Signature Verification for Events
Your webhook URL must be reachable from the open internet. That also means anyone can send requests to it: a third party can post forged requests and trick your application into handling events that never came from Adobe.
To prevent this, Adobe I/O Events signs every delivery, and the validation process described below lets your webhook verify that a request genuinely originated from Adobe I/O Events before acting on it.
Digital Signatures for Security Verification
Adobe I/O Events performs the following security measures for each event delivered to your webhook:
- It includes an additional field, recipientclientid, in your event payload.
- It signs the event payload digitally using a fixed public/private key pair generated by Adobe I/O Events. The digital signature is sent as a webhook request header.
- It sends the relative path of the corresponding public key, which is served from the fixed Adobe domain static.adobeioevents.com, as a webhook request header.
I/O Events sends two digital signatures as webhook request headers, in the header fields x-adobe-digital-signature-1 and x-adobe-digital-signature-2 respectively.
It also sends the relative paths of the two public keys corresponding to the private keys used to generate those signatures, in the header fields x-adobe-public-key1-path and x-adobe-public-key2-path respectively. The public keys are publicly accessible on the Adobe domain static.adobeioevents.com; the SDK fetches each key by appending its relative path to that fixed domain. The domain is the trust anchor here: the path headers are attacker-controllable in a forged request, so an implementation must never treat them as complete URLs or fetch keys from any other host, otherwise a forger could supply the public key matching their own signature.
Verifying the Signature
Once the SDK has fetched the public keys as plain text, it verifies the digital signatures as follows:
- recover the message digest from each signature using the corresponding public key (RSA signature verification);
- compute the message digest of the event payload (the webhook request body) with the same hash algorithm, rsa-sha256, that I/O Events used when signing;
- validate each signature by comparing
  - the message digest computed by hashing, and
  - the digest recovered from the signature using the public key;
- if at least one of the two signatures validates, the event is considered valid.
In practice, crypto libraries expose these steps as a single verify operation that takes the payload, the public key and the signature; use that rather than implementing the recover-and-compare yourself.
The SDK method below takes the received digital signature headers, the relative paths of the public keys and the JSON payload delivered to the webhook, and checks the payload's authenticity. The JSON payload carries recipientclientid, which is matched against the webhook registration client id you pass to the method, so an event signed by Adobe but addressed to a different registration is rejected even though its signature is valid. The method returns true if at least one digital signature validates (and the client id matches), otherwise false.
You can use this SDK API in any digital signature verification implementation in your consumer app to verify that events genuinely come from Adobe I/O Events.
Method
verifyDigitalSignatureForEvent(event, recipientClientId, [signatureOptions]) ⇒ boolean
Parameters
- event (object): the JSON payload delivered to the webhook URL
- recipientClientId (string): the client id of your webhook registration, matched against recipientclientid in the payload
- signatureOptions (SignatureOptions, optional): the signature and key-path header values, described below
SignatureOptions : object
Properties
Four string values: the two digital signatures and the two public key relative paths, taken from the request headers shown in the sample below.
Sample Headers
Headers received as part of POST to webhook URL:
Request URL: <webhook_url>
Request method: POST
Content-Type: application/json; charset=utf-8
accept-encoding: deflate,compress,identity
user-agent: Adobe/1.0
x-adobe-delivery-id: <id>
x-adobe-event-code: <event_code>
x-adobe-event-id: <event_id>
x-adobe-provider: <provider_name>
x-adobe-signature: <signature>
x-adobe-digital-signature-1: <digital_signature_1>
x-adobe-digital-signature-2: <digital_signature_2>
x-adobe-public-key1-path: <public_key1_relative_path>
x-adobe-public-key2-path: <public_key2_relative_path>
Response
Returns true if at least one digital signature validates and the payload's recipientclientid matches the client id you passed; otherwise returns false.