Bug report: `flow export -f json` includes sensitive connector web token (JWT)
#6418
Comments
Thank you for bringing this up to our attention. Have you checked by any chance if removing the token altogether still allows you to import the exported flow?
I've exported a flow as a Zip using the front end, and it does not contain the token. It appears that
Structure of Zip from front end:
Structure of Zip from
Structure of export from
There
What's not clear from the doc, only from the implementation, the command
You can inspect the auth token on jwt.io, but it should be a template of the token without the scope or any other confidential data.
Ah, so while it looks like a token, it's not an actual token that you could use for anything! If that's the thing, let's update our docs to clarify this. Great find @MartinM85!
Thanks, that's helpful. Good to know it's an ARM template too. In my case I was looking for a JSON version of the Zip export, so I've resorted to just exporting as Zip, then extracting.
Priority
(Medium) I'm annoyed but I'll live
Description
Power Automate flows exported with `m365 flow export -f json` include authentication tokens (JWTs) for associated connectors. These appear within an object called `connectionReferences`. Each connection contains an `authentication` section, which in turn contains a `parameter` section. The `parameter` is a base64 encoded JWT. I'm not certain, but I suspect that this JWT is used to authenticate the flow to the connector and could potentially be used to gain unauthorised access.
The connector authentication information is not included in the Zip export.
Steps to reproduce
Export a Power Automate flow as JSON with `m365 flow export -f json`.
Expected results
The sensitive connection authentication token should not appear in the output.
Actual results
The connection authentication token (JWT) appears in the output under
Use this `jq` command to quickly filter to it:
(Assuming only a single list item under `.template.resources`, but adjust as required.)
Diagnostics
No response
CLI for Microsoft 365 version
v9.1.0
nodejs version
bun.sh: 1.1.20
Operating system (environment)
Windows
Shell
PowerShell
cli doctor
No response
Additional Info
No response
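A defender-side check for the problem described in this report, added here as an example and not code from the CLI for Microsoft 365 project: it walks an exported flow JSON, flags every JWT-shaped string found under a `connectionReferences` object (so the export can be audited before it is committed or shared), lists the claim names each token carries, and returns a redacted copy. The nesting used in the constructed sample (`template.resources[].properties.connectionReferences.<name>.authentication.parameter`) is an assumption based on the report; the walk itself does not depend on it.

```javascript
// Added example, not code from the CLI for Microsoft 365 project: scan an exported
// flow JSON for JWT-shaped strings under any "connectionReferences" object and
// return a redacted copy plus a list of what was found. The nesting used in the
// constructed sample is an assumption based on the report above.
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Decode one base64url segment as JSON; null when it is not JSON.
function decodeSegment(seg) {
  try { return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8')); }
  catch { return null; }
}

// JWT shape (three dot-separated base64url parts) with a JSON header naming "alg".
function looksLikeJwt(value) {
  if (typeof value !== 'string' || !JWT_RE.test(value)) return false;
  const header = decodeSegment(value.split('.')[0]);
  return header !== null && typeof header.alg === 'string';
}

// Walk the document; once inside a "connectionReferences" subtree, replace every
// JWT-shaped string with a placeholder and record its path and payload claim names.
function redactConnectionTokens(doc) {
  const findings = [];
  const walk = (node, path, inside) => {
    if (Array.isArray(node)) return node.map((v, i) => walk(v, `${path}[${i}]`, inside));
    if (node && typeof node === 'object') {
      const out = {};
      for (const [k, v] of Object.entries(node)) {
        out[k] = walk(v, `${path}.${k}`, inside || k === 'connectionReferences');
      }
      return out;
    }
    if (inside && looksLikeJwt(node)) {
      const claims = decodeSegment(node.split('.')[1]) || {};
      findings.push({ path, claims: Object.keys(claims) });
      return '<REDACTED_JWT>';
    }
    return node;
  };
  return { redacted: walk(doc, '$', false), findings };
}

// Constructed sample: a dummy token and a document mimicking the export shape.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ aud: 'constructed', scp: 'Files.Read' })}.sig`;
const sampleExport = {
  name: 'demo-flow',
  template: { resources: [{ properties: { connectionReferences: {
    shared_office365: { authentication: { parameter: sampleJwt } } } } }] },
};
console.log(JSON.stringify(redactConnectionTokens(sampleExport).findings));
```

If the maintainers' statement that the value is only a template holds, the claim list reported for a real export should show no scope or identity claims; the redacted copy is what you would keep in source control either way.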