How Can I Limit OAuth Scope and Set Up a Webhook Listener with OAuth Authentication on Pipedream?

This topic was automatically generated from Slack. You can find the original thread here.

I am Suresh, new to Pipedream, on a free trial.

I have a use case. I need to set up a webhook listener with OAuth authentication to receive payloads and pass them through to a different app.

However, the client ID and secret generated are also able to access Pipedream account resources.

Is there a possibility to limit OAuth to workflows, or limit scopes so they cannot read Pipedream account resources?

Looking at the documentation, OAuth scopes will be introduced per project (coming soon).

Can anyone please advise further?

Also, I looked at the source and emitter flow, but I believe that when I configure and send the data to the source emitter URL, nothing seems to be received on the other app's webhook URL. I am able to send to the Pipedream URL but unable to configure authentication.

Can you tell me a bit more about the use case? I’m not sure I’m totally following the end to end implementation you’re envisioning. Are you just trying to trigger a webhook from a browser or something?

Yes, third-party apps will send payloads which we need to authenticate with OAuth 2.0.
For example, we provide a Pipedream URL to a SaaS system and it will push the data to this webhook URL after getting the bearer token.

After payloads are received into Pipedream, we process them and send them to a different system to create a work order, etc.

The authentication must be OAuth 2.0, but the OAuth credentials generated within Pipedream can query all internal resources. The OAuth credentials we provide to the client should only work for the Pipedream webhook URL.

Can you pass a custom token instead of using OAuth? You could create tokens that are unique to the system, and they’d only be used for triggering the webhook. Or are the apps ones that we can integrate so that Pipedream abstracts that process from you, and we handle the authorization instead of you? What are the APIs?

Thanks for your response. A custom token works; however, the client's use case must support the OAuth 2.0 protocol, so that they can generate an access token that expires after a limited time and then make push API calls.

For example, not all apps are supported in Pipedream and we may need to build some. For ServiceNow, even though it is natively supported, Pipedream polls for new data, which doesn't work; instead the client wants to send limited data by push to the webhook URL.

My understanding is that a custom token is just a key value; even though we can use some formatting to generate it, such as a JWT, it does not expire. If there were an expiration date for custom tokens, that would also be good (feedback).

Is there any possibility we can use the OAuth 2.0 protocol with limited scope, such as per project or workflow or something similar?

If you’re able to securely generate the token from the server and pass the token to the client, that could work. You could define only the connect:workflow:invoke scope in that case: Authentication - Pipedream

That token would have a 1-hour expiry and would only be allowed to invoke workflows, but I don’t believe it’d be restricted to a specific project; it’d be allowed to invoke any workflow in your workspace.

I believe that’s the tricky part. When you mention that we generate and send them the token, how is it possible to send it to a client where the access token needs to be generated and expires in 1 hour? What are the proposed solutions here, if you know any?

Up to specific workflows is fine, as long as they can’t see the internal resources, because they don’t know what to trigger, if I am right?

Yeah, I think the reality is that the current implementation isn’t set up well for that exact approach. Can you elaborate again on the exact use case? What APIs are you trying to capture events from? Are those not integrated with Pipedream?

Use case 1: a webhook or inbound API to receive events from an external source with the OAuth 2.0 protocol that will trigger an event workflow.

Instead of native triggers, which retrieve data by polling at intervals, clients are interested in controlling the data (limited JSON) that is sent from their system to be received.

For example, we give the client an inbound API or webhook and an OAuth authorisation server to get an access token to send us data, but that needs to be restricted, because we don’t want to give them full control over all Pipedream resources or workflows.

For example, Zapier has webhooks but they don’t have any authentication; simply anyone with the URL can post data, which does not meet good security measures.

Do you have any other solutions we can implement for this use case?

Using Connect or something similar, please. All I need is an authorisation protocol to send payloads to the webhook or API.

Thanks
Suresh

The options today are using one of the built-in authentication strategies I mentioned here, or developing event sources in Pipedream, so we can use the integrated managed auth and register webhooks programmatically.