PowerPlatform & SAP Connection with User Handover


We are planning a PowerPlatform to SAP connection and are wondering about the security of user authentication and credential / user information handover.

 

The goal is to request information from an on-premises SAP database in the context of the user of the PowerApp.
The BTP is accessed with administrative user credentials.

 

We have the following scenario planned: 

[Image: LukasBaen_1-1689245041425.png, diagram of the planned scenario]

Handling the green "ZToken" is done with a separate flow "BTP Token request flow", so we do not have to store basic authentication information within the "Main Flow" that requests the data from SAP.

Obviously the setup with the "BTP Token request Flow" and storage in AKV is not 100% optimal, but we are fine with that. 


The main challenge we are facing / have questions about is the yellow text. How do we safely hand over the information of the user that is using the PowerApp to the BTP, which can then use that user information within an RFC?

We have identified the following security risks - please add-on if you think there are others: 

 

  1. Can a user that is using the PowerApp within a browser somehow intercept the handover of user data from the PowerApp to the "Main Flow"?
     Important note: we are not passing the user information from the PowerApp to the Main Flow with a variable but use the default "PowerApps" trigger, which gets the triggering user information via the request header.
  2. Assuming the handover / connection of data from step 1 is secure: can a user then somehow intercept the traffic from the Main Flow to the BTP to inject false user information that would then be used in the RFC?

 

I think those are the two main concerns and we would appreciate any opinions.

 

  • Michael E. Gernaey, Super User 2025 Season 2

    Hello,

     

    I hope you don't mind if I clarify. When you say Main Flow, are you referring to a Power Automate Flow? Or are you saying that from the actual app you are using an HTTP(S) Connector to talk to the Main Flow (whatever that is)?

     

    If so

     

    For #1: Technically, if you are sending unencrypted headers then yes, they might even just be able to use the Monitor (most likely) and/or any other web traffic capture program to do it. I'd have to try it to be 100% sure, but actually intercept and change it, no. However, if you are using an HTTP-triggered Flow, you just have to protect it so it can only talk to the back end services (Power Platform) and you're good, unless someone gets in and hacks into your back end.

     

    For #2, this one is much less likely because the user may not even be running the flow (again, if you're talking about a Power Automate flow). They cannot do anything to it, see its run etc. in the UI, so no... you could be fine here.

     

    I'd have to review directly with you #1 to be 100%

     

    Cheers
    --------------------------------------------------------------------------------
    If I had answered your question, please mark your post as Solved
    If you like my post please give it a thumbs up
    Thanks
    Michael Gernaey MCT | MCSE | Expert | Ex-Microsoft
    https://gernaeysoftware.com
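As an added illustration of concern #2 (this is example code, not from the poster, Microsoft or SAP): a user identity that the Main Flow forwards as a plain value can be rewritten by anything sitting between the flow and the BTP, whereas an identity bound to a MAC under a secret shared by the two sides cannot be altered without the receiver noticing. The shared secret, the envelope layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret. In the poster's design this would be fetched from AKV
# by the flow and configured on the BTP side, never embedded in code.
SHARED_SECRET = b"demo-only-secret-not-for-production"
MAX_AGE_SECONDS = 300  # reject stale envelopes to narrow the replay window


def _canonical(claim: dict) -> bytes:
    # Both sides must MAC exactly the same bytes, so serialise deterministically.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_user_claim(user_email: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Sending side (Main Flow): bind the triggering user's identity to a timestamp
    and a nonce, then MAC the whole claim with the shared secret."""
    now = int(time.time()) if now is None else now
    claim = {"user": user_email, "iat": now, "nonce": secrets.token_hex(8)}
    mac = hmac.new(secret, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "mac": mac}


def verify_user_claim(envelope: dict, secret: bytes = SHARED_SECRET, now=None):
    """Receiving side (BTP): recompute the MAC over the received claim. Any change to
    'user', 'iat' or 'nonce' in transit yields a different MAC and the envelope is
    rejected. Returns the user identity on success, None on any failure.
    A real deployment would additionally remember seen nonces to block replays."""
    now = int(time.time()) if now is None else now
    claim, mac = envelope.get("claim"), envelope.get("mac")
    if not isinstance(claim, dict) or not isinstance(mac, str):
        return None
    expected = hmac.new(secret, _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    iat = claim.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_AGE_SECONDS:
        return None
    user = claim.get("user")
    return user if isinstance(user, str) and user else None
```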
