neerajsu
Helper I

Serious security issue? Or Default functionality? Power Apps to Power Automate (PowerApps Trigger)

Summary:

When calling Microsoft Flow from PowerApps, there is absolutely no trust-free, secure way to validate which user called the flow from Power Apps.

Scenario:

Let's say I have a Power Automate flow with the following features/requirements:

  1. I have a flow that provides user metadata and user-specific information for a user.
  2. To achieve this, I require the username/email as input, to pull this information from somewhere (let's say some database).
  3. This is because the metadata is sensitive to each user, meaning a user shouldn't have access to some other user's information.


Let's say I have a Power App with the following features/requirements:

 

  1. For the logged-in user I want to show his/her user-specific information.
  2. I also want to allow the user to edit and save this information.


To achieve this, I can pass a parameter (say username/email) to the flow from Power Apps using the PowerApps trigger. Simple, right?

Well, there is clearly a security issue here if you solve the problem this way. Here's why:

 

  1. Open Power Apps.
  2. Open the developer tools (F12). Look at the Network tab.
  3. Do the action which retrieves/updates information from the Power Apps UI.
  4. You should see an HTTP call going to something like (https://unitedstates-002.azure-apim.net/invoke).
  5. Right-click the call and copy as cURL.
  6. Open Postman and import the cURL command. Notice the body in the POST request.
  7. Now you can just change the request body to whatever email you like. In this scenario, the POST body would be something like {"VarEmailID_Value":"someuser@somedomain.com"}
  8. Voila, now you can retrieve any person's information and even change it as you wish (in this scenario).

 

Since Microsoft Flow's PowerApps trigger has no way to provide user context information, the backend flow cannot validate the caller. It has to trust that the caller doesn't mess with the body, essentially making it insecure to use Microsoft Flow as an API for Power Apps.

 

If you create a normal flow without a PowerApps trigger, you actually have user context information. You don't need to send it as an input, since the flow already has access to the authenticated user's context. This same functionality should be provided along with the PowerApps trigger.

 

So why is Power Automate's PowerApps trigger built this way? It's not like the PowerApps trigger needs to be accessed without an authenticated user. Only Power Apps applications can use this, and all Power Apps applications are Microsoft-authenticated users. Isn't Power Apps marketed to be used in tandem with Flow? All Microsoft needs to do is send the call via an authentication router and pass the user context to the trigger. The user has already authenticated from Power Apps anyway.

 

This is a major security issue, making Power Apps + Power Automate, in my opinion, insecure against attacks. So if you have a Power App that is available to the entire organization, you are most definitely wide open to attacks and have to ensure that you don't send any secure data that is retrieved via Power Apps. You have to assume that all employees have access to anything that the backend flow can provide.

The only workaround I see is creating a custom PCF component that reads the Graph API key from the browser's local storage and passes it along with the request to the flow trigger. Then in the flow, I make a Graph API GET request to an endpoint with that token and see if it fails with a Forbidden error, and only proceed if it doesn't. Although it's a solution, it's an ugly and terrible solution to a problem that should be fixable very easily by Microsoft.

If I missed something, or if someone has a better solution, I'd like to know.

Conclusion

Need a PowerApps trigger v3 that provides user context information for the calling user from Power Apps.

2 REPLIES
arpost
Advocate IV

@neerajsu, thanks for posting this comprehensive summary. I have wondered about this, especially now that Power Apps is becoming easier to make available to external users/customers, but that raises a major question: are there plans for a native, secured Power Apps way to pass user context/identity to a flow, or are we out of luck?

 

Would really love to see a Microsoft rep weigh in on this.

arpost
Advocate IV

I was doing some more research into this and wondered if, perhaps, a native Microsoft solution would be configuring a Power Automate flow to use the "Run only" option. I haven't tested this, but I was curious whether this would help achieve the goal of providing user context, since the user invoking the flow from the Power App will be the "triggering user." I'd sure think there's a way to then capture the triggering user's identity within the flow.

 

Saw a post by @RandyHayes on a related discussion here.

 

Thoughts? Yea/nay?
