Two-Step Authentication with Webhooks

Kevin_Tuttle1
Marketo Employee

When using webhook connections with Marketo, you will often come across an API that uses a two-step process. The first request sends the authentication information and returns an access token; that token then has to be provided with the second (and any subsequent) requests to authenticate them. Both the Marketo and SFDC REST APIs follow this model. Marketo's Webhook functionality, though, is only a one-step process, so it's necessary to employ separate Webhook configurations to get this to work.


The first step is to create a new custom field on the Person object to hold the access token value. This field will hold the temporary, generated access token value between webhook connections.

Kevin_Tuttle1_0-1674848630351.png


The next step is to create a Webhook just to do the initial authentication step. It will save the returned token value in the Access Token field. Here is an example that connects to SFDC:

Kevin_Tuttle1_1-1674848950290.png
Kevin_Tuttle1_2-1674848966741.png


The last step is to create the Webhook that does the actual work with the remote API. Here I set up one that can update a Lead's Sync_To_Marketo__c field. Note the custom header that passes the captured Access Token value through in the Authorization header.

Kevin_Tuttle1_3-1674849123782.png


5 Comments
SanfordWhiteman
Level 10 - Community Moderator

This has 2 different race conditions though:

  1. You must only trigger the 2nd webhook when Webhook is Called has fired for the 1st webhook. Can't be just two Call Webhook steps in a row.
  2. The access token can expire after the 1st webhook writes it to a field and before the 2nd has attempted to use the value. It's easy to make this happen when running a large batch-to-request-campaign. So you also need an exception-handling campaign that can tell you when the 2nd Webhook is Called returned an error.
maddie_vararu_n
Level 2

Hey guys, thanks so much for adding this info to the forum.


I'm trying to do this exact thing right now and whilst the call is successful, it doesn't seem to be populating the field I set up to house the authorization token, which means the next call fails. I actually have two fields set up, one as String and one as Text as the token that I saw coming through in Postman was 1292 characters long, which means it's unlikely to fit into the String type field, but neither fields are being filled out. Any suggestion on what I should/could try to get this stored on the person record?


I also saw some other discussions where Sanford recommends to not use the two webhook set-up but use a webhook proxy. I've been googling like mad, but I am probably not exactly searching the correct keywords to find what I need. Any advice?


Many thanks for your help!

Darshil_Shah1
Level 10 - Community Advisor + Adobe Champion

@maddie_vararu_n, yeah, webhooks are stateless entities by nature, which means that systems requiring one HTTP connection to get an expiring token, followed by another connection to do a lookup or update, aren't webhook-compatible. You can of course store the OAuth token in a field and use that for your subsequent calls, but that is not 100% failure-proof without a proper error-handling mechanism and without ensuring you make the 2nd call after the Webhook is Called has fired for the 1st webhook, as Sandy mentions in the comment above. Also, the access token isn't 1292 characters long. Are you storing the entire JSON response of the authentication API in the field? Are you able to show your webhook configuration? Of course, please make sure to mask your API creds before you add details about it here.


Using an API Gateway, essentially a proxy service that takes care of getting the OAuth token and making the apt update/lookup call, is ideal, which means from Marketo you'd just make a single call to this proxy, which will then take care of making an authenticated call to the system and return the data.
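The proxy approach recommended above, and the two-step flow from the original post, written out as an added example (this is not code from Marketo or from anyone in this thread): a small Python token proxy that Marketo would call in a single step. It caches the token from the response shape posted later in the thread (authTokenDetails.access_token), refreshes it shortly before expires_on, and retries exactly once on a 401 so the expiry race described in the comments is handled server side rather than in a Marketo campaign. The FakeRemote class, its token values and the URLs are constructed stand-ins for the real auth and Lead-update endpoints, so the block runs offline.

```python
import time
from typing import Any, Callable, Dict

class TokenProxy:
    """One-step endpoint for Marketo to call: the proxy fetches, caches and
    refreshes the OAuth token itself, so Marketo never stores or forwards it."""
    def __init__(self, fetch_token: Callable[[], Dict[str, Any]], call_api: Callable[..., Dict[str, Any]],
                 now: Callable[[], float] = time.time, skew: int = 60):
        self.fetch_token, self.call_api, self.now, self.skew = fetch_token, call_api, now, skew
        self._token, self._expires_on = "", 0.0

    def _refresh(self) -> str:
        # Same response shape as the one posted in the thread: authTokenDetails.access_token
        details = self.fetch_token()["authTokenDetails"]
        self._token, self._expires_on = details["access_token"], float(details["expires_on"])
        return self._token

    def token(self) -> str:
        # Refresh `skew` seconds before the advertised expiry rather than after it.
        if not self._token or self.now() >= self._expires_on - self.skew:
            return self._refresh()
        return self._token

    def update(self, url: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Authorization": f"Bearer {self.token()}"}
        resp = self.call_api(url, headers, payload)
        if resp.get("status") == 401:
            # The race from the comments: token expired between fetch and use. Refresh, retry once.
            headers["Authorization"] = f"Bearer {self._refresh()}"
            resp = self.call_api(url, headers, payload)
        return resp

class FakeRemote:
    """Constructed stand-in for the remote auth and Lead-update endpoints; no network."""
    def __init__(self, now: Callable[[], float]):
        self.now, self.issued, self.valid, self.calls = now, 0, set(), []

    def auth(self) -> Dict[str, Any]:
        self.issued += 1
        tok = f"tok{self.issued}"; self.valid.add(tok)  # constructed token value
        return {"authTokenDetails": {"token_type": "Bearer", "expires_in": "3599",
                                     "expires_on": str(int(self.now()) + 3599), "access_token": tok},
                "isSuccess": True, "message": None}

    def update(self, url: str, headers: Dict[str, str], payload: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append(headers.get("Authorization", ""))
        if self.calls[-1].split(" ", 1)[-1] not in self.valid:  # clearing `valid` simulates server-side expiry
            return {"status": 401, "error": "invalid token"}
        return {"status": 200, "url": url, "updated": payload}
```

Marketo's single webhook would then POST the Lead update to this proxy with no token in the request, and the Webhook is Called trigger only has to watch one call for errors.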

maddie_vararu_n
Level 2

Hi @Darshil_Shah1, thanks for responding! I was off for a bit and then ill, so took me a while to come back to this. I ran a test from Postman to see what the Authorization token looks like and this is the response I get:

{
    "authTokenDetails": {
        "token_type": "Bearer",
        "expires_in": "3599",
        "ext_expires_in": "3599",
        "expires_on": "1693910049",
        "not_before": "1693906149",
        "resource": "api://e4ea53c4-e608-4dcd-be25-ddab18562f9e",
        "access_token": "eyJ0bXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9....UhdUawmxZvCSirFP7HlYucfRliZtVM1BrhdG4UChv3znPz9DqNr25h2wxc1utUMDA6XC_IqtkMKjfmY5JeenkvqjGAzWgmSpk-USU9ZjIfrbGbI6sa1n3RbGjr1oBsChI1-iz3oezLA4sdzkleLuBISVvuO6-yKPKHffciPrQR8YdzFYqRmjkotLUqGuuPwiHq5TZ7Fswqr8yEtZVG-nSAuwgkGHUjHpNKYZ_3y3ZesKcLjGFCiQXDWnAMtlgeDeL-IP4fQ48eENrLkJQ6o5_Y2ZbX2z0hfp8j0p5GrSje_6QQkXXY-ZUh3F-_OCmXlKFlF7xfupHrvNq2k6shzHWA"
    },
    "isSuccess": true,
    "message": null
}

Here's my authorization token call set-up - I created two fields to store the token, one text area and one string. I tried with each individually, in the example below I added both.
maddie_vararu_n_0-1693906701126.png

And here's the webhook for submitting the information: 

maddie_vararu_n_1-1693906860458.png

I'm by no means a developer, but budget constraints mean I have to do what I can 🙂 is there anything I can ask the third-party to do to make this process a bit easier? 


Thank you so much for your help!

Darshil_Shah1
Level 10 - Community Advisor + Adobe Champion

Please use the code editor to add the code/response snippets, as it becomes really difficult to read them otherwise. Re the Get Access Token webhook setup in Marketo, are you sure that it's a POST call per your webhook definition? Normally, that type of request is a GET. Also, earlier, I thought you were talking about Marketo's access token, which is by no means 1292 characters long, but since this service's access token is, you should be using the text field to store the access token from the incoming response JSON. You should remove the entry from the Response Mapping where you're updating the access token to a string field, and just have the entry where you write the access token to a text area field.


Also, I hope you're using the Webhook is Called trigger to trigger off your 2nd webhook after making the Authorization token call instead of using an arbitrary wait step b/w the 2 webhook calls.