JasonAlmeida
Level: Powered On

PCF external services API Key/Secrets security

Hi All,

 

*apologies if this has been discussed already*

 

We've seen a few PCF controls that utilise external services and APIs. Skimming through some of these controls, it seems like the approach tends to be via a config parameter that takes a key/secret/url or embedded in the .ts file directly.

This is obviously a concern from a security point of view as the key could be easily accessed via developer tools or the custom control configuration. My questions:

  • Is there a better approach to defining and storing keys/secrets for PCFs?
  • Could we maybe have a secure property type that can handle this? (totally open to other suggestions btw)

Some other ideas that went through my head:

  • config entity that is queried - but this tightly couples a control to an entity
  • storing in keyvault - but this is subject to the same secret config issue and may have a performance impact

 

cheers

Jason

Community Support Team

Re: PCF external services API Key/Secrets security

Hi @JasonAlmeida ,

Do you want to encrypt the services API Key/Secrets security within your .ts config file?

 

I'm afraid that there is no direct way to achieve your needs currently in PowerApps. As an alternative solution, you could consider adding an RSA Encrypt function in your .ts config file to encrypt your services API Key/Secrets security. Then when you send a request to your external service, encrypt the services API Key/Secrets security as a query parameter within the request.

 

Within your external service, you also need to use the same RSA Decrypt method to decrypt the encrypted services API Key/Secrets security. Please check and see if the following article would help in your scenario:

https://stackoverflow.com/questions/46642143/rsa-encrypt-decrypt-in-typescript

 

If you would like to get further help with this issue, please consider submitting an assisted support ticket through the following link:

https://powerapps.microsoft.com/en-us/support/pro

 

Best regards,

Community Support Team _ Kris Dai
HemantG
PowerApps Staff

Re: PCF external services API Key/Secrets security



PCF is the client-side framework, and hence any requests made from the client will have the keys exposed to the end user via the browser. Low-impact keys which can be shared with the users (as they are authenticated PowerApps users) can be added via PCF properties which customizers add. For the ones which need to be shielded from end users, you can use server-side plugins or connectors on the canvas apps to manage the connection and make the request. KeyVault can also be used on the server side if there is a requirement to not store creds on the server. A configuration entity is another option for low-impact keys. For performance, the short-lived access tokens can be cached using the setControlState API.

PCF controls do not offer authentication/SSO yet, and we plan to add limited AAD auth support for embedded iFrames in the next semester.

 

thanks,

Hemant 

ManishJain
Level: Powered On

Re: PCF external services API Key/Secrets security

The better idea would be to use Actions and call them from your PCF control normally the way you call them from JS. 

 

Please refer to my control : https://github.com/mkcgphy/Azure-Maps-Get-Search-Address-TypeAhead as reference.
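
The pattern suggested in the replies above (keep the key behind a server-side Action and cache only a short-lived token in control state), as an added example that is not part of any poster's reply or of the linked control. The Action name `new_GetMapsToken`, the token/expiry shape and the `ModeLike` interface are assumptions.

```typescript
// Added example. ACTION and the token shape are hypothetical, not from the thread.
type Dict = { [key: string]: unknown };
interface ModeLike { setControlState(state: Dict): boolean } // shape of context.mode
interface CachedToken { value: string; expiresAt: number }   // epoch milliseconds
interface ActionRequest {
  url: string;
  init: { method: string; headers: Record<string, string>; body: string };
}

const ACTION = "new_GetMapsToken"; // hypothetical unbound custom Action
const SKEW_MS = 30000;             // treat the token as expired 30 s early

// What the control sends: the Action name and nothing else. The long-lived
// key lives in the server-side plug-in behind the Action, never in the bundle
// or in a control property.
function buildActionRequest(orgUrl: string): ActionRequest {
  return {
    url: `${orgUrl.replace(/\/+$/, "")}/api/data/v9.2/${ACTION}`,
    init: {
      method: "POST",
      headers: {
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "OData-MaxVersion": "4.0",
        "OData-Version": "4.0",
      },
      body: "{}",
    },
  };
}

// Cache only the short-lived token the Action returned. Control state is
// client-side, so the user can still read it; that is why it must expire.
function storeToken(mode: ModeLike, value: string, expiresInSec: number, now: number): CachedToken {
  const token: CachedToken = { value, expiresAt: now + expiresInSec * 1000 };
  mode.setControlState({ token });
  return token;
}

// Read the token back from the `state` dictionary passed to init().
// Returns null when it is missing, malformed, or about to expire.
function readCachedToken(state: Dict | null | undefined, now: number): string | null {
  const t = state ? (state["token"] as Partial<CachedToken> | undefined) : undefined;
  if (!t || typeof t.value !== "string" || typeof t.expiresAt !== "number") return null;
  return now < t.expiresAt - SKEW_MS ? t.value : null;
}
```

In the control, call `readCachedToken(state, Date.now())` first and POST the request from `buildActionRequest` only when it returns null, then pass the Action's response to `storeToken`.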
