Unanswered

Hot to restrict access for HTTP Request Trigger

(0) Share

Report

Posted on by ID3

Dear Experts,
I have simple flow based on "When a HTTP request is received" trigger.

Using the link from the trigger, anyone can sent HTTP request and get response from my Flow. And this is really the problem.

How I can restrict possibility to get response from my flow for anyone except certain users?

(Note: I don't want to use some kind of Passwords which I can provide because I can't control that someone of my approved users will not share this password with someone else, and I will not be able determine who exactly use this password - the user approved by me or not.)

Sincerely ID3

Categories:

General topics

I have the same question (0)

All responses (16)

Answers (0)

Expiscornovus 33,828 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!
Hi @ID3,

I don't know if this will work for you situation, but you might be able to check the user-agent value of the POST request and add a trigger condition to your When a HTTP request is received trigger action.

Below is an example of a trigger condition which only allows requests from other Power Automate flows and for instance not Windows PowerShell.

@startswith(triggeroutputs()['headers']['user-agent'], 'azure-logic-apps/1.0')

Was this reply helpful? Yes No
ID3 6 on at

Like (0)

Report
Copy link

Link copied!

Dear Expiscornovus,
I agree with common idea of your approach - the checking of triggeroutputs properties. Now need to understand how to get information about the user who is owner of application (like ms flow) or who launch some application (like Excel) which sent the request in such format to be able to compare it with predefined list inside the Flow.

In my case all permitted to access to my Flow users are members of Office 365 groups.
Maybe it is useful information for the solution finding.

One more fact - it is quite enough to restrict the access only for HTTP request been sent from Power Query (Excel). And perhaps in this case the Power Query "Access Web content" options can be used.

However, I would like to highlight that I will be glad for any ideas about other possible approaches to solve the main post issue too.

Sincerely ID3

Was this reply helpful? Yes No
Paulie78 8,422 Moderator on at

Like (1)

Report
Copy link

Link copied!

I actually wrote an article on how to secure the HTTP trigger, check it out and see if it of use to you:

Secure the HTTP Request Trigger in Microsoft Power Automate

Was this reply helpful? Yes No
Expiscornovus 33,828 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!
Hi @ID3,

It is still a workaround based on the user agent string, but you can probably use this trigger condition to restrict only to Power Query (web.contents source)

@startswith(triggeroutputs()['headers']['user-agent'], 'Microsoft.Data.Mashup')

@Paulie78, nice, very useful article 🙂

However, I think ID3 wanted to avoid using a key or a password like stated in the opening post.

Was this reply helpful? Yes No
Paulie78 8,422 Moderator on at

Like (0)

Report
Copy link

Link copied!

@Expiscornovus - That will teach me not to read the question properly! Thank you for putting me straight!

Was this reply helpful? Yes No
ID3 6 on at

Like (0)

Report
Copy link

Link copied!

Dear @Paulie78
The article about HTTP Request Secure is realy nice. It means I am not alone who met the same problem and it is worth to work it out more.

Dear @Expiscornovus
Your suggested Microsoft.Data.Mashup check is a good, and I think should be used in any case.
In case of PowerQuery using with Windows or Organizational account credentials, does it mean that the data about user account (login/user name) can be taken from the trigger/Request?

Is there any MS Services can provide information about all MS Flow transactions with more details than I can see in Power Automate Runs History?

Sincerely ID3

Was this reply helpful? Yes No
Expiscornovus 33,828 Most Valuable Professional on at

Like (0)

Report
Copy link

Link copied!
Hi @ID3,

As far as I could tell it wasn't showing any data about the account which was used.

Below is an example of the raw input of the received HTTP request when I was testing it with Power Query in Excel.

{ "headers": { "Accept": "*/*", "Accept-Encoding": "gzip,deflate", "Expect": "100-continue", "Host": "prod-21.uksouth.logic.azure.com", "User-Agent": "Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=304225)", "Content-Length": "2", "Content-Type": "application/json" }, "body": {} }

Was this reply helpful? Yes No
ID3 6 on at

Like (0)

Report
Copy link

Link copied!
Dear @Expiscornovus,
Here is what I have and waht I used.
Receiver:

And here is the data.
{ "variables": [ { "name": "Trigger", "type": "String", "value": "{\"name\":\"manual\",\"inputs\":{\"method\":\"POST\"},\"outputs\":{\"headers\":{\"Connection\":\"Keep-Alive\",\"Accept\":\"application/json\",\"Accept-Encoding\":\"gzip,deflate\",\"Expect\":\"100-continue\",\"Host\":\"prod-96.westeurope.logic.azure.com\",\"User-Agent\":\"Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=3xxx5)\",\"Content-Length\":\"39\",\"Content-Type\":\"application/json\"},\"body\":{\"Type\":\"MyData\",\"Param\":\"MyData\"}},\"startTime\":\"2021-04-24T09:25:56.997722Z\",\"endTime\":\"2021-04-24T09:25:56.997722Z\",\"trackingId\":\"4xxxxxxb-5xxx-4xxe-xxxxxxxx1\",\"clientTrackingId\":\"0XXXXXXXXXXXXXXXXXXXXXXXXXX4\",\"originHistoryName\":\"0XXXXXXXXXXXXXXXXXXXXXXX\",\"status\":\"Succeeded\"}{\"Type\":\"MyData\",\"Param\":\"MyData\"}" } ] }
For sending I used this one request
let urlApi="https://prod-96.westeurope.logic.......", Request = Json.Document(Web.Contents(urlApi, [ Headers=[#"Accept"="application/json", #"content-type" = "application/json"], Content=Text.ToBinary("{""Type"": ""SiteInfo"", ""Param"": """& Site_Param &"""}")])), #"Converted to Table" = Record.ToTable(Request), #"Renamed Columns" = Table.RenameColumns(#"Converted to Table",{{"Name", "Parameter"}}), #"Changed Type" = Table.TransformColumnTypes(#"Renamed Columns",{{"Value", type text}, {"Parameter", type text}}) in #"Changed Type"
With this permissions:
It is pretty interesting why you have not "originHistoryName" and "clientTrackingId" but I have. Did you use POST or GET?
But however, I don't know are these values can help with my problem or not. ...

The problem is still not solved and important.

Sincerely ID3.

Was this reply helpful? Yes No
ZaffaSte on at

Like (0)

Report
Copy link

Link copied!

Hi Expiscornovus,
I've got a question for you, is there any way to send back an error such as 400 Bad Request or 401 Forbidden if the request doesn't satisfay the conditional trigger?
A the moment if I call the https endpoint I receive a standar "202 Accepted" code...

Thank you,
Stefano.

Was this reply helpful? Yes No
Expiscornovus 33,828 Most Valuable Professional on at

Like (1)

Report
Copy link

Link copied!

Hi @ZaffaSte,

You can remove that trigger condition and use a condition action instead. Use that startswith expression in there and use a response action to send back a HTTP 400.

https://docs.microsoft.com/en-us/azure/connectors/connectors-native-reqres#add-a-response-action

Below is an example of that.

Was this reply helpful? Yes No