Re: IP Spoofing

SanfordWhiteman
Level 10 - Community Moderator

Basic Auth is just an

Authorization: Basic <base64encodedcredentials>

header. You add Custom Headers using Webhooks Actions » Set Custom Header.

Note: btoa() is not actually correct for encoding String-to-String, as it does not support non-Latin-1 characters.
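Added example, not part of the original post and not Marketo's own code: one way to build the Basic credentials value so that non-Latin-1 characters survive, by Base64-encoding the UTF-8 bytes instead of passing the string straight to btoa(). The function names are hypothetical, and UTF-8 as the credential charset is an assumption the receiving service must share.

```javascript
// Added example: names are illustrative, sample credentials are constructed.
// Assumption: the receiving service decodes credentials as UTF-8.

// Base64-encode the UTF-8 bytes of a string rather than its UTF-16 code units.
function utf8ToBase64(str) {
  const bytes = new TextEncoder().encode(str);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b); // every unit is 0..255
  return btoa(binary); // safe here: the input is strictly a byte string
}

// Build the value that goes after "Authorization:".
function basicAuthHeader(user, password) {
  // The first colon separates user and password, so the user part cannot contain one.
  if (user.includes(":")) throw new Error("user must not contain ':'");
  if (/[\u0000-\u001f\u007f]/.test(user + password)) {
    throw new Error("control characters are not allowed");
  }
  return "Basic " + utf8ToBase64(`${user}:${password}`);
}

// Receiving side: decode the value and split on the FIRST colon only.
function parseBasicAuth(headerValue) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue);
  if (!m) return null;
  try {
    const bytes = Uint8Array.from(atob(m[1]), (c) => c.charCodeAt(0));
    const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    const i = text.indexOf(":");
    return i < 0 ? null : { user: text.slice(0, i), password: text.slice(i + 1) };
  } catch (e) {
    return null; // malformed Base64 or invalid UTF-8
  }
}

// What plain btoa(str) does with the same input: it throws above U+00FF, and for
// U+0080..U+00FF it silently emits Latin-1 bytes that a UTF-8 decoder rejects.
function naiveBtoa(str) {
  try {
    return { ok: true, value: btoa(str) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}
```

Base64 is an encoding, not encryption, so the resulting header value is exactly as sensitive as the credentials it carries.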

Alex_Langridge
Level 2

Yup. I have set up the webhook and the custom header. But I can't figure out how to call the GET webhook from the landing page and use the response on the landing page.

SanfordWhiteman
Level 10 - Community Moderator

You can't call webhooks from the LP. Webhooks are only called from flows (Call Webhook).

Rajesh_Talele3
Level 1

Hi Alex,

You cannot call a 'webhook' from a landing page. A webhook is 'only' callable from the Marketo server, using a smart campaign that executes on the Marketo server side.

Alex_Langridge
Level 2

This then defeats what I'm trying to achieve.

Is there any way I can store the API key and secret in Marketo and access it securely when I make the AJAX API calls?

SanfordWhiteman
Level 10 - Community Moderator

Is there any way I can store the API key and secret in Marketo and access it securely when I make the AJAX API calls?

No.

There's no way to do what you're describing securely from the client side.

It's Web Security 101: a service that can be accessed from a public page without user interaction, and which permits connections from any IP, is not secure. You've pretty much defined the problem in your architecture. Erase your sketched-out architecture and start over; this is a dead end.

Alex_Langridge
Level 2

Yup. We will start again. Do you have a proposed method that will work with Marketo and be secure?

Alex_Langridge
Level 2

Do you propose the below will work?

On the Marketo landing page:

1. API Call 1 - Get user info based on user email from the external system - Returns an "access token" along with the user info.

2. API call response is used to populate the Marketo form.

3. Marketo form is submitted.

4. API Call 2 - Update user info on external system by matching the user email along with the above received "access token" to authenticate that the request was made by the same user.

Rajesh_Talele3
Level 1

Unfortunately, I do not have any guide for your case, as it will depend on the service provider and your business case specifics, especially when you need 'multiple' API calls (I guess one after the other) to get all the data.

You will most likely need a custom webhook which will accept a call from Marketo and manage the handshake with your external service provider to collect all the data. It can get complicated if all this is going to take some time, as the webhook might have to use Marketo API calls to write the data into Marketo if it takes a long time.

Rajesh_Talele3
Level 1

Hi Alex,

Do you mean to use 'landing page domain' based restriction instead of the IP address of the visitor?

Thus the service would allow a web page to use the service only if the web page is on your website(s). If someone else copies the 'access credentials' and creates a web page on their domain, the service should reject the request. The unauthorized person would not be able to host their landing page on your domain(s).

Hope this helps...