Bug report: flow export -f json includes sensitive connector web token (JWT) #6418

@daviewales

Priority

(Medium) I'm annoyed but I'll live

Description

Power Automate flows exported with m365 flow export -f json include authentication tokens (JWTs) for associated connectors.

These appear within an object called connectionReferences. Each connection contains an authentication section, which in turn contains a parameter section. The parameter is a base64 encoded JWT.

I'm not certain, but I suspect that this JWT is used to authenticate the flow to the connector and could potentially be used to gain unauthorised access.

The connector authentication information is not included in the Zip export.

Steps to reproduce

Export a Power Automate flow as JSON with m365 flow export -f json.

Expected results

The sensitive connection authentication token should not appear in the output.

Actual results

The connection authentication token (JWT) appears in the output under

.template.resources[0].properties.connectionReferences

Use this jq command to quickly filter to it:

jq '.template.resources[0].properties.connectionReferences' name_of_exported_flow.json

(Assuming only a single list item under .template.resources, but adjust as required.)

Diagnostics

No response

CLI for Microsoft 365 version

v9.1.0

nodejs version

bun.sh: 1.1.20

Operating system (environment)

Windows

Shell

PowerShell

cli doctor

No response

Additional Info

No response
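
A check that can be run on an export before it is shared or committed, as an added example that is not part of the original issue or of CLI for Microsoft 365: it walks everything under `connectionReferences` and replaces any string that is a JWT, or base64 that decodes to one, with a placeholder. The connector names, the `authentication` and `parameter` key spellings and the sample token are constructed assumptions based on the report's wording.

```javascript
// Added example, not CLI for Microsoft 365 code: redact JWT-like strings under connectionReferences.
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// True when s has three base64url segments and the first decodes to a JSON header with "alg".
function isJwt(s) {
  if (typeof s !== 'string' || !JWT_RE.test(s)) return false;
  try {
    const header = JSON.parse(Buffer.from(s.split('.')[0], 'base64').toString('utf8'));
    return header !== null && typeof header === 'object' && 'alg' in header;
  } catch { return false; }
}

// The report calls the value "base64 encoded", so also unwrap one base64 layer.
function looksLikeToken(s) {
  if (isJwt(s)) return true;
  if (typeof s !== 'string' || !/^[A-Za-z0-9+\/_=-]{16,}$/.test(s)) return false;
  return isJwt(Buffer.from(s, 'base64').toString('utf8').trim());
}

// Walk objects and arrays, replacing token-like strings and recording their paths.
function redact(node, path, found) {
  if (Array.isArray(node)) return node.map((v, i) => redact(v, `${path}[${i}]`, found));
  if (node !== null && typeof node === 'object') {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, redact(v, `${path}.${k}`, found)]));
  }
  if (looksLikeToken(node)) { found.push(path); return '[REDACTED]'; }
  return node;
}

// Returns a redacted deep copy plus the paths that were redacted; the input is not modified.
function redactFlowExport(flow) {
  const found = [];
  const copy = JSON.parse(JSON.stringify(flow));
  (copy?.template?.resources ?? []).forEach((res, i) => {
    const refs = res?.properties?.connectionReferences;
    if (refs === undefined) return;
    res.properties.connectionReferences =
      redact(refs, `.template.resources[${i}].properties.connectionReferences`, found);
  });
  return { flow: copy, found };
}

// Constructed sample input: unsigned placeholder JWT, hypothetical connector and key names.
const b64u = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = `${b64u({ alg: 'none', typ: 'JWT' })}.${b64u({ sub: 'constructed' })}.c2ln`;
const sampleFlow = { template: { resources: [{ properties: { connectionReferences: {
  shared_example: { authentication: { parameter: Buffer.from(sampleJwt).toString('base64') } },
  shared_other: { authentication: { parameter: sampleJwt } },
} } }] } };
```

Pass it the result of `JSON.parse` on the exported file; an empty `found` array means no token-like value was detected under `connectionReferences`.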

Labels

docs, keep-open, work in progress
