My experiences from creating a Logic Apps connector in API Management

Recently, I created a custom Logic Apps connector within Azure API Management.  This blog explains the choices I needed to make and the challenges I’ve faced.

Scenario

In some scenarios, you need to create a custom connector for Logic Apps.  You can leverage the Azure API Management consumption tier to achieve this, in case your backend system has an API.  Creating your custom connector like this, comes with some advantages:

  • Better performance: you control the throttling, not Microsoft
  • Full control: you control the complete lifecycle of the connector, not Microsoft
  • Better security: you can leverage Managed Service Identity to connect to systems that support it
  • Cheaper: you only pay for native Logic Apps actions and the first 1M APIM executions are free

Swagger

In the end, you need to create a Swagger definition that is optimized for Logic Apps.  This Visual Studio Code extension was very helpful during the development, as you can immediately preview the Swagger UI result.  For Logic Apps, these are the tweaks you can do:

  • Provide a summary for each operation
  • Provide a description for each operation and request/response parameter
  • Provide an x-ms-summary for each request/response parameter
  • Provide an x-ms-visibility to control the user experience

Conn1

Parameters

In my case, I’ve created a connector for Azure Data Lake Store Gen2.  The most logical way to pass parameters would have been through the uri path (e.g. api/{FileSystemName}/{FolderPath}/{FileName}).  However, because the FolderPath potentially contains slashes – which is not supported in Open API specifications – I needed to find another solution.  Most Logic Apps connectors use body parameters, but this forces base64 encoding/decoding of the file content.  I prefered not the touch the body content, so the HTTP headers were my only option.

Conn2

APIM subscription key

I wanted to rely on the default APIM subscription key frontdoor security.  Swagger has out-of-the-box support for describing this kind of api-key security, however it turned out that Logic Apps does not support this.  As an alternative, I decided to add this as a property to each operation.

Conn3

If you have a detailed look, you see that the APIM subscription key is passed via the HTTP Authorization header.  Why?  Because Logic Apps obfuscates this HTTP header by default.

Conn4

Of course, you also need to configure API Management to use this HTTP header for the subscription key.  This can be done in the API settings.

Conn5

Swagger endpoint

I was in the need for an endpoint to host the Swagger definition.  This endpoint should not be secured, so that’s why this had to be hosted in a separate API.  CORS must be allowed and the Swagger definition is returned as a mocked response.  Let me know if you know a better option!

<inbound>
   <base />
   <cors>
      <allowed-origins>
         <origin>*</origin>
      </allowed-origins>
     <allowed-methods>
        <method>GET</method>
     </allowed-methods>
    <allowed-headers>
        <header>*</header>
    </allowed-headers>
   </cors>
   <mock-response status-code="200" content-type="application/json" />
</inbound>

Backend security

In my scenario, I wanted to leverage Managed Service Identity to authenticate against Azure Data Lake Store.  I needed to reuse the bearer token in the backend call, but also in a send-request policy.  That why I’ve requested the MSI token once and stored it as a bearer token in a variable.

<authentication-managed-identity resource="https://storage.azure.com/" output-token-variable-name="msiToken" ignore-error="false" />
<set-variable name="adBearerToken" value="@("Bearer " + (string)context.Variables["msiToken"])" />

Conclusion

My custom connector is nothing more than a good Swagger definition, with some API Management policies in the back that perform the conversions towards the backend API’s.  I had to take some shortcuts, which are described in the blog.  Do you know other ways to achieve similar things?  Please let me know in the comments section!

Thank you
Toon

2 thoughts on “My experiences from creating a Logic Apps connector in API Management

  1. Pingback: December 9, 2019 Weekly Update on Microsoft Integration Platform & Azure iPaaS | Hooking Stuffs Together

  2. Pingback: December 9, 2019 Weekly Update on Microsoft Integration Platform & Azure iPaaS - BizTalkGurus

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s