Bug report: `flow export -f json` includes sensitive connector web token (JWT)
Priority
(Medium) I'm annoyed but I'll live
Description
Power Automate flows exported with m365 flow export -f json include authentication tokens (JWTs) for associated connectors.
These appear within an object called connectionReferences. Each connection contains an authentication section, which in turn contains a parameter section. The parameter is a base64-encoded JWT.
I'm not certain, but I suspect that this JWT is used to authenticate the flow to the connector and could potentially be used to gain unauthorised access.
The connector authentication information is not included in the Zip export.
Steps to reproduce
Export a Power Automate flow as JSON with m365 flow export -f json.
Expected results
The sensitive connection authentication token should not appear in the output.
Actual results
The connection authentication token (JWT) appears in the output under
.template.resources[0].properties.connectionReferences
Use this jq command to quickly filter to it:
jq '.template.resources[0].properties.connectionReferences' name_of_exported_flow.json
(Assuming only a single list item under .template.resources, but adjust as required.)
Diagnostics
No response
CLI for Microsoft 365 version
v9.1.0
nodejs version
bun.sh: 1.1.20
Operating system (environment)
Windows
Shell
PowerShell
cli doctor
No response
Additional Info
No response
Thank you for bringing this up to our attention. Have you checked by any chance if removing the token altogether still allows you to import the exported flow?
I've exported a flow as a Zip using the front end, and it does not contain the token.
It appears that m365 flow export -f zip produces something similar to what you get when you export as Zip from the front end.
But -f json produces something different.
Structure of Zip from front end:
├── Microsoft.Flow
│ └── flows
│ ├── b02395d2-c829-4226-b8bb-93eef692af21
│ │ ├── apisMap.json
│ │ ├── connectionsMap.json
│ │ └── definition.json
│ └── manifest.json
└── manifest.json
Structure of Zip from m365 flow export -f zip:
├── Microsoft.Flow
│ └── flows
│ ├── b02395d2-c829-4226-b8bb-93eef692af21
│ │ ├── apisMap.json
│ │ ├── connectionsMap.json
│ │ └── definition.json
│ └── manifest.json
└── manifest.json
Structure of export from m365 flow export -f json:
example.json
The connectionReferences section in the Zip export doesn't include the authentication tokens, and it can be re-imported.
What's not clear from the docs, only from the implementation, is that the command m365 flow export -f json returns an ARM template of the flow.
You can inspect the auth token on jwt.io, but it should be a template of the token without the scope or any other confidential data.
https://learn.microsoft.com/en-us/azure/templates/microsoft.logic/workflows?pivots=deployment-language-arm-template#workflowproperties-1
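Rather than pasting the parameter value into jwt.io to find out whether it is live, the check a practitioner would want is to decode it locally. The script below is an added example for this thread, not code from CLI for Microsoft 365 or from anyone in the discussion. It reads the exported ARM template, walks the .template.resources[*].properties.connectionReferences path quoted in the bug report, decodes the header and payload of every JWT-shaped string it finds without verifying anything, and flags values that carry audience, scope or identity claims together with a signature and a future expiry. The list of claims treated as sensitive, the live/template heuristic, and the sample export (beyond the connectionReferences / authentication / parameter keys named in the issue) are assumptions of this example, and the two tokens in the sample are constructed, not taken from a real export.

```python
"""Offline triage of JWT-looking values in `m365 flow export -f json` output.

Added example for the thread; not part of CLI for Microsoft 365. Decodes
locally so a possibly-live token never leaves the machine.
"""
import base64
import json
import re
import time

# Claims whose presence suggests a usable access token rather than a template.
# This list is an assumption of the example, not something the CLI defines.
SENSITIVE_CLAIMS = {"scp", "scope", "roles", "upn", "email", "oid", "tid", "aud", "exp", "appid"}

JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header, payload, signature_present) without verification, or None if not a JWT."""
    if not JWT_RE.match(token):
        return None
    head, body, sig = token.split(".")
    try:
        header = json.loads(b64url_decode(head))
        payload = json.loads(b64url_decode(body))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    return header, payload, bool(sig)


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string nested under `node`."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from iter_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from iter_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def triage_export(export, now=None):
    """Find JWT-shaped values under connectionReferences and classify each one."""
    now = time.time() if now is None else now
    findings = []
    for i, res in enumerate(export.get("template", {}).get("resources", [])):
        refs = res.get("properties", {}).get("connectionReferences", {})
        root = f".template.resources[{i}].properties.connectionReferences"
        for path, value in iter_strings(refs, root):
            decoded = decode_jwt(value)
            if decoded is None:
                continue
            header, payload, signed = decoded
            sensitive = sorted(SENSITIVE_CLAIMS.intersection(payload))
            exp = payload.get("exp")
            unexpired = isinstance(exp, (int, float)) and exp > now
            # Heuristic: signed, non-"none" alg, unexpired and carrying
            # audience/scope/identity claims -> treat as a live credential.
            live = signed and header.get("alg", "none") != "none" and unexpired and bool(sensitive)
            findings.append({
                "path": path,
                "alg": header.get("alg"),
                "sensitive_claims": sensitive,
                "signed": signed,
                "unexpired": unexpired,
                "verdict": "treat as live credential" if live else "looks like a template/placeholder",
            })
    return findings


def make_jwt(header, payload, signature):
    """Build an unsigned-for-real JWT string for the constructed sample below."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


# Constructed sample export: key names follow the issue, everything else is made up.
SAMPLE_NOW = 1_700_000_000
SAMPLE_EXPORT = {"template": {"resources": [{"properties": {"connectionReferences": {
    "shared_office365": {"authentication": {"parameter": make_jwt(
        {"alg": "RS256", "typ": "JWT"},
        {"aud": "https://api.example.invalid", "scp": "Mail.Send",
         "upn": "user@contoso.invalid", "exp": SAMPLE_NOW + 3600},
        "c2lnbmF0dXJl")}},
    "shared_sharepointonline": {"authentication": {"parameter": make_jwt(
        {"alg": "none", "typ": "JWT"}, {"ver": "1.0"}, "")}},
}}}]}}

if __name__ == "__main__":
    for finding in triage_export(SAMPLE_EXPORT, now=SAMPLE_NOW):
        print(json.dumps(finding))
```

Run it against a real export with `json.load(open("name_of_exported_flow.json"))` in place of SAMPLE_EXPORT; a "treat as live credential" verdict is the cue to rotate the connection and treat the file as secret, while "looks like a template/placeholder" matches the maintainer's explanation above.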
Ah, so while it looks like a token, it's not an actual token that you could use for anything! If that's the thing, let's update our docs to clarify this. Great find @MartinM85!
Thanks, that's helpful. Good to know it's an ARM template too. In my case I was looking for a JSON version of the Zip export, so I've resorted to just exporting as Zip, then extracting.