Adobe Developer

oliverf82757722 · 9/22/20

I have been asked to explore Project Firefly and various uses of it and I'm struggling to understand how to authenticate this call.

I'm only at the very beginning of exploration so I have probably missed something and was hoping someone could point me in the right direction.

I have created a new generic action (eventually this will connect with Adobe Target but just keeping it simple for now). This new action will be invoked by a webhook from a CMS system that we use. When new content is published it will call this action's URL and the action will handle the request. I just don't know how to authenticate the webhook.

In postman I can put in my Bearer token (which I get from `aio login`) but obviously I can't put that into the webhook as it will change over time. How should I go about creating an action that can be authenticated from an external service like this?

The only options I have from our CMS is either a basic auth username/password or values to put into custom headers.

Thanks for any help you can provide.

Urs_Boller · 9/22/20

I would create a service account for your external tool. basically the external tool fetches a new access token (bearer token) before calling the firefly action. read more about service accounts here: https://www.adobe.io/authentication/auth-methods.html#!AdobeDocs/adobeio-auth/master/JWT/JWT.md

View solution in original post

Urs_Boller · 9/22/20

I would create a service account for your external tool. basically the external tool fetches a new access token (bearer token) before calling the firefly action. read more about service accounts here: https://www.adobe.io/authentication/auth-methods.html#!AdobeDocs/adobeio-auth/master/JWT/JWT.md

oliverf82757722 · 9/22/20

Ah, I had read about that but was hoping for a more passive way of authenticating the call. I think what I'll have to do is to run the webhook to another service (something we already do) and then authenticate my own service and use that to call the Firefly action. Thanks I'll explore this as a possible way of working.

Urs_Boller · 9/22/20

in your manifest.yaml change action to "require-adobe-auth: false" (key maybe different). with this setup everybody can call the action without access token. you could add your own param to check... would not do it this way due to security, but you could...

oliverf82757722 · 9/22/20

Yeah, I thought about that too but like you said, it's not secure. I think it will be easier for me to use a proxy. I can authenticate the webhook to our own service and then use our existing service to get the bearer token with the JWT before calling it. Thanks

duypnguyen · 9/22/20

Hi @oliverf82757722 - in addition to what Urs said (setting require-adobe-auth to false to avoid the token check for webhook), there is a simple way to give some security to your webhook (though not as secure as require-adobe-auth), that you could add `require-whisk-auth: some-password` to your action definition in the manifest. Then from the webhook source you call this with the password attached in the headers. Reference: https://github.com/apache/openwhisk/blob/master/docs/webactions.md#securing-web-actions.

Urs_Boller · 9/22/20

@duypnguyen thanks for sharing the "whisk-password" option, great to know!

oliverf82757722 · 9/22/20

@duypnguyen ah, that's really good to know, thanks!

oliverf82757722 · 9/22/20

If I want to use a JWT for an action should I have require-adobe-auth: true in the manifest.yml? Also, is there a reference of what the options and properties are for that file? I'm finding it hard to discover what can go in there. Thanks

duypnguyen · 9/23/20

@oliverf82757722- When you enable the `require-adobe-auth` flag to true, your action is protected by an IMS validation against the passed token and org ID, so that only the entitled party can access it. More on this in the Security Overview.

And thanks for the feedback about manifest file. So far we don't have a grammar book for it yet, but are working on it. You can track the status here: https://github.com/AdobeDocs/project-firefly/issues/60.

oliverf82757722 · 9/23/20

@duypnguyen thanks. What would I put in the manifest instead of `require-adobe-auth` when I want to authenticate with a JWT? Thanks

duypnguyen · 9/23/20

@oliverf82757722 - are you passing the JWT access token in the headers when calling the action, or not attaching the token at all and expecting the action to obtain it automatically? For the former, `require-adobe-auth: true` is all you need to do. For the latter, it is insecure because the action then obtains the token on behalf of the calling system. I would recommend you to check out this thread by @Urs_Boller if you have a similar use case (and recommended solution for it): https://experienceleaguecommunities.adobe.com/t5/project-firefly-questions/adobe-credentials-for-sta....

oliverf82757722 · 9/23/20

@duypnguyen ah! I realised my error, after reading the security overview the error made more sense. It looks like I have created an SPA rather than a headless app. So that's why the JWT was failing. Need to work out how to create a headless app instead. Thanks for the help and the patience

Adobe Developer

Create an action that will be called by an external service

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe