Webhook callback authentication
i am trying to work with smartsheet webhooks. Would like to use the callback authentication feature as explained at http://smartsheet-platform.github.io/api-docs/#authenticating-callbacks-optional.
However, the instructions are not very clear of how to calculate the HMAC value from sharedSecret and request body. For example, do i need to concatenate these two using '|' operator or something else.
I am using Node.Js to test this out. I would really appreciate if an example can be provided to calculate the HMAC value which I can refer OR update the website documentation with explicit steps to follow.
Thanks
Comments
-
Made it work. Was doing some silly mistakes.
-
Amitk,
I'm also trying to authenticate callbacks and implemented hmac calculation in Kotlin. when trying to compare Smartsheet-Hmac-SHA256 header of the request with hmac value they are not matching (simple equality comparison) even though request is originated from smartsheet. How did you make it work?
-
Amitk,
I'm also trying to authenticate callbacks and implemented hmac calculation in Kotlin. when trying to compare Smartsheet-Hmac-SHA256 header of the request with hmac value they are not matching (simple equality comparison) even though request is originated from smartsheet. How did you make it work?
-
How did you make it work? I'm using the sharedSecret, but not sure which part of the body to use or to contact to the shareSecret.
In the body request, i get an object like:
{
nonce: '....,
timestamp: '2020-01-27T21:25:53.736+0000',
webhookId: .....,
scope: 'sheet',
scopeObjectId: ...,
events : [{....}]
}
Would appreciate your input on this. Thanks.
-
I came across this same problem and thought I'd post my solution for any future viewers.
An HMAC is a message authentication code that uses a key, a message, and a crypto function to create a hash of the key and message combination.
For example, the 16 bit (hex) digest resulting from the string "apple" as a key and the string "banana" as the message put through the SHA256 algorithm is "8656aeea5d6a2a225f13fc5b03117e21d6398018352597317b451122ab7fbb4f". Try it on this website: https://www.freeformatter.com/hmac-generator.html
You'll need to create an HMAC hex digest using the webhook's shared secret as the key, the bytes data of the smartsheet callback body as the message, and the SHA256 algorithm as the cryptographic function. You can then compare this against the Smartsheet-Hmac-SHA256 header of the request.
Hope this helps!
Categories
- All Categories
- 14 Welcome to the Community
- Customer Resources
- 64.9K Get Help
- 441 Global Discussions
- 140 Industry Talk
- 472 Announcements
- 4.9K Ideas & Feature Requests
- 129 Brandfolder
- 148 Just for fun
- 68 Community Job Board
- 496 Show & Tell
- 33 Member Spotlight
- 2 SmartStories
- 300 Events
- 36 Webinars
- 7.3K Forum Archives