Management of Client Secret with OAuth 2.0 Client Credentials Grant with custom Request Body (Microsoft Graph API)

I'm trying to connect to Microsoft Graph, specifically at the moment to retrieve an access token. Please see https://docs.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token for more details.

First, I've got this to work without using a Connected System (just an HTTP Integration). The problem I would like to overcome is that of the security of the client secret. As per https://docs.appian.com/suite/help/20.4/Integration_Object.html#encrypted-values I only have three options, which are to hard-code it in plain text in the integration object, to put it into an expression rule, or to use a connected system.

The expression rule is out as it would expose the client secret as plain text, and it doesn't appear as though I can utilize the Third-Party Credentials store through the a!scsField() function. As per the Microsoft Graph documentation (first link above) I need to construct the Request Body as follows (this is the example from the documentation):

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials

When I hard-code the client secret into the Request Body and then export the application, it doesn't appear in the Customization File, as expected, as it isn't a specific field with a specific value. Like the expression rule, that feels like hard-coding the client secret in plain text into an object, which doesn't feel secure.

So, for the last option, the Connected System, I can choose the OAuth 2.0 Client Credentials Grant as the Authentication method, and I can configure the Authorization section and can successfully Authorize. But then how do I utilize this in my Integration object to construct the Request Body? Is there a special Connected System domain (like test!output when setting up test cases in expression rules)? I can't find a way to take the details held in the Connected System, which is secure, and use them in the Integration.

Questions:

  1. Am I overdoing this? Is hard-coding the client secret in an Integration object secure?
  2. Is there any way to use the Third-Party Credentials Store? It seems a logical place to put this type of information even in a Connected System.
  3. Can I access the details in the Connected System within the Integration?

My aim is to construct a custom Request Body that contains the Client Secret in a secure way.
