The HTTP POST URL of the ‘When an HTTP request is received’ trigger in Power Automate Flows is a public endpoint, so you need to secure it.
There are several options to secure the receiving Flow for Actionable Messages requests:

  1. Enable Schema validation in the settings of the trigger
  2. Add Trigger conditions based on Headers keys
  3. Compare correlationId from Headers with the original one

The first option is easy to set and will validate the request body against the schema provided. In case there is a mismatch, HTTP 400 will be returned. This will just check the json payload and not the caller.

The second option is to add trigger conditions to check the Headers keys value.
For example the ‘appid’ from the bearer token: The ID of the application which issues the token. The value should always be 48af08dc-f6d2-435f-b2a7-069abd99c086. The Web service should reject the token and the request if the value doesn’t match.
So I added a trigger condition to do this check:
@equals(json(decodeBase64(concat(split(triggerOutputs()[‘headers’]?[‘Action-Authorization’],’.’)?[1],’==’)))?[‘appid’],’48af08dc-f6d2-435f-b2a7-069abd99c086′)

You could add a check for the ‘iss’ and ‘aud’ key as well.

The third option is to create a guid in your Flow and save it to CDS, and use it to set the value for the property ‘correlationId’ in the JSON of the Actionable Message.

We recommend that when sending an actionable card, your service should set and log a unique UUID in this property. When the user invokes an Action.Http action on the card, Office 365 sends the Card-Correlation-Id and Action-Request-Id headers in the POST request to your service. Card-Correlation-Id contains the same value as the correlationId property in the card.

Outlook-specific Adaptive Card properties and features

In this way you can get the correlationId from the Headers key and compare it with the saved value:
@equals(triggerOutputs()[‘headers’]?[‘Card-Correlation-Id’],'{Guid}’)

Resources:
Security requirements for actionable messages in Office 365
Bearer Token
Additional properties on the AdaptiveCard type

Thank you John Liu for helping me with adding the ‘==’ to get de decoding right.

The post Secure the receiving Flow for Actionable Messages requests appeared first on There's Something About Dynamics 365.