cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
ID3
New Member

Hot to restrict access for HTTP Request Trigger

Dear Experts,
I have simple flow based on "When a HTTP request is received" trigger.

ID3_0-1618785813479.png

Using the link from the trigger, anyone can sent HTTP request and get response from my Flow. And this is really the problem.

How I can restrict possibility to get response from my flow for anyone except certain users?

(Note: I don't want to use some kind of Passwords which I can provide because I can't control that someone of my approved users will not share this password with someone else, and I will not be able determine who exactly use this password - the user approved by me or not.)


Sincerely ID3 



13 REPLIES 13
Expiscornovus
Super User II
Super User II

Hi @ID3,

 

I don't know if this will work for you situation, but you might be able to check the user-agent value of the POST request and add a trigger condition to your When a HTTP request is received trigger action.

 

Below is an example of a trigger condition which only allows requests from other Power Automate flows and for instance not Windows PowerShell.

 

@startswith(triggeroutputs()['headers']['user-agent'], 'azure-logic-apps/1.0')

 triggercondition_azurelogicapps_useragent.png

Dear Expiscornovus,

In my case all permitted to access to my Flow users are members of Office 365 groups.
Maybe it is useful information for the solution finding.

One more fact - it is quite enough to restrict the access only for HTTP request been sent from Power Query (Excel). And perhaps in this case the Power Query "Access Web content" options can be used.

ID3_0-1618822413222.png

Paulie78
Super User III
Super User III

I actually wrote an article on how to secure the HTTP trigger, check it out and see if it of use to you:

Secure the HTTP Request Trigger in Microsoft Power Automate 

Hi @ID3,

 

It is still a workaround based on the user agent string, but you can probably use this trigger condition to restrict only to Power Query (web.contents source)

@startswith(triggeroutputs()['headers']['user-agent'], 'Microsoft.Data.Mashup')

 

@Paulie78, nice, very useful article 🙂

However, I think ID3 wanted to avoid using a key or a password like stated in the opening post.

Paulie78
Super User III
Super User III

@Expiscornovus - That will teach me not to read the question properly! Thank you for putting me straight!

ID3
New Member

Dear @Paulie78 
The article about HTTP Request Secure is realy nice. It means I am not alone who met the same problem and it is worth to work it out more.

Dear @Expiscornovus 
Your suggested Microsoft.Data.Mashup check is a good, and I think should be used in any case. 
In case of PowerQuery using with Windows or Organizational account credentials, does it mean that the data about user account (login/user name) can be taken from the trigger/Request? 

Is there any MS Services can provide information about all MS Flow transactions with more details than I can see in Power Automate Runs History?

Sincerely ID3

Expiscornovus
Super User II
Super User II

Hi @ID3,

 

As far as I could tell it wasn't showing any data about the account which was used.

 

Below is an example of the raw input of the received HTTP request when I was testing it with Power Query in Excel.

 

{
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip,deflate",
        "Expect": "100-continue",
        "Host": "prod-21.uksouth.logic.azure.com",
        "User-Agent": "Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=304225)",
        "Content-Length": "2",
        "Content-Type": "application/json"
    },
    "body": {}
}

 

Dear @Expiscornovus
Here is what I have and waht I used.
Receiver:

ID3_0-1619256787006.png
And here is the data.

{
    "variables": [
        {
            "name": "Trigger",
            "type": "String",
            "value": "{\"name\":\"manual\",\"inputs\":{\"method\":\"POST\"},\"outputs\":{\"headers\":{\"Connection\":\"Keep-Alive\",\"Accept\":\"application/json\",\"Accept-Encoding\":\"gzip,deflate\",\"Expect\":\"100-continue\",\"Host\":\"prod-96.westeurope.logic.azure.com\",\"User-Agent\":\"Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=3xxx5)\",\"Content-Length\":\"39\",\"Content-Type\":\"application/json\"},\"body\":{\"Type\":\"MyData\",\"Param\":\"MyData\"}},\"startTime\":\"2021-04-24T09:25:56.997722Z\",\"endTime\":\"2021-04-24T09:25:56.997722Z\",\"trackingId\":\"4xxxxxxb-5xxx-4xxe-xxxxxxxx1\",\"clientTrackingId\":\"0XXXXXXXXXXXXXXXXXXXXXXXXXX4\",\"originHistoryName\":\"0XXXXXXXXXXXXXXXXXXXXXXX\",\"status\":\"Succeeded\"}{\"Type\":\"MyData\",\"Param\":\"MyData\"}"
        }
    ]
}

For sending I used this one request

let
    urlApi="https://prod-96.westeurope.logic.......",
    Request = Json.Document(Web.Contents(urlApi, [ Headers=[#"Accept"="application/json", #"content-type" = "application/json"], Content=Text.ToBinary("{""Type"": ""SiteInfo"", ""Param"": """& Site_Param &"""}")])),
    #"Converted to Table" = Record.ToTable(Request),
    #"Renamed Columns" = Table.RenameColumns(#"Converted to Table",{{"Name", "Parameter"}}),
    #"Changed Type" = Table.TransformColumnTypes(#"Renamed Columns",{{"Value", type text}, {"Parameter", type text}})

in
#"Changed Type"

With this permissions:

ID3_1-1619257180163.png

It is pretty interesting why you have not "originHistoryName" and "clientTrackingId" but I have. Did you use POST or GET?
But however, I don't know are these values can help with my problem or not. ...



The problem is still not solved and important.

Sincerely ID3.

Hi Expiscornovus,

 I've got a question for you, is there any way to send back an error such as 400 Bad Request or 401 Forbidden if the request doesn't satisfay the conditional trigger?

A the moment if I call the https endpoint I receive a standar "202 Accepted" code...

 

Thank you,

Stefano.

Expiscornovus
Super User II
Super User II

Hi @ZaffaSte,

 

You can remove that trigger condition and use a condition action instead. Use that startswith expression in there and use a response action to send back a HTTP 400.

https://docs.microsoft.com/en-us/azure/connectors/connectors-native-reqres#add-a-response-action

 

Below is an example of that.

 

400response.png

ZaffaSte
New Member

Hi @Expiscornovus ,

 thank you for your reply: easy peasy lemon squeezy and it's true, but in this way the flow start, there's no way to default 202 reply other than start a flow?

 

Thank you so much,

Stefano

Expiscornovus
Super User II
Super User II

Hi @ZaffaSte,

 

I know there is a schema validation setting which you can enable in the settings which can return a HTTP 400 instead of a 200 if there is a mismatch.

 

But as far as I am aware that is only for the body, not the headers like user-agent.

 

schemavalidation_400.png

Thank you @Expiscornovus I knew the "Schema Validation" option, but as you wrote in your reply is all about the body of the request not the header.

Helpful resources

Announcements
MPA_User Group Leader_768x460.jpg

Manage your user group events

Check out the News & Announcements to learn more.

V3_PVA CAmpaign Carousel.png

Community Challenge - Giveaways!

Participate in the Power Virtual Agents Community Challenge

Carousel 2021 Release Wave 2 Plan 768x460.jpg

2021 Release Wave 2 Plan

Power Platform release plan for the 2021 release wave 2 describes all new features releasing from October 2021 through March 2022.

Users online (1,080)