IP Spoofing

Level 10 - Community Moderator

Re: IP Spoofing

Basic Auth is just an

Authorization: Basic <base64encodedcredentials>

header. You add Custom Headers using Webhooks Actions » Set Custom Header.

Note: btoa() is not actually correct for encoding String-to-String, as it does not support non-Latin-1 characters.
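The note above about btoa(), as an added example that is not part of the original post: btoa() silently encodes characters 128-255 as Latin-1 bytes and throws on anything above 255, so the header below is built from UTF-8 bytes instead. The function names and sample credentials are constructed, and it assumes the receiving server expects UTF-8 credentials (RFC 7617).

```javascript
// Added example, not code from the thread. Runs in Node 16+ or a browser.

// Base64 of the string's UTF-8 bytes. btoa() only accepts code points 0-255,
// so every UTF-8 byte is first mapped to one single-byte character.
function utf8ToBase64(str) {
  let binary = "";
  for (const b of new TextEncoder().encode(str)) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Build the value of the Authorization header for HTTP Basic (RFC 7617).
function basicAuthHeader(userId, password) {
  // The first ':' separates user-id from password, so the user-id cannot hold one.
  if (userId.includes(":")) throw new Error("user-id must not contain ':'");
  if (/[\u0000-\u001f\u007f]/.test(userId + password)) {
    throw new Error("control characters are not allowed");
  }
  return "Basic " + utf8ToBase64(userId + ":" + password);
}

// Server-side view: decode a header value back into credentials, or null.
function parseBasicAuthHeader(value) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(value);
  if (!m) return null;
  try {
    const bytes = Uint8Array.from(atob(m[1]), (ch) => ch.charCodeAt(0));
    const decoded = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
    const i = decoded.indexOf(":");
    if (i < 0) return null;
    return { userId: decoded.slice(0, i), password: decoded.slice(i + 1) };
  } catch {
    return null; // bad base64 or bytes that are not valid UTF-8
  }
}

// True when plain btoa() refuses the input (a code point above 255).
function btoaThrowsOn(str) {
  try { btoa(str); return false; } catch { return true; }
}

// Constructed sample credentials.
console.log(basicAuthHeader("test", "123\u00a3"));   // UTF-8 bytes for the pound sign
console.log("Basic " + btoa("test:123\u00a3"));      // Latin-1 byte: different header
console.log(btoaThrowsOn("user:\u043f\u0430\u0440\u043e\u043b\u044c")); // Cyrillic password
```
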

Re: IP Spoofing

Yup. I have set up the webhook and the custom header. But I can't figure out how to call the GET webhook from the landing page and use the response on the landing page.

Level 10 - Community Moderator

Re: IP Spoofing

You can't call webhooks from the LP. Webhooks are only called from flows (Call Webhook).

Re: IP Spoofing

Hi Alex,

You cannot call a 'webhook' from a landing page. A webhook is 'only' callable from the Marketo server, using a smart campaign that executes on the Marketo server side.

Re: IP Spoofing

This then defeats what I'm trying to achieve.

Is there any way I can store the API key and secret in Marketo and access it securely when I make the AJAX API Calls?

Level 10 - Community Moderator

Re: IP Spoofing

> Is there any way I can store the API key and secret in Marketo and access it securely when I make the AJAX API Calls?

No.

There's no way to do what you're describing securely from the client side.

It's Web Security 101: a service that can be accessed from a public page without user interaction, and which permits connections from any IP, is not secure. You've pretty much defined the problem in your architecture. Erase your sketched-out architecture and start over, this is a dead end.

Re: IP Spoofing

Yup. We will start again. Do you have a proposed method that will work with Marketo and be secure?

Re: IP Spoofing

Do you propose the below will work?

On the Marketo landing page,

1. API Call 1 - Get user info based on user email from the external system - Returns an "access token" along with the user info.

2. API call response is used to populate the Marketo form.

3. Marketo form is submitted.

4. API Call 2 - Update user info on external system by matching the user email along with the above received "access token" to authenticate that the request was made by the same user.

Re: IP Spoofing

Unfortunately, I do not have any guide for your case, as it will depend on the service provider and your business case specifics, especially when you need 'multiple' API calls (I guess one after the other) to get all the data.

You will most likely need a custom webhook which will accept a call from Marketo and manage the handshake with your external service provider to collect all the data. It can get complicated if this is all going to take some time, as the webhook might have to use Marketo API calls to write the data into Marketo if it takes a long time.

Re: IP Spoofing

Hi Alex,

Do you mean to use 'landing page domain' based restriction instead of the IP address of the visitor?

Thus the service would allow a web page to use the service only if the web page is on your website(s). If someone else copies the 'access credentials' and creates a web page on their domain, the service should reject the request. The unauthorized person would not be able to host their landing page on your domain(s).

Hope this helps...