Webhook callback authentication

amitk-productiv
amitk-productiv
edited 12/09/19 in Smartsheet Basics

i am trying to work with smartsheet webhooks. Would like to use the callback authentication feature as explained at http://smartsheet-platform.github.io/api-docs/#authenticating-callbacks-optional.

However, the instructions are not very clear of how to calculate the HMAC value from sharedSecret and request body. For example, do i need to concatenate these two using '|' operator or something else.

I am using Node.Js to test this out. I would really appreciate if an example can be provided to calculate the HMAC value which I can refer OR update the website documentation with explicit steps to follow.

Thanks

Tags:
· Share on FacebookShare on Twitter

Comments

  • amitk-productiv
    amitk-productiv

    Made it work. Was doing some silly mistakes. 

    · Share on FacebookShare on Twitter
  • rammohanvarma
    rammohanvarma ✭✭

    Amitk,

    I'm also trying to authenticate callbacks and implemented hmac calculation in Kotlin. when trying to compare Smartsheet-Hmac-SHA256 header of the request with hmac value they are not matching (simple equality comparison) even though request is originated from smartsheet. How did you make it work? 

    · Share on FacebookShare on Twitter
  • rammohanvarma
    rammohanvarma ✭✭

    Amitk,

    I'm also trying to authenticate callbacks and implemented hmac calculation in Kotlin. when trying to compare Smartsheet-Hmac-SHA256 header of the request with hmac value they are not matching (simple equality comparison) even though request is originated from smartsheet. How did you make it work? 

    · Share on FacebookShare on Twitter
  • jameskyle
    jameskyle

    How did you make it work? I'm using the sharedSecret, but not sure which part of the body to use or to contact to the shareSecret.

    In the body request, i get an object like:

    {

    nonce: '....,

     timestamp: '2020-01-27T21:25:53.736+0000',

     webhookId: .....,

     scope: 'sheet',

     scopeObjectId: ...,

     events : [{....}]

    }


    Would appreciate your input on this. Thanks.

    · Share on FacebookShare on Twitter
  • Dylan
    Dylan ✭✭
    edited 04/07/20

    I came across this same problem and thought I'd post my solution for any future viewers.

    An HMAC is a message authentication code that uses a key, a message, and a crypto function to create a hash of the key and message combination.

    For example, the 16 bit (hex) digest resulting from the string "apple" as a key and the string "banana" as the message put through the SHA256 algorithm is "8656aeea5d6a2a225f13fc5b03117e21d6398018352597317b451122ab7fbb4f". Try it on this website: https://www.freeformatter.com/hmac-generator.html

    You'll need to create an HMAC hex digest using the webhook's shared secret as the key, the bytes data of the smartsheet callback body as the message, and the SHA256 algorithm as the cryptographic function. You can then compare this against the Smartsheet-Hmac-SHA256 header of the request.

    Hope this helps!

    · Share on FacebookShare on Twitter

Categories

Help shape the future of Smartsheet.
Share your ideas and feature requests.

 Watch video