A couple years ago, I requested that webhooks support Basic authentication, at a minimum:
That was implemented, thank you again.
Our platform is making another upgrade, this time to enable OAuth authentication for our inbound webhooks. So, for example, when doing the webhook registration call:
curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer 8e600a4c-0027-4a9a-9bda-dc8d5c90350d" -d '{ "id":"79667c29-bd07-428d-9c29-23e18b023978", "externalId" : "external company ID", "url":"https://www.mydomain.com/another_webhook_new_url","eventTypes":[{"id":"1"},{"id":"2"}]}' https://api.rach.io/1/public/notification/webhook
I second this request. Passing the bearer token in the URL via the access_token poses a security risk… would be much better to have the option to send it in the header. I like the suggested implementation by @FlyingDiver.
What security risk are you referring to @ajostler? Full URL over https is encrypted, in a similar way a header would be. If you rely on plain http, than it’s just as venerable as a header would be.
For systems which cannot accept token via URL, then a custom header support would be desired, but if yours accepts it over URL, you are all set, as long as you are using a standard https encryption.
I don’t think there’s any way to provide a token via URL. There’s no standard syntax (that I know of) for embedding a Bearer token in the URL, as there is for username:password.
Thanks for the response, @Gene. I think you’re right about the security assuming the use of HTTPS. At first I didn’t think my system (Smartthings) allowed for authorization via URL, which is why I was hunting for a way to provide it in the header in the Rachio Webhook. However, turns out I had an error somewhere else, and I’ve now got it all working!
@FlyingDiver, the way to pass the token via URL is with the “access_token” key. Your URL will end up looking something like this.
@Gene - I think @ajostler was confused about my specific request. This is NOT about authenticating to the Rachio servers, which the access_token in the URL seems to satisfy. I’m specifically talking about providing authentication information in the webhook, for authenticating to the webhook recipient. I can do that now with username:password in the webhook URL submitted to the Rachio servers. But we’re trying to migrate from using username:password to revokable tokens, so I need something that will generate a “Bearer” type Authentication header. Like the curl --oauth2-bearer option does.
I haven’t had much luck finding documentation on the REST standard for including “access_token” in the URL. However, I believe that it’s a fairly common practice. This is where I originally found the suggestion to use the “access_token” key.
And here are a few examples of systems allowing for authentication via URL with the use of the “access_token” key.
As @Gene mentioned, not all systems accept the token via URL (which might be why you’re not having much luck). However, for me, it worked great. I agree with your original post, though, that it would be great to include the option to add a bearer token in the header.
