
Bug report: flow export -f json includes sensitive connector web token (JWT) #6418

Open
daviewales opened this issue Oct 9, 2024 · 5 comments

Comments

@daviewales

Priority

(Medium) I'm annoyed but I'll live

Description

Power Automate flows exported with m365 flow export -f json include authentication tokens (JWTs) for associated connectors.

These appear within an object called connectionReferences. Each connection contains an authentication section, which in turn contains a parameter section. The parameter is a base64 encoded JWT.

I'm not certain, but I suspect that this JWT is used to authenticate the flow to the connector and could potentially be used to gain unauthorised access.

The connector authentication information is not included in the Zip export.

Steps to reproduce

Export a Power Automate flow as JSON with m365 flow export -f json.

Expected results

The sensitive connection authentication token should not appear in the output.

Actual results

The connection authentication token (JWT) appears in the output under

.template.resources[0].properties.connectionReferences

Use this jq command to quickly filter to it:

jq '.template.resources[0].properties.connectionReferences' name_of_exported_flow.json

(Assuming only a single list item under .template.resources, but adjust as required.)

Diagnostics

No response

CLI for Microsoft 365 version

v9.1.0

nodejs version

bun.sh: 1.1.20

Operating system (environment)

Windows

Shell

PowerShell

cli doctor

No response

Additional Info

No response

@daviewales daviewales added the bug label Oct 9, 2024
@waldekmastykarz
Member

Thank you for bringing this to our attention. Have you checked by any chance if removing the token altogether still allows you to import the exported flow?

@waldekmastykarz waldekmastykarz added the pr-priority Process this PR asap label Oct 9, 2024
@daviewales
Author

I've exported a flow as a Zip using the front end, and it does not contain the token.

It appears that m365 flow export -f zip produces something similar to what you get when you export as Zip from the front end.
But -f json produces something different.

Structure of Zip from front end:

├── Microsoft.Flow
│   └── flows
│       ├── b02395d2-c829-4226-b8bb-93eef692af21
│       │   ├── apisMap.json
│       │   ├── connectionsMap.json
│       │   └── definition.json
│       └── manifest.json
└── manifest.json

Structure of Zip from m365 flow export -f zip:

├── Microsoft.Flow
│   └── flows
│       ├── b02395d2-c829-4226-b8bb-93eef692af21
│       │   ├── apisMap.json
│       │   ├── connectionsMap.json
│       │   └── definition.json
│       └── manifest.json
└── manifest.json

Structure of export from m365 flow export -f json:

example.json

The connectionReferences section in the Zip export doesn't include the authentication tokens, and it can be re-imported.

@MartinM85
Contributor

What's not clear from the docs, only from the implementation, is that the command m365 flow export -f json returns the ARM template of the flow.

You can inspect the auth token on jwt.io, but it should be a template of the token without the scope or any other confidential data.

https://learn.microsoft.com/en-us/azure/templates/microsoft.logic/workflows?pivots=deployment-language-arm-template#workflowproperties-1

@waldekmastykarz
Member

You can inspect the auth token on jwt.io, but it should be a template of the token without the scope or any other confidential data.

Ah, so while it looks like a token, it's not an actual token that you could use for anything! If that's the thing, let's update our docs to clarify this. Great find @MartinM85!

@waldekmastykarz waldekmastykarz added docs help wanted and removed bug pr-priority Process this PR asap labels Oct 10, 2024
@daviewales
Author

Thanks, that's helpful. Good to know it's an ARM template too. In my case I was looking for a JSON version of the Zip export, so I've resorted to just exporting as Zip, then extracting.
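The jq filter in the report and the jwt.io check suggested above can be combined into one offline audit: walk every resource's connectionReferences in the exported JSON, decode the payload of each JWT-shaped string, and report which claims it carries, so a template token (no scope, expiry or audience) is distinguished from a usable bearer token. This is an added example, not CLI for Microsoft 365 code; the sample export and the key names under "authentication" (parameters, token) are constructed assumptions.

```python
import base64
import json
import re

# Claims whose presence marks a live bearer token rather than a placeholder.
SENSITIVE_CLAIMS = ("scp", "roles", "exp", "aud", "oid", "upn")
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def decode_jwt(token: str) -> dict:
    """Decode the payload only; signature is not verified (inspection, not use)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def jwt_strings(node, path):
    """Yield (jq-style path, value) for every JWT-shaped string nested under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from jwt_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from jwt_strings(v, f"{path}[{i}]")
    elif isinstance(node, str) and JWT_RE.match(node):
        yield path, node

def audit_export(doc: dict) -> list:
    """List each JWT under connectionReferences with the sensitive claims it carries;
    an empty 'sensitive' list means the value is template-like."""
    findings = []
    for i, res in enumerate(doc.get("template", {}).get("resources", [])):
        refs = res.get("properties", {}).get("connectionReferences", {})
        base = f".template.resources[{i}].properties.connectionReferences"
        for path, tok in jwt_strings(refs, base):
            payload = decode_jwt(tok)
            findings.append({"path": path, "claims": sorted(payload),
                             "sensitive": [c for c in SENSITIVE_CLAIMS if c in payload]})
    return findings

def unsigned_jwt(payload: dict) -> str:
    """Build an alg=none token for the constructed sample below (never for real use)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."

# Constructed sample export; key names under 'authentication' are assumptions.
SAMPLE_EXPORT = {"template": {"resources": [{"properties": {"connectionReferences": {
    "shared_office365": {"authentication": {"parameters": {"token": unsigned_jwt({"typ": "template"})}}},
    "shared_sql": {"authentication": {"parameters": {
        "token": unsigned_jwt({"scp": "user_impersonation", "exp": 1728500000})}}},
}}}]}}
```

Run audit_export(json.load(open("name_of_exported_flow.json"))) on a real export; any finding with a non-empty "sensitive" list is a value that should be scrubbed before the file is shared.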
