Closed: robotdan closed this issue 11 months ago
I was wondering about this specific feature reading through the documentation and did not find it, now happy to see it coming in the next version.
For webhooks it is pretty common to create an HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 of the payload, include a timestamp, and have the option to include sensitive headers in the hash, as it is summed up at webhooks.fyi.
Configuration options I can think of:
Having a tenant-level global configuration with overrides at the webhook level would be a good option, or having "named configurations" that could be assigned with a simple selection per webhook.
Besides this, JWT-based security would be a useful and secure feature: https://webhooks.fyi/security/jwt-jwk-oauth2
@attilah FYI, pinged the engineer working on this and it is currently in code review.
Thanks for the update @mooreds!
Actually, I spoke too soon. It is in design review, not code review. Sorry about that.
@attilah there's some internal discussion and thought you might weigh in. Can you think of any reason you might want to be able to have webhook messages signed by an RSA/ECC key (instead of HMAC)?
Or will HMAC suit your needs?
Add config for Webhook Signature
Description
The smart folks over at ngrok have put together a bunch of great information on webhooks, best practices, and reviewed a bunch of existing webhook producers to identify common behaviors.
Solution
Things we should consider:
Additional context
Once this is complete, submit a PR to add our name to this list:
Related
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
Documentation
- webhook.signatureConfiguration.enabled and webhook.signatureConfiguration.signingKeyId fields on API
- webhook.signatureConfiguration.signingKeyId to Key Rotation page
Release Notes
Add support for signing webhook events with a SHA-256 hash function. This feature will allow consumers of FusionAuth events to verify the message body has not been modified. The signature is contained in a JWT and will be sent using an HTTP request header named X-FusionAuth-Signature-JWT. You may use existing JWT verification strategies including consuming the public key from the JWKS endpoint. See Signing Webhooks (/docs/v1/tech/events-webhooks/signing) and the Webhooks APIs (/docs/v1/tech/apis/webhooks) for signing and verification details.