Refresh token for managed API connections in VS Code

[h-t-w]

Hi.

I am developing a LogicApp locally in VS Code and I have a hard time figuring out how to refresh the tokens of managed API connections.

When I am creating a new connection the relevant information is saved in the connections.json and in local.settings.json. Additionally, I get an info in VS Code that the connection is only valid for n days - as is also stated in the official documentation. Unsurprisingly, I get an error if I try to run the LogicApp after these n days are passed (Error: 'Lifetime validation failed. The token is expired'). So far as expected.

What I am unable to figure out is how I am supposed to refresh the tokens manually/programmatically after they expired. Below excerpts from the json files.

connection.json

"azurevm": {
      "api": {
        "id": "/subscriptions/XXXXX/providers/Microsoft.Web/locations/northeurope/managedApis/azurevm"
      },
      "connection": {
        "id": "/subscriptions/XXXXX/resourceGroups/XXXXX/providers/Microsoft.Web/connections/azurevm"
      },
      "connectionRuntimeUrl": "XXXXX",
      "authentication": {
        "type": "Raw",
        "scheme": "Key",
        "parameter": "@appsetting('AZUREVM_CONNECTION_KEY')"
      }

local.settings.json

"AZUREVM_CONNECTION_KEY": "eyJ0..........",

Any help would be greatly appreciated.

Best
h-t-w

[adrian-pritchard]

Hi h-t-w

I was wondering if you'd had any luck in solving this problem? I'll got the same issue and can't find a solution anywhere :(

A

[h-t-w]

@adrian-pritchard
Sorry for getting back to you with such a delay.

I wasn't able to find a solution here. Two possible workarounds:

• Depending on the number of connections (or dependencies) on quick fix is deleting the connection in Azure portal and setting up a new one, but doing this every 7 days will become annoying
• What I am currently doing is not running the LA locally anymore. We have now a "development" LA and a "production" LA. Basic workflow is like this: Develop locally, commit changes, push to Azure DevOps, deployment of workflow to "development" LA is triggered, testing workflows, end finally if everything works out push to production.

[sschutten]

The first workaround doesn't seem to work in the current version (1.0.19). The token is not added to the local.settings.json when I recreate the connection and save the workflow. I had to revert to 1.0.14 where this does work.

[siddheshdp]

Any luck to solve this problem?

[karlrissland]

I am pretty sure I have the same problem.
I am developing locally and since I am using Azure Connectors, it made me pick a region, I picked region A. Created my Azure Connector which I see created in the resource group. Everything works fine.

Need to move to another region for development, changed the managedApiConnections API.id, connection.id, and connectionRuntimeUrl to match a connection created in the new region. Opened the designer and everything rendered fine.

When I try to use the workflow for locally, I get an error... "Error from token exchange: Invalid Authorization header. Authorization header is expected in the form 'Bearer token' or 'Key token'."

Can't find a way to refresh this. Any help would be appreciated.

[enhendrickson]

So is this basically a "this does suck right now" from Microsoft with the hope that it will eventually be fixed? @h-t-w It's pretty bad.

[FlipFlop17]

Any updates on this?
I am suprised how is this not a larger priority to deal with. So basically if you try tu run an application that you deployed 7 days ago, for example some new features are to be implemented, you can't run it from VS code because the tokens are expired??!
Completely devastating.

[anthonywhite]

did this ever get resolved? Got the same problem

[wsilveiranz]

We are actively working on improvements for this on the VS Code extension. We don't have an ETA yet, but will keep this discussion posted as we push those updates.

[anthonywhite]

We are actively working on improvements for this on the VS Code extension. We don't have an ETA yet, but will keep this discussion posted as we push those updates.

any news @wsilveiranz ? still an issue. How much is this being "actively" worked on?

[wsilveiranz]

We are actively working on improvements for this on the VS Code extension. We don't have an ETA yet, but will keep this discussion posted as we push those updates.

This has been implemented now and is available at the VS Code Extension - checks are executed at project start and debug start.

