Utilizing a HTTP Vault in Body

sam.karl · January 18, 2025, 8:58pm

Since there is not integration for utilizing external email providers yet in flows. I have to do a http request first get a access token for my Microsoft email. However, I want to protect my secret key. Since the vault connection automatically attaches it as a bearer token it cannot be used.

Is there a way to utilize the vault for the body of a http request?
If I place my client secret plainly in the body can users see this request within the flow? Are there security concerns?

sumansaurav · January 19, 2025, 7:04am

When making HTTP requests within Auth0 flows that require secrets (like Microsoft OAuth client secrets), here are the key points to consider:

Regarding secret visibility:

Users with access to the Auth0 dashboard can see the HTTP request configuration in flows, including any hardcoded secrets in the body
The actual request logs/traces don’t show the full request body by default, but it’s still not ideal to have secrets in plain text

Current limitations:

You’re correct that the Vault integration automatically uses secrets as Bearer tokens
There isn’t a direct way to use Vault secrets in the request body through the UI configuration

My recommendations would be:

Store the client secret in Auth0’s Secret Vault
Access it programmatically in your custom action code rather than the visual flow builder
Use environment variables for non-secret configuration values
Consider implementing a caching mechanism for the Microsoft token to reduce the number of times you need to use the secret

If you absolutely must use the visual flow builder:

Consider setting up a secure middleware/proxy service that handles the Microsoft OAuth flow
The flow would then only need to call your secure endpoint without exposing secrets

Adding a diagram to explain my recommendation:

Hope this helps!

sam.karl · January 19, 2025, 7:02pm

Thanks Suman,

I little more background of why I am using two HTTP requests in my forms flow is that I am doing a OTP for new users only. I like your idea of creating the bearer token in the actions using the secrets. I could then pass this token down to the forms flow where I create the OTP and send it via the MS graph API.

I could possibly do a management API to modify the the vault bearer token from actions which may work as well. I’ll have to look into this, but right now since this is a one time action for new users, it’s working well enough.

My feature request at this time would be to have Management API to send a OTP email using a template. Then I could just create the code in flows or actions and then send it using the API and then collect and verify all while using my configured email provider.

system · March 11, 2025, 7:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use API Key from vault in HTTP Request in Flow Get Help apis , application	6	137	December 6, 2024
Creating Vault connection for flow that uses Management API Get Help management-api , actions-management-api	2	303	September 5, 2024
Call management API from Flows Get Help management-api , users-by-email	5	53	January 24, 2025
Call REST API within Auth0 forms and flows Get Help login-experience , new-universal-login-experience	3	229	January 20, 2025
Using the management API in flow actions Get Help auth0 , actions	6	8254	April 24, 2021

Utilizing a HTTP Vault in Body

Related topics