Custom Connectors

Exported Custom Connector, where’s my client secret setting?

carinamclaesson

This post is part of a series of posts about custom connectors. In this post I’ll let you in on an issue I encountered recently. It has now been solved and might be good for you to know this was a bug and should be fixed soon (might already be ok in your region). In this post I will share my findings from that journey.

All parts of this series:

  1. Revisiting Custom Connectors
  2. Using OAuth 2.0 in Custom Connectors
  3. Unique Redirect URL for OAuth 2.0 Custom Connectors
  4. Exported Custom Connector, where’s my client secret setting?
  5. The ALM story for Custom Connectors

In my previous post, I mentioned that nowadays it is required to have a unique redirect URL for a (OAuth 2.0) custom connector. I had updated my connector to use a unique redirect URL. By clicking the check box, it was generated, all was good. I fixed with different client ids/secrets to be used for Dev, Test, Prod, along with the Redirect URLs for the different environments. So far so good. In Dev all good.

In the target environments, all bad. Connections could not be created successfully anymore. Now let’s look at the issue, the solution, and my (a bit cumbersome) way to finding out what was wrong. Always good with a bit of perspective, to know that you are not alone banging your head against a wall sometimes.

The issue

When exporting a solution containing a custom connector, the client secret setting is not included in the exported file, even though I use environment variables. The expected result would be to have it included.

Exported custom connector, connection parameters, no client secret
Where’s the client secret setting?!

The solution

This is a bug in the platform and there is a fix from Microsoft on its way. In fact, the fix has already come to my environment (fix deployed on May 3rd in my region according to Microsoft Support.). So all is good for me again.

The fix is targeted to be deployed to all regions this upcoming weekend according to Microsoft Support. So in case you are not in the European region and you experience this issue, don’t put anymore time into troubleshooting, the fix is on its way 🙂

Exported custom connector, connection parameters, with client secret
There it is!

In order to successfully export a solution and to get it to include the client secret, you might need to update the custom connector before doing the export. Just open the custom connector, go to the Security Settings, Edit, and in the client secret field, paste the content that should be in there, e.g. @environmentVariables(“myPrefix_myEnvVar”) in case your environment variable holding the client secret is called myPrefix_myEnvVar. Save and Export.

Note! My work-around until the fix was deployed was to update the client secret field of the custom connector in the target environment manually, adding @environmentVariables(“myPrefix_myEnvVar”), poining out my environment variable where the client secret is located. Ok as a work-around, but not in the long run. (Adding an unmanaged layer in the target environment etc).

Troubleshooting

You always learn a lot from troubleshooting. I sometimes think that it’s an art of its own to troubleshoot. To break down a problem into smaller pieces and step by step working your way towards solving the problem.

All was working fine with my custom connector. Happy days, information was exchanged between systems using the connector. Then an update came to the platform. I had to update the connector to use a unique Redirect URL. See my previous post. All good with that. Except for the fact that in my target environment that I had imported the updated custom connector to, I was not able to create a new connections. (Error message in the end of the connection creating wizard telling me invalid client id or similar).

Since the client secret looks like ****** in the UI when updating a connector, it was not totally obvious what was missing. I double-checked the client id and secret values set in the environment variables more than one time, I verified in the API/service portal that I was using the correct client id and secret values and that I had set the correct redirect URL.

Client secret, does it contain something or not?!


I reached out to community fellows and one of them reminded me of the fact that I could check the exported solution file to see if all looked good in there. This is something I have done many times in the past, gone to the exported file to investigate if any relevant part is missing, did not think about that with my connector at first though.

This is the content of a solution file containing a custom connector.

In the Connector folder, there are four files. The one I showed under the Issue chapter earlier in this post is the connection parameters JSON file. That is where to go and look if the client secret is missing.

I noticed it was missing in the exported file and then it was obvious why I could not create any new connections in the target environment. The connector did not know where to find the client secret (since its settings did not point out which environment variable to go and look for).

But way was it missing in the exported file?! I registered a Microsoft ticket. Turned out this was a bug and a fix was on its way. This issue have not affected all existing custom connectors. It was related to the fact that I went and updated my connector. So your custom connector might still be ok.

Good to know though that if you have issues creating new connections in a target environment. It can be because you have not updated and started to use a unique redirect URL or it can be this bug making your client secret setting in the custom connector not to be included in your exported solution.

Also note that typing in the actual client secret value in there in the custom connector would give you the same result, no client secret setting into the exported file. You need to use an environment variable. This is by-design and from security perspective.

I can see that other have experienced this issue as well, I hope that with this post, someone will save time not having to troubleshoot as much as I did.

Findings

  • There is a bug in the platform which has caused the client secret setting in a custom connector not to be included in exported solution files.
  • In Admin Center you can go and look at “Known issues”. It’s located under Help + support and you can search for e.g. Custom Connectors or something else relevant to what you are looking for.
  • In Admin Center you can look at “Known issues”, but you might not find the issue you know is about to be fixed. 😏
  • If you get in trouble in a target environment, don’t forget that you can always check the exported solution file (exported from dev before imported into the target environment). You might notice that the parts you really need are actually missing!
  • I sometimes learn a lot just by being curious and pay attention to details when managing a Microsoft Support ticket and having conversations with Microsoft.
  • Microsoft Support have really started to utilize Microsoft Copilot in their daily work, to summarize a case and get suggestions, based on internal documentation and past cases. Pretty cool!

Also see the landing page for Power Platform and Azure Logic Apps connectors.

Cover photo by Michael Dziedzic on Unsplash

Unknown's avatar

Published by carinamclaesson

5 thoughts on “Exported Custom Connector, where’s my client secret setting?”

  1. Pingback: Exported Custom Connector, where’s my client secret setting? | 365 Community
  2. Pingback: Revisiting Custom Connectors – Carina M. Claesson
  3. Pingback: Using OAuth 2.0 in Custom Connectors – Carina M. Claesson
  4. Pingback: Unique Redirect URL for OAuth 2.0 Custom Connectors – Carina M. Claesson
  5. Pingback: The ALM story for Custom Connectors – Carina M. Claesson

Leave a comment