Re: Webhook authentication best practices

Anonymous · ‎05-04-2015

What kind of solutions have you used for authenticating Webhook requests coming to your backend from Marketo? The documentation (http://developers.marketo.com/documentation/webhooks/) totally ignores the subject. This is a bit strange as the documentation describes how to get sensitive user data from an apparently exposed public API. Also, in the forums there are some requests related to using OAuth2 in Webhooks but apparently this feature has not been implemented.

The only idea I can come up with is including a hard coded passphrase in the Webhook's GET or POST request parameters. I guess this is an acceptable solution if the passphrase is long enough and requests are sent over https.

Any comments or ideas?

Mikko

Anonymous · ‎05-04-2015

Hi Mikko,

I have used hard coded passphrase in webhooks in my work so far. I would also suggest checking requester IP address in your external web service and only allow to the IP range(s) Marketo will be using. You may want to check with Marketo support to find out the IP address or find them yourself from the actual test http requests.

Hope this helps

Rajesh

View solution in original post

Anonymous · ‎05-04-2015

Hi Mikko,

I have used hard coded passphrase in webhooks in my work so far. I would also suggest checking requester IP address in your external web service and only allow to the IP range(s) Marketo will be using. You may want to check with Marketo support to find out the IP address or find them yourself from the actual test http requests.

Hope this helps

Rajesh

SanfordWhiteman · ‎05-04-2015

I second @Rajesh. That's pretty much how it's done.

You could in theory also loop back using the Marketo REST API and use some kind of per-lead authentication (like checking that the Marketo id matches). But then you have to deal with the API limits, which are very low. If you were replicating your Lead Database to some in-house system, this could be used as well. But I doubt anyone (literally, anyone!) is doing these things because of the overhead. And in fairness doing OAuth with a separate authentication step for each webhook call (assuming no persistence) would be horrible for performance, too.

Anonymous · ‎05-05-2015

Thanks Rajesh and Sanford. I'll ask about the ip ranges and will get back to you after I get an answer.

Anonymous · ‎05-17-2015

Hi,

I asked customer support about the ip ranges and go the following info:

"There is no article I could refer you to in regards to IP Range Enquiry. We actually access a cached version of the application at the nearest location, so this might vary. I will investigate for you and let you know about outcome."

And (I have deleted all the info related to out instance):

As your instance of Marketo is located on our xxx pod in our xxx datacentre, these are the IP addresses you can expect the webhook requests to come from:

...

These are currently not posted anywhere customer-facing I'm afraid. However feel free to request the list any time you need it."

And:

"As far as I know, these IP addresses have not been changed since they've been introduced a couple of years ago. I don't foresee them changing at all in the future. If there was to be a decision to change them, a customer notification will be sent out to all affected customers."

Thanks again for sharing your experiences,

Mikko