When making HTTP requests within Auth0 flows that require secrets (like Microsoft OAuth client secrets), here are the key points to consider:
- Regarding secret visibility:
  - Users with access to the Auth0 dashboard can see the HTTP request configuration in flows, including any hardcoded secrets in the body
  - The actual request logs/traces don't show the full request body by default, but it's still not ideal to have secrets in plain text
- Current limitations:
  - You're correct that the Vault integration automatically uses secrets as Bearer tokens
  - There isn't a direct way to use Vault secrets in the request body through the UI configuration
My recommendations would be:
- Store the client secret in Auth0’s Secret Vault
- Access it programmatically in your custom action code rather than the visual flow builder
- Use environment variables for non-secret configuration values
- Consider implementing a caching mechanism for the Microsoft token to reduce the number of times you need to use the secret
If you absolutely must use the visual flow builder:
- Consider setting up a secure middleware/proxy service that handles the Microsoft OAuth flow
- The flow would then only need to call your secure endpoint without exposing secrets
Adding a diagram to explain my recommendation:
Hope this helps!
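As an added example (not code from the original answer or from Auth0), here is an Auth0 Action helper that follows the recommendations above: the Microsoft client secret is read from the Action's secrets (`event.secrets`) instead of being hardcoded in a flow's HTTP step, and the resulting token is cached with `api.cache` so the secret is used as rarely as possible. The secret names, the client-credentials grant and the Graph scope are assumptions; `fetchImpl` is injectable so the function can be exercised offline.

```javascript
// Auth0 Action helper (Node.js): fetch a Microsoft access token using a client
// secret stored in the Action's secrets, and cache it via api.cache.
// Assumptions (not from the original post): secrets named MS_TENANT_ID,
// MS_CLIENT_ID and MS_CLIENT_SECRET; client-credentials grant; Graph scope.
// api.cache stores strings only and returns { value, expires_at } records,
// with expires_at and the ttl option expressed in milliseconds.

const CACHE_KEY = 'ms_access_token';
const EXPIRY_MARGIN_MS = 60 * 1000; // refresh a minute before Microsoft's expiry

async function getMicrosoftToken(event, api, fetchImpl = globalThis.fetch) {
  // 1. Reuse a cached token while it is still comfortably valid.
  const cached = api.cache.get(CACHE_KEY);
  if (cached && cached.expires_at > Date.now() + EXPIRY_MARGIN_MS) {
    return { token: cached.value, fromCache: true };
  }

  // 2. The secret lives in event.secrets, never in the Action source or a flow step.
  const { MS_TENANT_ID, MS_CLIENT_ID, MS_CLIENT_SECRET } = event.secrets;
  if (!MS_TENANT_ID || !MS_CLIENT_ID || !MS_CLIENT_SECRET) {
    throw new Error('Microsoft OAuth secrets are not configured for this Action');
  }

  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: MS_CLIENT_ID,
    client_secret: MS_CLIENT_SECRET,
    scope: 'https://graph.microsoft.com/.default',
  });
  const res = await fetchImpl(
    `https://login.microsoftonline.com/${MS_TENANT_ID}/oauth2/v2.0/token`,
    { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body }
  );
  if (!res.ok) {
    // Log only the status; the response body is not echoed into Action logs.
    throw new Error(`Microsoft token request failed with HTTP ${res.status}`);
  }
  const { access_token, expires_in } = await res.json();

  // 3. Cache for the token lifetime minus the safety margin (ttl in milliseconds).
  api.cache.set(CACHE_KEY, access_token, { ttl: expires_in * 1000 - EXPIRY_MARGIN_MS });
  return { token: access_token, fromCache: false };
}

// In a real Action, call getMicrosoftToken(event, api) from the handler assigned
// to exports.onExecutePostLogin and pass the token on to your own endpoint.
```

The flow or Action then only needs the short-lived token, and the secret itself is never visible in the dashboard's HTTP step configuration.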
