403 Forbidden when sending request to logic app workflow

Bacol, Jaypee B 5 Reputation points
2024-07-05T15:05:50.2233333+00:00

Hi, below is the payload that triggers my logic app workflow. I also have APIM where I configured the endpoint URL of the workflow.

    "SamplePayload": [
        {
            "code": "OKWP",
            "comment": "2 is not 2a"
        }
    ],

In my testing, whenever I remove either "not" or "2a", it succeeds.

However, if there is "not" or "2a", it triggers 403 Forbidden.

I really don't know what happened. Please help me.

Azure Communication Services
An Azure communication platform for deploying applications across devices and platforms.
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.

1 answer

  1. Ganeshkumar R 510 Reputation points
    2024-07-05T15:39:11.6966667+00:00

    It seems that special characters in your JSON payload might be causing issues with your Azure API Management (APIM) policy or configuration, leading to a 403 Forbidden response. This is often related to security policies set in APIM, such as validation policies that might be inadvertently blocking certain values or combinations of values.

    To troubleshoot this issue, please follow these steps:

    1. Review APIM Policies:
      • Go to your APIM instance in the Azure Portal.
      • Navigate to the relevant API, and then to the specific operation that's experiencing issues.
      • Review the inbound, backend, and outbound policies applied to this operation.
      • Look for any validation policies such as validate-content, check-header, or custom policies that might be causing the issue.
    2. Check Logs:
      • Enable logging to track the requests and responses passing through APIM.
      • This can help you identify if the payload is being modified or if a specific policy is leading to the 403 Forbidden response.
    3. Simplify and Test:
      • Test your workflow with a simplified payload and incrementally add back elements until the 403 Forbidden is triggered.
      • This can help identify the specific part of the payload causing the issue.

    Here are some common scenarios in APIM policies that might cause such issues:

    Example Inbound Policy

    Consider inbound policies like below, which might unintentionally block certain payloads:

    
    <validate-content content-type="application/json">
        <validation>
            <allowed-values>
                <value>2 is 2a</value>
            </allowed-values>
        </validation>
    </validate-content>
    
    

    Ensure there are no such restrictions causing the 403 Forbidden response.

    Example Custom Policy

    Check for any custom policies that might be checking the payload content:

    
    <inbound>
        <base />
        <!-- Parse the body as JSON; the "true" argument preserves the body for the backend -->
        <set-variable name="payload" value="@(context.Request.Body.As<JObject>(true))" />
        <choose>
            <!-- Return 403 when the first comment contains "not" or "2a" -->
            <when condition="@(((string)context.Variables.GetValueOrDefault<JObject>("payload")["SamplePayload"][0]["comment"]).Contains("not") ||
                             ((string)context.Variables.GetValueOrDefault<JObject>("payload")["SamplePayload"][0]["comment"]).Contains("2a"))">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                </return-response>
            </when>
        </choose>
    </inbound>
    
    

    This example shows a custom policy that explicitly checks the payload and returns 403 if certain conditions are met.

    Testing Without APIM

    As a part of the troubleshooting process, you can directly test your Logic App workflow without going through APIM. This will help you confirm if the issue is within APIM or the Logic App itself:

    1. Get the Logic App Workflow URL:
      • Go to your Logic App in the Azure Portal.
      • In the "Overview" section, you will find the HTTP POST URL for triggering the Logic App.
    2. Test the Payload:
      • Use tools like Postman or cURL to send the payload directly to the Logic App's endpoint.
      • Check if the Logic App processes the payload successfully without triggering a 403 Forbidden.

    Example Direct Logic App Test with cURL

    
    curl -X POST \
      'https://<logic-app-url>?api-version=2016-10-01' \
      -H 'Content-Type: application/json' \
      -d '{
            "SamplePayload": [
                {
                    "code": "OKWP",
                    "comment": "2 is not 2a"
                }
            ]
          }'
    
    

    Update APIM to Handle Special Characters

    If the issue is confirmed to be with APIM, you might need to update your policies to properly handle special characters or modify them as necessary.

    Removing Sensitive Policies Temporarily

    Temporarily remove or modify any strict validation policies:

    1. Navigate to your APIM instance:
      • Go to the API Management service in the Azure Portal.
    2. Find the API and Operation:
      • Under APIs, find the API and operation you are testing.
    3. Modify Policies:
      • Check inbound, outbound, and backend policy sections.
      • Comment out or modify any policies that could be denying the request.

    Example of a Simplified Policy:

    Remove or relax character restrictions if found:

    
    <inbound>
        <base />
        <!-- Temporarily remove or comment out strict validation policies -->
        <!-- <validate-content content-type="application/json">
            <validation>
                <allowed-values>
                    <value>???</value>
                </allowed-values>
            </validation>
        </validate-content> -->
    </inbound>
    
    

    By following these steps, you should be able to isolate and address the issue causing the 403 Forbidden response with your Logic Apps and APIM setup.
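
Added example, not part of the answer above and not Microsoft code: a small harness for the "Simplify and Test" and "Testing Without APIM" steps that reduces the `comment` value word by word until only the words needed to get a 403 remain. The function names and `stub_gateway` (a constructed stand-in that rejects only when both "not" and "2a" are present, and otherwise returns 202) are assumptions for illustration.

```python
import json
import urllib.error
import urllib.request


def post_status(url, payload, headers=None):
    """POST payload as JSON and return the HTTP status code (4xx/5xx included)."""
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=hdrs, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def make_payload(comment):
    """Payload shape from the question, with only the comment varied."""
    return {"SamplePayload": [{"code": "OKWP", "comment": comment}]}


def minimal_trigger(comment, send):
    """Drop one word at a time, keeping each drop that still yields 403.

    Returns the smallest word list found that is still rejected, or [] when
    the full comment is not rejected at all.
    """
    words = comment.split()
    if send(make_payload(" ".join(words))) != 403:
        return []
    i = 0
    while i < len(words):
        trial = words[:i] + words[i + 1:]
        if send(make_payload(" ".join(trial))) == 403:
            words = trial      # word i was not needed for the rejection
        else:
            i += 1             # word i is part of the trigger, keep it
    return words


def stub_gateway(payload):
    """Constructed stand-in for the gateway: 403 only when both words occur."""
    words = payload["SamplePayload"][0]["comment"].split()
    return 403 if "not" in words and "2a" in words else 202


if __name__ == "__main__":
    print(minimal_trigger("2 is not 2a", stub_gateway))
```

To run it against your own endpoints, pass `lambda p: post_status(url, p)` as `send`, once with the APIM URL and once with the Logic App trigger URL. Words that are rejected only through APIM point at the gateway rather than the workflow.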