Avatar

Correct answer by
Employee

Hi @Urs_Boller , thanks for raising this question, a very nice one.

Currently there is no Launch "callback" definition OOTB in Firefly, but we will forward the request to the respective team for consideration.

What you could do for now, is to create a web action as a receiver of this callback. It is public without authentication.

If there is a way that the callback emitter can attach headers, you may leverage the `require-whisk-auth` flag by Openwhisk (on which I/O Runtime is built): https://github.com/apache/openwhisk/blob/master/docs/webactions.md#securing-web-actions

If the callback emitter can not attach headers to the request (looks like the case of Launch callback), how about a simple query param that allows you to check where a request comes from? Something like https://adobeioruntime,net/api/v1/web/guest/my-app/callback?challenge=1234.

It is important that your webhook as a public action only accepts incoming callbacks and does not returns any data. The challenge is useful for filtering legitimate request from Launch and not another source.

There could be other ways of securing webhooks available which require custom implementation.

View solution in original post