SOLVED

What options do I have for authenticating an action?

Level 2

I'm trying to create a headless application which essentially just transforms some JSON and puts it into the Adobe Analytics Data Insertion.

The call into the analytics data insertion doesn't seem to require any authentication.

I don't want to remove the `require-adobe-auth` from the manifest but I'm not sure what my options are if I do that?

All I'm trying to do is to call an external service. I don't need to add an API or anything that requires auth but I'm just getting a bit lost in the documentation.

 

I've been asked to explore using basic auth for this but I just don't know if that's possible. Thanks

1 Accepted Solution

Correct answer by
Employee

If the Analytics Data Insertion API doesn't require any authentication, you don't need `require-adobe-auth`. However, I understand that you still want "some protection" for your action.

What you could do is add `require-whisk-auth` to the manifest; its value is a secret hash. Then from the calling system you make a request to your action with this header: `X-Require-Whisk-Auth: secret_hash`. Other requests without this header would be rejected.

Reference: https://github.com/AdobeDocs/adobeio-runtime/blob/master/guides/securing_web_actions.md
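
The calling side of the scheme described in this answer, as an added example that is not part of the original thread or Adobe's own code: it builds the request carrying the `X-Require-Whisk-Auth` header, refuses non-HTTPS URLs, and masks the secret for logging. The function names, the 32-character minimum and `gateAllows` (a local model of the header check for tests, not the platform's implementation) are assumptions of this example.

```javascript
// Added example. Names and thresholds here are this example's assumptions.
const HEADER = 'X-Require-Whisk-Auth';

// Build fetch() arguments for calling the protected web action.
function buildActionRequest(actionUrl, secret, payload) {
  const url = new URL(actionUrl);
  if (url.protocol !== 'https:') {
    // The header is a static shared secret: never send it in cleartext.
    throw new Error('refusing to send the shared secret over a non-TLS URL');
  }
  if (typeof secret !== 'string' || secret.length < 32) {
    // 32 is this example's own floor, not a platform requirement.
    throw new Error('secret missing or too short; use a long random value');
  }
  return {
    url: url.toString(),
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', [HEADER]: secret },
      body: JSON.stringify(payload),
    },
  };
}

// Copy of the request that is safe to write to logs (header value masked).
function redactForLog(req) {
  const headers = { ...req.options.headers, [HEADER]: '***' };
  return { url: req.url, options: { ...req.options, headers } };
}

// Local model of the gate for tests: accept only when the header equals the
// configured secret. HTTP header names are case-insensitive. The comparison
// below does not exit early on the first mismatching character.
function gateAllows(headers, expected) {
  const key = Object.keys(headers)
    .find((k) => k.toLowerCase() === HEADER.toLowerCase());
  const got = key ? String(headers[key]) : '';
  let diff = got.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (got.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Usage from the calling service (secret read from its own secret store):
//   const req = buildActionRequest(actionUrl, secret, payload);
//   const res = await fetch(req.url, req.options);
```

Keep the secret out of source control on both sides: inject it into the manifest at deploy time and into the calling service from its secret store.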

7 Replies

Employee

Hi @oliverf82757722 - just for clarification, how do you trigger your actions in the headless app? Are you leveraging the alarms package to run cron jobs?

I'm trying to understand the sequence of actions in your app: does it go to the external service to grab the JSON, transform it, and save the results into Analytics?

Level 2

Hi @duypnguyen, the action will be triggered from another service within the company; that service sends a payload into the action. Thanks

Employee

@oliverf82757722 - thanks for the details. If the Analytics Data Insertion API doesn't require any authentication, you don't need `require-adobe-auth`. However, I understand that you still want "some protection" for your action. What you could do is add `require-whisk-auth` to the manifest; its value is a secret hash. Then from the calling system you make a request to your action with this header: `X-Require-Whisk-Auth: secret_hash`. Other requests without this header would be rejected.

Level 2

Ah! That's perfect! Thank you! I didn't know about the `require-whisk-auth`. Thank you 😄 Please could you provide a link to some docs around that? Thanks

Employee

Sure, I've forked my comment to an answer with the link 😄

(The doc doesn't mention the `require-whisk-auth` flag though; we are still working on the docs for manifest grammar.)