
SOLVED

Create an action that will be called by an external service


Level 2

I have been asked to explore Project Firefly and various uses of it and I'm struggling to understand how to authenticate this call.

I'm only at the very beginning of exploration so I have probably missed something and was hoping someone could point me in the right direction.

I have created a new generic action (eventually this will connect with Adobe Target but just keeping it simple for now). This new action will be invoked by a webhook from a CMS system that we use. When new content is published it will call this action's URL and the action will handle the request. I just don't know how to authenticate the webhook.

In Postman I can put in my Bearer token (which I get from `aio login`) but obviously I can't put that into the webhook as it will change over time. How should I go about creating an action that can be authenticated from an external service like this?

The only options I have from our CMS are either a basic auth username/password or values to put into custom headers.

Thanks for any help you can provide.


1 Accepted Solution


Correct answer by
Community Advisor

I would create a service account for your external tool. Basically, the external tool fetches a new access token (bearer token) before calling the Firefly action. Read more about service accounts here: https://www.adobe.io/authentication/auth-methods.html#!AdobeDocs/adobeio-auth/master/JWT/JWT.md


12 Replies



Level 2
Ah, I had read about that but was hoping for a more passive way of authenticating the call. I think what I'll have to do is to run the webhook to another service (something we already do) and then authenticate my own service and use that to call the Firefly action. Thanks I'll explore this as a possible way of working.


Community Advisor
In your manifest.yaml, change the action to "require-adobe-auth: false" (key may be different). With this setup everybody can call the action without an access token. You could add your own param to check... Would not do it this way due to security, but you could...


Level 2
Yeah, I thought about that too but like you said, it's not secure. I think it will be easier for me to use a proxy. I can authenticate the webhook to our own service and then use our existing service to get the bearer token with the JWT before calling it. Thanks


Employee
Hi @oliverf82757722 - in addition to what Urs said (setting require-adobe-auth to false to avoid the token check for the webhook), there is a simple way to give some security to your webhook (though not as secure as require-adobe-auth): you could add `require-whisk-auth: some-password` to your action definition in the manifest. Then from the webhook source you call this with the password attached in the headers. Reference: https://github.com/apache/openwhisk/blob/master/docs/webactions.md#securing-web-actions.
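
The "own param to check" idea from the replies above, combined with the CMS's custom-header option, as an added example that is not part of the original thread or Adobe's code: a web action deployed without `require-adobe-auth` that verifies a shared secret itself. The header name `x-webhook-secret` and the `WEBHOOK_SECRET` default parameter are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: header name configured as a custom header in the CMS webhook.
const SECRET_HEADER = 'x-webhook-secret';

// Constant-time comparison. Hashing both values first gives equal-length
// buffers, which crypto.timingSafeEqual requires.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a, 'utf8').digest();
  const hb = crypto.createHash('sha256').update(b, 'utf8').digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Look the header up without depending on the casing the platform delivers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function main(params) {
  // Assumption: WEBHOOK_SECRET is a default parameter bound at deploy time,
  // with the `final` annotation set so request parameters cannot override it.
  const expected = params.WEBHOOK_SECRET;
  if (typeof expected !== 'string' || expected.length === 0) {
    return { statusCode: 500, body: { error: 'secret not configured' } }; // fail closed
  }
  // Web actions receive the request headers in params.__ow_headers.
  const presented = getHeader(params.__ow_headers || {}, SECRET_HEADER);
  if (typeof presented !== 'string' || !safeEqual(presented, expected)) {
    return { statusCode: 401, body: { error: 'unauthorized' } };
  }
  // Authenticated: handle the CMS "content published" event here.
  return { statusCode: 200, body: { accepted: true } };
}

exports.main = main;
```

The secret is a long-lived static credential, so it should be generated randomly, sent only over HTTPS, and rotated when the CMS configuration changes hands.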


Community Advisor
@duypnguyen thanks for sharing the "whisk-password" option, great to know!


Level 2
If I want to use a JWT for an action should I have require-adobe-auth: true in the manifest.yml? Also, is there a reference of what the options and properties are for that file? I'm finding it hard to discover what can go in there. Thanks


Employee

@oliverf82757722 - When you enable the `require-adobe-auth` flag to true, your action is protected by an IMS validation against the passed token and org ID, so that only the entitled party can access it. More on this in the Security Overview.

And thanks for the feedback about manifest file. So far we don't have a grammar book for it yet, but are working on it. You can track the status here: https://github.com/AdobeDocs/project-firefly/issues/60.


Level 2
@duypnguyen thanks. What would I put in the manifest instead of `require-adobe-auth` when I want to authenticate with a JWT? Thanks


Employee
@oliverf82757722 - are you passing the JWT access token in the headers when calling the action, or not attaching the token at all and expecting the action to obtain it automatically? For the former, `require-adobe-auth: true` is all you need to do. For the latter, it is insecure because the action then obtains the token on behalf of the calling system. I would recommend you to check out this thread by @Urs_Boller if you have a similar use case (and recommended solution for it): https://experienceleaguecommunities.adobe.com/t5/project-firefly-questions/adobe-credentials-for-sta....


Level 2
@duypnguyen ah! I realised my error, after reading the security overview the error made more sense. It looks like I have created an SPA rather than a headless app. So that's why the JWT was failing. Need to work out how to create a headless app instead. Thanks for the help and the patience