Tao Gómez Gil

Reputation: 2757

Must MS Teams workflow URL be kept secure?

I've created a Microsoft Teams workflow to post a message when a webhook request is received, following this documentation.

The generated workflow URL contains a sig parameter that acts as an embedded bearer token, according to this Microsoft answer.

My question is: do I need to store this URL somewhere safe (i.e. a Key Vault), or is it public and can it be safely stored in the git repository?

Upvotes: 1

Views: 41

Answers (1)

Lajos Arpad

Reputation: 76905

Bearer tokens are secrets.

Bearer Token. A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).

Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.

Read more here.

So, now we understand that the reason for the bearer token to exist is to access resources without demonstrating possession of a cryptographic key. So if you leak your bearer token in a GitHub repo, then anyone having access to it (like a fired co-worker holding a grudge), especially if it is not even private, can get the benefits of possessing the cryptographic resources without ever demonstrating it.

In short, this would make your cryptographic key optional, which is something you do not want.

EDIT

As Lelio Faieta pointed out, we do need to differentiate on a case-by-case basis. A one-time token - as he pointed out - with expiry (and refresh tokens, preferably) is less of a concern than a token that lives forever. He kindly asked me to add my response from the comment section as part of the answer to make sure it's clear that this is a more complex topic than a one-key-fits-all-holes scenario.

It is less of a concern in that case (the one mentioned in the previous paragraph), but it's still a concern. Indeed, one-time tokens with short expiration are very helpful; however, here we are being asked about a Microsoft sig and the asker is wondering whether it can be versioned inside GitHub. The answer is of course that it should never end up there, and preferably it should be short-lived and one-time if that is possible for the Microsoft sig.

Upvotes: 1
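As an added example (not part of the question or the answer above), a small Python check in the spirit of that advice: it flags any URL in text about to be committed whose query string carries a non-empty `sig` parameter, redacts the value so the finding can be logged, and reads the live workflow URL from the environment (populated from a vault at deploy time) rather than from source. The host name, workflow id and signature value in the sample are constructed, not a real Teams URL.

```python
"""Flag and redact webhook URLs that embed a bearer token in a `sig` query parameter."""
import os
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Rough URL matcher; good enough for source files and config text.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def find_sig_urls(text):
    """Return every URL in `text` whose query string has a non-empty `sig` value."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")
        query = parse_qs(urlsplit(url).query)  # blank values are dropped by default
        if query.get("sig", [""])[0]:
            hits.append(url)
    return hits


def redact_sig(url):
    """Replace the `sig` value with a fixed marker so the URL can be logged safely."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "sig" in query:
        query["sig"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def webhook_url_from_env(var="TEAMS_WORKFLOW_URL", env=None):
    """Read the workflow URL from the environment; fail loudly if it was not injected."""
    env = os.environ if env is None else env
    url = env.get(var)
    if not url:
        raise RuntimeError(f"{var} is not set; load it from your secret store, never from git")
    return url


# Constructed sample of a config file someone might be tempted to commit.
SAMPLE_SOURCE = '''
TEAMS_URL = "https://prod-00.example.logic.azure.com:443/workflows/0123abcd/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=CONSTRUCTED_SAMPLE_SIGNATURE"
DOCS = "https://learn.microsoft.com/en-us/microsoft-teams/"
'''

if __name__ == "__main__":
    for found in find_sig_urls(SAMPLE_SOURCE):
        print("embedded token found, do not commit:", redact_sig(found))
```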
