Since there is no integration for utilizing external email providers in Flows yet, I have to do an HTTP request first to get an access token for my Microsoft email. However, I want to protect my secret key. Since the Vault connection automatically attaches it as a bearer token, it cannot be used.
Is there a way to utilize the Vault for the body of an HTTP request?
If I place my client secret plainly in the body, can users see this request within the flow? Are there security concerns?
When making HTTP requests within Auth0 flows that require secrets (like Microsoft OAuth client secrets), here are the key points to consider:
- Regarding secret visibility:
  - Users with access to the Auth0 dashboard can see the HTTP request configuration in flows, including any hardcoded secrets in the body
  - The actual request logs/traces don’t show the full request body by default, but it’s still not ideal to have secrets in plain text
- Current limitations:
  - You’re correct that the Vault integration automatically uses secrets as Bearer tokens
  - There isn’t a direct way to use Vault secrets in the request body through the UI configuration
My recommendations would be:
- Store the client secret in Auth0’s Secret Vault
- Access it programmatically in your custom action code rather than the visual flow builder
- Use environment variables for non-secret configuration values
- Consider implementing a caching mechanism for the Microsoft token to reduce the number of times you need to use the secret
If you absolutely must use the visual flow builder:
- Consider setting up a secure middleware/proxy service that handles the Microsoft OAuth flow
- The flow would then only need to call your secure endpoint without exposing secrets
Adding a diagram to explain my recommendation:
Hope this helps!
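As an added illustration of the recommendation above (example code written for this thread, not code from the original post or from Auth0), here is how the token acquisition can live in an Action: the client secret is read from the Action's own secrets, only ever travels in the POST body to Microsoft's token endpoint, and the resulting token is cached with `api.cache` so the secret is used as rarely as possible. The secret names (`MS_TENANT_ID`, `MS_CLIENT_ID`, `MS_CLIENT_SECRET`), the cache key and the injected `fetchFn` parameter are assumptions; the token endpoint and the `.default` Graph scope are the standard client-credentials values.

```javascript
// Added example (not from the thread): obtain a Microsoft Graph token inside an
// Auth0 Action using a client secret stored in the Action's secrets, caching the
// token so the secret is not sent on every login. Secret names and the cache key
// are assumptions; fetchFn is injected so the function can be tested offline.
const CACHE_KEY = "ms_graph_token"; // assumed cache key
const MAX_CACHE_TTL_MS = 15 * 60 * 1000; // Auth0 caps cache entries at 15 minutes

async function getMicrosoftToken(event, api, fetchFn) {
  // Reuse a cached token when one is present (api.cache stores string values).
  const cached = api.cache.get(CACHE_KEY);
  if (cached && cached.value) {
    return { token: cached.value, fromCache: true };
  }

  const { MS_TENANT_ID, MS_CLIENT_ID, MS_CLIENT_SECRET } = event.secrets || {};
  if (!MS_TENANT_ID || !MS_CLIENT_ID || !MS_CLIENT_SECRET) {
    throw new Error("Microsoft credentials are not configured in the Action secrets");
  }

  // Client-credentials grant: the secret goes in the form body, never in a header
  // and never into the visual flow configuration that dashboard users can read.
  const url = `https://login.microsoftonline.com/${encodeURIComponent(MS_TENANT_ID)}/oauth2/v2.0/token`;
  const form = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: MS_CLIENT_ID,
    client_secret: MS_CLIENT_SECRET,
    scope: "https://graph.microsoft.com/.default",
  });
  const res = await fetchFn(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: form.toString(),
  });
  if (!res.ok) {
    // Report only the status; the error body is for operator logs, not user-facing errors.
    throw new Error(`Microsoft token request failed with HTTP ${res.status}`);
  }
  const data = await res.json();

  // Cache a bit shorter than the token lifetime so a stale token is never handed out.
  const ttlMs = Math.min(Math.max((data.expires_in - 300) * 1000, 60 * 1000), MAX_CACHE_TTL_MS);
  api.cache.set(CACHE_KEY, data.access_token, { ttl: ttlMs });
  return { token: data.access_token, fromCache: false };
}

// In the Action editor this is called from the handler, e.g.
// exports.onExecutePostLogin = async (event, api) => { const { token } = await getMicrosoftToken(event, api, fetch); ... };
```

Only the short-lived Graph token, never the client secret, is then available to later steps such as the Forms flow that sends the OTP email.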
Thanks Suman,
A little more background on why I am using two HTTP requests in my Forms flow: I am doing an OTP for new users only. I like your idea of creating the bearer token in Actions using the secrets. I could then pass this token down to the Forms flow where I create the OTP and send it via the MS Graph API.
I could possibly use the Management API to modify the Vault bearer token from Actions, which may work as well. I’ll have to look into this, but right now, since this is a one-time action for new users, it’s working well enough.
My feature request at this time would be to have a Management API to send an OTP email using a template. Then I could just create the code in Flows or Actions, send it using the API, and then collect and verify, all while using my configured email provider.