How to validate webhook authorization token?

webhook
security

#1

About doc: Your app should use this token to check the validity of the token.

How to validate the token without making API call?
The first thing before processing the request should be to check the validity of the token, but do I need to make an API call to do this?
There should be some comparison method, because it is not nice to bombard the Stride API for any successfully decoded token, even if it is not generated by Stride.

I inspected the sample code (https://bitbucket.org/atlassian/stride-apps-reference/src/be42f690efe6ac50da4c15b77bc80c29340e95d1/reference/middleware/mw.js?at=master&fileviewer=file-view-default#mw.js-74); it extracts the context but does not really check any security.

Thank you.


#2

Hi @alexander.vangelov,

the verification happens in the line before:

jwtUtil.decode(encodedJwt, secret);

This decodes the JWT from its base64 encoding and at the same time makes sure that it is signed with a signature that can be verified with this secret. The secret the code refers to is the secret you get from creating an app on https://developer.atlassian.com/apps.

The decode function will throw an error if the signature doesn’t match.


#3

Yes, now I am looking more carefully :slight_smile:
Using my auth secret to decode it makes sense.

Thank you!