---
title: Add OAuth authentication for HTTP request triggers
description: Learn about authentication parameters for HTTP request triggers.
author: rakrish84
ms.subservice: cloud-flow
ms.topic: conceptual
ms.date: 10/16/2023
ms.author: rakrish
ms.reviewer: angieandrews
ms.custom: bap-template
ms.collection: bap-ai-copilot
---
You can use the **When an HTTP request is received** trigger to start a workflow by sending an HTTP request to the endpoint generated for the flow. You can restrict who is able to trigger the workflow by ensuring that only authenticated users can call that endpoint.
> [!NOTE]
> This feature is being rolled out and might not be available in your region yet.
The trigger has three modes for the authentication parameter:

- **Any user in my tenant**: Any user in the same tenant as the maker is able to trigger this workflow. This is the default setting for new flows.
- **Specific users in my tenant**: Only the listed user IDs from the same tenant can trigger this workflow. Provide the email addresses of the specific users in the **Allowed users** field. You can also provide the object IDs of service principals if you intend the flow to be triggered only by service principal (SPN) identities.
- **Anyone**: Legacy setting for this trigger that has open access without any additional authentication. Anyone who has the URL and the associated JSON schema can trigger this workflow.
> [!NOTE]
> If you select the **Specific users in my tenant** option and leave the allowed users blank, the authentication scope is limited to the tenant. This means any user in the tenant can trigger this workflow.
If you're restricting the workflow to be triggered only by authenticated users, you need to ensure that the bearer token in the HTTP request contains the correct claims. The required claims are:

- `aud`: `<audience of the flow service>`. The audience value differs across clouds; see the audience table later in this article.
- `iss`: `<issuer of the requestor>`
- `tid`: `<tenant ID of the requestor>`
- `oid`: `<object ID of the requestor>`. Optional. This claim is required only if you have configured the trigger to restrict to specific users within the tenant.
You can inspect the claims of your request by pasting the bearer token from the `Authorization` header at https://jwt.io (this decodes the token in a third-party web page, so prefer decoding locally for tokens issued by production tenants). For more information on acquiring tokens programmatically, see the Microsoft Authentication Library (MSAL).

If you manually fetch the OAuth token from the token endpoint at login.microsoftonline.com, or use any other tool or library to do so, make sure you use a Microsoft Entra ID application registration that has the delegated permission **Power Automate / User** granted. In your OAuth token request, you must use the scope `https://service.flow.microsoft.com//User`. Note the double slash in front of `User`; the request will not work with a single slash.
The following table shows the audience values across different clouds:
Cloud type | Audience value |
---|---|
Public cloud | https://service.flow.microsoft.com/ |
Government Community Cloud (GCC) | https://gov.service.flow.microsoft.us/ |
Government Community Cloud High (GCCH) | https://high.service.flow.microsoft.us/ |
China | https://service.powerautomate.cn/ |
Department of Defense (DOD) | https://service.flow.appsplatform.us/ |
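As an added example that is not part of this article or of the Power Automate service itself, the following Python decodes the payload of a bearer token and checks the four claims described above against the audience table, the trigger's tenant, and the allowed-users list used by the **Specific users in my tenant** mode. The token, tenant ID, object ID and issuer are constructed placeholders, and the signature is deliberately not verified, so this is an inspection aid like jwt.io, not an authorization gate.

```python
import base64
import json

# Audience values from the table in this article, keyed by cloud type.
AUDIENCES = {
    "public": "https://service.flow.microsoft.com/",
    "gcc": "https://gov.service.flow.microsoft.us/",
    "gcch": "https://high.service.flow.microsoft.us/",
    "china": "https://service.powerautomate.cn/",
    "dod": "https://service.flow.appsplatform.us/",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(bearer_token: str) -> dict:
    # Decode only the payload (second segment). The signature is NOT checked,
    # so this is for inspection of the claims, never for trusting them.
    _header, payload, _signature = bearer_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims: dict, cloud: str, tenant_id: str, allowed_oids=None) -> list:
    """Return the list of problems; empty means the claims match the trigger's mode."""
    problems = []
    if claims.get("aud") != AUDIENCES[cloud]:
        problems.append(f"aud {claims.get('aud')!r} is not {AUDIENCES[cloud]!r}")
    if "iss" not in claims:
        problems.append("iss claim missing")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not the trigger's tenant")
    # An empty allowed-users list means tenant-wide access, so oid is only
    # checked when specific users (or service principal object IDs) are listed.
    if allowed_oids and claims.get("oid") not in allowed_oids:
        problems.append("oid is not in the allowed users")
    return problems


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg "none", empty signature) for this demo only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed placeholder identifiers; not real tenant or object IDs.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_OID = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = _make_unsigned_token({
    "aud": AUDIENCES["public"],
    "iss": f"https://sts.windows.net/{SAMPLE_TENANT}/",  # assumed issuer format
    "tid": SAMPLE_TENANT,
    "oid": SAMPLE_OID,
})
```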
Depending on your designer version, parameters appear in different locations.
[!INCLUDEcopilot-designer-note]
In the classic designer, the parameter appears on the trigger card.
:::image type="content" source="./media/oauth-authentication/classic-oauth-parameter.png" alt-text="Screenshot of who can trigger the cloud flow in the classic designer.":::
In the designer with Copilot, the parameter appears in the configuration panel on the left.
:::image type="content" source="./media/oauth-authentication/v3-oauth-parameter.png" alt-text="Screenshot of who can trigger the cloud flow in the designer with Copilot.":::