[Manish-Upadhyaya]

Is there a work around until this gets fixed? Started a project recently to convert consumption-based logic apps to LA Standard. Need to update the API connection after seven days for VS code local development.

[zzznz27]

Any update on this one?

It seems to be a bearer token its using so if there is a method of calling the api manually that would be helpful

[sschutten]

I'm using the following as a temporary solution in the meantime. Maybe it benefits you too.

Add a script named Refresh-Connections.ps1 to the root of you LogicApps folder and use the following content. This script assumes you have the Azure CLI installed and are signed in to the right subscription.

# Function to decode Base64Url encoded strings (used in JWT tokens)
function Decode-Base64Url {
    param ([string]$base64Url)
    $remainder = $base64Url.Length % 4
    if ($remainder -ne 0) {
        $base64Url += '=' * (4 - $remainder)
    }
    $base64Url = $base64Url.Replace('-', '+').Replace('_', '/')
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($base64Url))
}

$connections = Get-Content 'connections.json' | Out-String | ConvertFrom-Json
$appSettings = Get-Content 'local.settings.json' | Out-String | ConvertFrom-Json

foreach ($connectionProperty in $connections.managedApiConnections.PSObject.Properties) {
    $connection = $connections.managedApiConnections.$($connectionProperty.Name)

    $connectionId = $connection.connection.id

    # Substitute all ocurrences of @appsetting('<key>') with the actual value from the app settings in the connection id
    foreach ($key in $appSettings.Values.PSObject.Properties.Name) {
        $connectionId = $connectionId -replace "@{appsetting\('$key'\)}", $appSettings.Values."$key"
    }

    $authenticationParameter = $connection.authentication.parameter

    # Skip if the authentication parameter doesn't use the format @appsetting('<key>')
    if (-not ("$authenticationParameter" -match "@appsetting\('(.*)'\)")) {
        continue
    }

    $appSettingName = $Matches[1]

    # Split JWT into its parts
    $parts = $appSettings.Values.$appSettingName -split '\.'

    # Decode the payload (the second part)
    $payloadJson = Decode-Base64Url $parts[1]

    # Convert the payload to an object
    $payload = $payloadJson | ConvertFrom-Json

    # Get the expiration time (`exp`) and convert it to a readable datetime
    $expTime = [System.DateTimeOffset]::FromUnixTimeSeconds($payload.exp).DateTime

    # Get the current time
    $currentTime = Get-Date

    # Compare expiration time with current time
    if ($currentTime -lt $expTime) {
        "The token is still valid. It will expire on $expTime."
        continue
    }

    Write-Output "Refreshing connection $connectionId"

    # Generate a new connection key with a validity of 30 days
    $connectionKey = az rest --method post `
        --url https://management.azure.com$connectionId/listConnectionKeys?api-version=2018-07-01-preview `
        --body '{ \"validityTimeSpan\": \"30\" }' --query connectionKey --output tsv

    # Update the app setting with the new connection key
    $appSettings.Values.$appSettingName = $connectionKey
}

# Save the updated app settings
$appSettings | ConvertTo-Json -Depth 100 | Set-Content 'local.settings.json'

Now you could run this script and your connection keys will be updated if they expired.

To make it even more conventient I added a task to the tasks.json:

{
    "label": "refresh-connections",
    "detail": "Refresh the connection keys in Key Vault if they're outdated",
    "type": "shell",
    "command": "${workspaceFolder}/LogicApps/Refresh-Connections.ps1",
    "presentation": {
        "echo": true,
        "reveal": "always",
        "focus": false,
        "panel": "shared",
        "showReuseMessage": true,
        "clear": false
    },
    "options": {
        "cwd": "${workspaceFolder}/LogicApps"
    }
}

Then in the task with "label": "func: host start" you add the following:
"dependsOn": "refresh-connections"

From that point every time you start the logic app it will check if all connections are valid, refresh them if neccessary and then continue.