API Manager policy to handle WebHook Secret

Question

API Manager policy to handle WebHook Secret

Steve 1

Can someone point me to some document where I can handle a webhook secret from a 3rd party into an API POST which has been setup on the Azure API Manager.

MayankBargali-MSFT 70,941 Reputation points Moderator

2022-05-25T03:56:06.8+00:00

@Steve Thanks for reaching out. Can you please confirm my understanding is correct and if you are talking about Azure APIM
Client Calling the Azure APIM API's --> APIM (need to pass the client secret from APIM to backend) --> Backend (webhook endpoint)
Steve 1 Reputation point

2022-05-25T12:05:44.207+00:00

Client has an application which has a webhook which is triggered when a new booking is entered. Thus I was thinking something like this.

Client Webhook calls the Azure APIM API--> APIM should validate the secret configured on the client side webhook and then pass it to backend which is a LogicApp.

Let me know.
Steve

1 answer

Your answer

MayankBargali-MSFT 70,941 Reputation points Moderator

2022-05-25T03:56:06.8+00:00

@Steve Thanks for reaching out. Can you please confirm my understanding is correct and if you are talking about Azure APIM
Client Calling the Azure APIM API's --> APIM (need to pass the client secret from APIM to backend) --> Backend (webhook endpoint)
Steve 1 Reputation point

2022-05-25T12:05:44.207+00:00

Client has an application which has a webhook which is triggered when a new booking is entered. Thus I was thinking something like this.

Client Webhook calls the Azure APIM API--> APIM should validate the secret configured on the client side webhook and then pass it to backend which is a LogicApp.

Let me know.
Steve

Answer 1

MayankBargali-MSFT 70,941 Moderator

@Steve Just to reconfirm my understanding you are passing the secret from client to APIM and what APIM to validate whether the secret is valid or not before passing to your backend service logic app.
If this is the case, then you need to have custom service that validates this for you with some mapping at your end of different clients with their respective secrets. From APIM you can leverage SendRequest
Policy to call your custom service to validate it. In case if you have few clients then you do this mapping and storing it levering the name values. The mapping should be the product keys that you are providing to your client to call the APIM APIs with the respective secrets.

Steve 1 Reputation point

2022-05-26T15:46:02.377+00:00

This is exactly what I am trying to do. Currently there is only a few clients I need to support so name values looks like it might work for this use case. Evenly if this requirement grows to expand to more secret methods I will move it to SendRequest Policy.

Thanks for giving me the direction I needed.
Steve
MayankBargali-MSFT 70,941 Reputation points Moderator

2022-05-26T16:00:04.057+00:00

@Steve Thanks for your response. Glad to know it helped. I have converted my comment to answer. Feel free to 'Accept as Answer' so that it can help others in the community looking for help on similar topics.

Share via

API Manager policy to handle WebHook Secret

1 answer

Your answer