cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Reply
BeckyBertram
Frequent Visitor

Best way to secure HTTP call to child flow?

โ€Ž04-17-2020 12:51 PM

Although flows that are bundled in a solution can call each other natively, flows that have a SharePoint manual trigger are not allowed to be included in a Power Automate solution. That means I have to create my flow with the SharePoint trigger outside the solution, and then call the child flow (inside the solution) using an HTTP call. My question is: what's the best way to secure that call?

I've tried using the API Management service in Azure to wrap the URL, but I'm struggling because all the examples are for calling Logic Apps and are about 5 degrees away from what I'm trying to do, which is to simply add security to my HTTP call. Can anyone provide any guidance? (Am I missing something really simple?)

Savvy Technical Solutions Listen // Advise // Develop // Teach
Labels:
Message 1 of 5
416 Views
1 ACCEPTED SOLUTION

Accepted Solutions
efialttes
Super User III
Super User III

โ€Ž04-17-2020 07:39 PM
Hi!
IMHO one of the bests questions posted this month. The problem you describe happens also when implementing Open.URL actions in Adaptive Cards to call Flows (dirty trick, I know)

Some interesting approaches in the following links:
https://www.about365.nl/2018/11/13/securing-your-http-request-trigger-in-flow/

https://community.dynamics.com/365/b/theressomethingaboutdynamics365/posts/secure-the-receiving-flow...

http://ratsubsharewall.blogspot.com/2019/11/secure-http-request-to-msflow.html?m=1

Feel free to discuss pros and cons, or suggest any other approach
Thanx!


Each time you click on any of our inspiring answers 'Thumb up' icon...
...an ewok scapes from the stormtroopers.

Be grateful, Thumbs up! Save the Galaxy for free!

Escribo sobre Power Automate en:
https://medium.com/anyone-can-automate/

Proud to be a Flownaut!



View solution in original post

Message 2 of 5
400 Views
4 REPLIES 4
efialttes
Super User III
Super User III

โ€Ž04-17-2020 07:39 PM
Hi!
IMHO one of the bests questions posted this month. The problem you describe happens also when implementing Open.URL actions in Adaptive Cards to call Flows (dirty trick, I know)

Some interesting approaches in the following links:
https://www.about365.nl/2018/11/13/securing-your-http-request-trigger-in-flow/

https://community.dynamics.com/365/b/theressomethingaboutdynamics365/posts/secure-the-receiving-flow...

http://ratsubsharewall.blogspot.com/2019/11/secure-http-request-to-msflow.html?m=1

Feel free to discuss pros and cons, or suggest any other approach
Thanx!


Each time you click on any of our inspiring answers 'Thumb up' icon...
...an ewok scapes from the stormtroopers.

Be grateful, Thumbs up! Save the Galaxy for free!

Escribo sobre Power Automate en:
https://medium.com/anyone-can-automate/

Proud to be a Flownaut!



View solution in original post

Message 2 of 5
401 Views
Jcook
Super User III
Super User III

โ€Ž04-17-2020 07:43 PM
Hello @BeckyBertram

Have you tried using Secure inputs / outputs?

To enable this simply go to the action you want to apply this to.
Click the 3 dots,
Click settings,
If the action supports secure inputs and outputs you will be able to enable to enable this here.

Since Flow is on Cloud tenant in azure. You should be safe.

Did I answer your question? Mark my post as a solution!

If you like my post please hit the Thumbs Up

Proud to be a Flownaut!


Check out my blog for Power Automate tips,
tricks, and guides
FlowAltDelete





Message 3 of 5
399 Views
BeckyBertram
Frequent Visitor
In response to efialttes

โ€Ž04-21-2020 07:00 AM

Thanks. At first I was trying to use API management but then realized all I'm doing is obfuscating the call, but that doesn't really secure things from the receiving end. I didn't really want logic inside my flow having to check any values, because by then, I've used up one of my flow runs. I like the idea of passing in a token into the trigger, and then having a trigger condition. That way, if someone attempted some sort of denial of service attack, it's Microsoft's problem and not mine, since it wouldn't count toward my flow runs and my code wouldn't execute.

Savvy Technical Solutions Listen // Advise // Develop // Teach
Message 4 of 5
373 Views
BeckyBertram
Frequent Visitor
In response to Jcook

โ€Ž04-21-2020 07:02 AM

Does securing the inputs and outputs do anything more than hide those inputs and outputs from the UI? I'm not so worried about people internally having access to the right stuff, but more hackers getting a hold of the flow's HTTP trigger URL and firing it.

Savvy Technical Solutions Listen // Advise // Develop // Teach
Message 5 of 5
370 Views
0 Kudos

Helpful resources

Announcements
MBAS Attendee Badge

Claim Your Badge & Digital Swag!

Check out how to claim yours today!

MPA User Group

Welcome to the User Group Public Preview

Check out new user group experience and if you are a leader please create your group

secondImage

Are Your Ready?

Test your skills now with the Cloud Skill Challenge.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All
Users online (60,434)