# Endpoint validation

We provide support for endpoint validation when implementing your own custom web hook. This validation allows you to secure your web hook with a secret key (taken from the query string or an HTTP header).

This is needed because Azure Event Grid sends a validation request to a newly configured web hook, in order to prevent people from leveraging Azure Event Grid to bring down a 3rd-party API.

## Installation

The features described here require the following package:

```powershell
PM> Install-Package Arcus.EventGrid.WebApi.Security
```
## Usage

The implementation we provide echoes the validation key back on your operation, so that the validation by Event Grid works out of the box.

### Enforce authorization globally

We created the `EventGridAuthorizationFilter` MVC filter that will secure the endpoint and handle the handshake.

```csharp
using Arcus.EventGrid.WebApi.Security;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Looks for the 'x-api-key' header in the HTTP request and tries to match it
        // with the secret retrieved from the secret store with the name 'MySecret'.
        services.AddMvc(options =>
            options.Filters.AddEventGridAuthorization(HttpRequestProperty.Header, "x-api-key", "MySecret"));
    }
}
```
For this setup to work, an Arcus secret store is required, as the provided secret name (in this case `"MySecret"`) will be looked up there.
See our official documentation for more information about setting this up.
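To make explicit what the filter does on your behalf, here is an added example that is not part of the Arcus code base: a hand-rolled ASP.NET Core minimal-API endpoint that performs the same two steps, checking the shared secret carried in the `x-api-key` header and answering the Event Grid subscription-validation handshake by echoing the `validationCode` back as `validationResponse`. The environment variable name `EVENTGRID_WEBHOOK_SECRET` and the `/events` route are assumptions for this example; it reads the secret from the environment instead of the Arcus secret store.

```csharp
// Added example (not Arcus code): the manual equivalent of EventGridAuthorizationFilter.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumption: the secret comes from an environment variable here instead of the Arcus secret store.
string expectedKey = Environment.GetEnvironmentVariable("EVENTGRID_WEBHOOK_SECRET")
                     ?? throw new InvalidOperationException("EVENTGRID_WEBHOOK_SECRET is not set");

app.MapPost("/events", async (HttpRequest request) =>
{
    // 1. Authorization: compare the presented header value with the expected secret in
    //    constant time, so a timing difference does not reveal how many leading bytes matched.
    string? presentedKey = request.Headers["x-api-key"].FirstOrDefault();
    if (presentedKey is null || !FixedTimeEquals(presentedKey, expectedKey))
    {
        return Results.Unauthorized();
    }

    // 2. Handshake: Event Grid posts an array of events. The validation request carries
    //    eventType 'Microsoft.EventGrid.SubscriptionValidationEvent' and data.validationCode,
    //    which must be echoed back as { "validationResponse": "<code>" } with HTTP 200.
    using JsonDocument body = await JsonDocument.ParseAsync(request.Body);
    foreach (JsonElement evt in body.RootElement.EnumerateArray())
    {
        if (evt.TryGetProperty("eventType", out JsonElement type)
            && type.GetString() == "Microsoft.EventGrid.SubscriptionValidationEvent")
        {
            string code = evt.GetProperty("data").GetProperty("validationCode").GetString()!;
            return Results.Ok(new { validationResponse = code });
        }
    }

    // 3. Any other batch is a real delivery: process the events, then acknowledge with 200.
    return Results.Ok();
});

app.Run();

// Length-safe constant-time comparison; FixedTimeEquals returns false for differing lengths.
static bool FixedTimeEquals(string a, string b)
{
    byte[] left = Encoding.UTF8.GetBytes(a);
    byte[] right = Encoding.UTF8.GetBytes(b);
    return CryptographicOperations.FixedTimeEquals(left, right);
}
```

The secret check runs before the body is parsed, so an unauthenticated caller cannot trigger the echo; this ordering is the point of the filter, since the handshake alone proves nothing about who is calling.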
#### Configuration

The `EventGridAuthorizationFilter` has some additional consumer-configurable options to influence the behavior of the authorization.

```csharp
using Arcus.EventGrid.WebApi.Security;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Looks for the 'x-api-key' header in the HTTP request and tries to match it
        // with the secret retrieved from the secret store with the name 'MySecret'.
        services.AddMvc(options =>
            options.Filters.AddEventGridAuthorization(HttpRequestProperty.Header, "x-api-key", "MySecret", options =>
            {
                // Indicates that the Azure Event Grid authorization should emit security events
                // during the authorization of the request (default: `false`).
                options.EmitSecurityEvents = true;
            }));
    }
}
```
### Enforce authorization per controller or operation

We created the `EventGridAuthorizationAttribute` attribute that will secure the endpoint and handle the handshake.
The attribute can be placed on both the controller and the operation.

```csharp
using Arcus.EventGrid.WebApi.Security;
using Microsoft.AspNetCore.Mvc;

[Route("events")]
[ApiController]
public class EventController : ControllerBase
{
    // Looks for the 'x-api-key' header in the HTTP request and tries to match it
    // with the secret retrieved from the secret store with the name 'MySecret'.
    [EventGridAuthorization(HttpRequestProperty.Header, "x-api-key", "MySecret")]
    public IActionResult Get()
    {
        return Ok();
    }
}
```
For this setup to work, an Arcus secret store is required, as the provided secret name (in this case `"MySecret"`) will be looked up there.
See our official documentation for more information about setting this up.
#### Configuration

The `EventGridAuthorizationAttribute` attribute has some additional consumer-configurable options to influence the behavior of the authorization.

```csharp
// Indicates that the Azure Event Grid authorization should emit security events
// during the authorization of the request (default: `false`).
[EventGridAuthorization(..., EmitSecurityEvents = true)]
```