You’re offline. This is a read only version of the page.
We want to start investing a lot in custom connectors inside our Power Platform to be used inside Power Apps & Power Automate. but we have a concern if using those custom connectors which will integrate with external systems can pose any security holes.
Currently we will be using those 3 security types (Basic, API Key & OAuthn 2.0)
we would assume that ONLY if the user has the username/password then the user should be able to integrate with the external API using the username/password (in case the custom connector is using the basic authentication). Same applies the API key, so ONLY if the user has the API key then the user should be able to integrate with the external system (in case the custom connector is using the API Key authentication). And same thing applies to the OAuthn 2.0, so only if the user has the permission on his/her username the user should be able to use the external API??
so are our above assumptions correct? or users will be able to use existing connectors and connect to the external APIs? for example let take this scenario; ManagerABC who have the API key create a power automate flow or Power Apps and define the API key for the custom connector. then can any user creates a new Power automate or power app and reuse the custom connection and get to the external API even if the user should not have the permission to do so (they do not have the API key for example)?
Thanks
The authentication is at the API you are connecting to, not the authentication for the custom connector itself. The users you shared the connector can use this connector. So you could share the connector ONLY to users that allowed to use the API.
Another way is to share the connector to everyone, and don't hardcode the api key in the custom connector itself, but put it as parameter to the custom connector. So only users who know the api key can use the connector.
Share
Report
3,502
All responses (
Answers (
