Expand my Community achievements bar.

SOLVED

rules for Adobe Launch triggers?

Avatar

Community Advisor

Looking at the Adobe Launch API there is a subscription service to register a callback request. the definition of the API reguest can be found here: https://developer.adobelaunch.com/api/reference/1.0/callbacks/create/ I really love the idea of registering my own url within those callbacks, mainly because @jexnerW4D wrote a blog about: https://webanalyticsfordevelopers.com/2020/04/07/using-audit-events-in-launch/

 

the first idea was to expose one of my action to public so that I can be used to register as url in a launch callback. but how to handle "authentication"? and how to prevent somebody else calling my action? I would need to do all the checks about permission within the action itself which seems far too complicated...

 

having more insights about Firefly and triggers/rules within AIO, I assume that the funcationality of those callbacks are based on the same technology as the Firefly rules. basically it creates sort of a "rule" and invoces an action to call my registered url.

 

It would be really cool if we could just add a new "rule" to my app manifest.yml listening for defined triggers. is that possible? or any other idea how to invoce one of my action directly to Launch build events (aka triggers)?

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Employee

Hi @Urs_Boller , thanks for raising this question, a very nice one.

Currently there is no Launch "callback" definition OOTB in Firefly, but we will forward the request to the respective team for consideration.

What you could do for now, is to create a web action as a receiver of this callback. It is public without authentication.

If there is a way that the callback emitter can attach headers, you may leverage the `require-whisk-auth` flag by Openwhisk (on which I/O Runtime is built): https://github.com/apache/openwhisk/blob/master/docs/webactions.md#securing-web-actions

If the callback emitter can not attach headers to the request (looks like the case of Launch callback), how about a simple query param that allows you to check where a request comes from? Something like https://adobeioruntime,net/api/v1/web/guest/my-app/callback?challenge=1234.

It is important that your webhook as a public action only accepts incoming callbacks and does not returns any data. The challenge is useful for filtering legitimate request from Launch and not another source.

There could be other ways of securing webhooks available which require custom implementation.

View solution in original post

2 Replies

Avatar

Correct answer by
Employee

Hi @Urs_Boller , thanks for raising this question, a very nice one.

Currently there is no Launch "callback" definition OOTB in Firefly, but we will forward the request to the respective team for consideration.

What you could do for now, is to create a web action as a receiver of this callback. It is public without authentication.

If there is a way that the callback emitter can attach headers, you may leverage the `require-whisk-auth` flag by Openwhisk (on which I/O Runtime is built): https://github.com/apache/openwhisk/blob/master/docs/webactions.md#securing-web-actions

If the callback emitter can not attach headers to the request (looks like the case of Launch callback), how about a simple query param that allows you to check where a request comes from? Something like https://adobeioruntime,net/api/v1/web/guest/my-app/callback?challenge=1234.

It is important that your webhook as a public action only accepts incoming callbacks and does not returns any data. The challenge is useful for filtering legitimate request from Launch and not another source.

There could be other ways of securing webhooks available which require custom implementation.

Avatar

Community Advisor
hi @duypnguyen. thanks for forwarding the question. meanwhile I will try to add the public endpoint of my unprotected as callback. there is no need for a query param since I only use the start of the action as a trigger and will not rely on any input from the action. means as soon as my action get's triggered, it runs completely independent from any input params... but having a "protected" trigger would be far better...