Signature Verification for Events
Your webhook URL must be reachable from the open internet. That also means anyone can send requests to it: without verification, a third party could post forged events and trick your application into acting on them.
To prevent this, Adobe I/O Events signs every event it delivers and gives you the means to check that signature, as described below, so your webhook can reject anything that was not produced by Adobe I/O Events for your registration.
Digital Signatures for Security Verification
Adobe I/O Events applies the following security measures to each event delivered to your webhook:
- The event payload carries an additional field, recipient_client_id, identifying the webhook registration the event is addressed to.
- The event payload is digitally signed using a fixed public/private key pair generated by Adobe I/O Events. The digital signature is sent as a webhook request header.
- The relative path of the corresponding public key, which is served from the fixed Adobe domain static.adobeioevents.com, is sent as a webhook request header.
I/O Events sends two digital signatures as webhook request headers, in the header fields x-adobe-digital-signature-1 and x-adobe-digital-signature-2 respectively.
It also sends the relative paths of the two public keys corresponding to the private keys used to produce those signatures, in the header fields x-adobe-public-key1-path and x-adobe-public-key2-path respectively. The keys are publicly accessible on the Adobe domain static.adobeioevents.com, and the SDK fetches them by combining that fixed domain with the relative path taken from each header. Note that the header carries a path, not a URL: a verifier must only ever fetch keys from the fixed Adobe domain, because one that followed an arbitrary host named in a request header could be handed an attacker's key.
Verifying the Signature
Once the SDK has fetched the public keys as plain text, it verifies each digital signature as follows:
- recover the signed message digest from the signature using the public key (the RSA "decrypt" step)
- compute the message digest of the event payload (the raw webhook request body) using the same algorithm I/O Events used when signing, rsa-sha256
- validate the signature by comparing
  - the message digest computed by hashing the payload
  - with the digest recovered from the signature using the public key
- if either of the two signatures validates, the event is considered valid; if neither does, it is rejected.
The signature covers the exact bytes of the request body, so verify the body as it was received rather than a re-serialized copy of the parsed JSON, whose key order or whitespace may differ.
The SDK method below takes the received digital signature headers, the relative paths of the public keys and the JSON payload delivered to the webhook, and checks the payload's authenticity. The JSON payload contains the recipient_client_id, which is matched against your own webhook registration's client id, passed to the method as recipientClientId; this ensures that a validly signed event addressed to a different registration is not accepted by yours. The method returns true if the client id matches and either digital signature validates, otherwise it returns false.
This SDK API can be used in any digital signature verification implementation in your consumer app to verify the authenticity of events coming from Adobe I/O Events.
Method
verifyDigitalSignatureForEvent(event, recipientClientId, [signatureOptions]) ⇒ boolean
Param | Type | Description |
---|---|---|
event | object | JSON payload delivered to the registered webhook URL |
recipientClientId | string | Target recipient client id retrieved from the Adobe I/O Console integration |
[signatureOptions] | object | Map of digital signature header fields defined in SignatureOptions |
SignatureOptions : object
Properties
Name | Type | Description |
---|---|---|
[digiSignature1] | string | Value of the digital signature retrieved from the x-adobe-digital-signature-1 header |
[digiSignature2] | string | Value of the digital signature retrieved from the x-adobe-digital-signature-2 header |
[publicKeyPath1] | string | Relative path of the I/O Events public key retrieved from the x-adobe-public-key1-path header |
[publicKeyPath2] | string | Relative path of the I/O Events public key retrieved from the x-adobe-public-key2-path header |
Sample Headers
Headers received as part of the POST to your webhook URL:
Request URL: <webhook_url>
Request method: POST
Content-Type: application/json; charset=utf-8
accept-encoding: deflate,compress,identity
user-agent: Adobe/1.0
x-adobe-delivery-id: <id>
x-adobe-event-code: <event_code>
x-adobe-event-id: <event_id>
x-adobe-provider: <provider_name>
x-adobe-signature: <signature>
x-adobe-digital-signature-1: <digital_signature_1>
x-adobe-digital-signature-2: <digital_signature_2>
x-adobe-public-key1-path: <public_key1_relative_path>
x-adobe-public-key2-path: <public_key2_relative_path>
Response
Returns true if the recipient client id matches and either digital signature is valid; otherwise returns false.