2

I have an Event Grid which is used for publishing events. I have a Web-Hook based subscriber which will be listening to the event. The webhook is hosted on Azure App Service and is protected by an AAD App. In this scenario will Event Grid be able to publish an event to a Web endpoint which is protected by AAD? My event grid topic and the web app are in the same subscription.

Pratik Bhattacharya
  • have a look at https://learn.microsoft.com/en-us/azure/event-grid/security-authentication – Roman Kiss Nov 21 '18 at 13:50
  • you can subscribe an access token in the query parameter of the webhook url – Roman Kiss Nov 21 '18 at 13:53
  • @RomanKiss but how will the event grid generate the access token. Plus the bearer token is sent as an authorization header – Pratik Bhattacharya Nov 21 '18 at 14:03
  • beside that, the webhook handler must handle also a message validation, so the bearer token passed via a query parameter can be used within the webhook for its authorization, that is the present design of the event handlers – Roman Kiss Nov 21 '18 at 14:43
  • @RomanKiss, but how will the Event Grid generate the Bearer token before sending the event to the subscriber? Is there a way how some custom code (like AAD token generation) can be done by Event Grid? – Pratik Bhattacharya Nov 21 '18 at 14:49
  • you have more options - workarounds, for example: creating a subscription using a REST API, using an azure function (EventGridTrigger) for integration with your webhook, etc. btw. on the domain topics side there is a preview: https://learn.microsoft.com/mt-mt/azure/event-grid/event-domains – Roman Kiss Nov 21 '18 at 15:00
  • Is it an option for you to use logic app or function app? It is pretty straightforward to use these services with eventgrid – Thomas Nov 23 '18 at 04:46
  • @Thomas, our clients may not want u to connect to the endpoint directly. – Pratik Bhattacharya Nov 25 '18 at 14:40
  • What do you mean? How would I connect to your logic app or your function app? – Thomas Nov 26 '18 at 08:00
  • For logic app and function you already have the trigger. And the clients will have to build their logic apps and functions apps to consume the events that I publish to the topic. The ask here is that the subscribers are just a webhook which is protected by AAD. – Pratik Bhattacharya Nov 26 '18 at 09:59

1 Answer

2

According to your description, you want to subscribe to an Event Grid topic via a webhook hosted on Azure App Service which is protected by Azure AD.

Per my experience, there are two ways to realize it.

  1. Accessing a URL endpoint protected by AAD requires an access token obtained via AAD authentication, but there is no ability to do that operation programmatically on Event Grid. So, as @Roman Kiss said, a workaround is to create a proxy-like service that gets the authorization token to access your webhook, such as an Azure Function App.

  2. However, the other way is to change your app service code to allow anonymous access. For example, add [AllowAnonymous] to your controller method if using ASP.NET; please see the Azure Sample code.

Hope it helps.

Peter Pan
  • Thanks Peter. Are you aware of as to whether this functionality is in the roadmap of the Azure Event Grid team? – Pratik Bhattacharya Nov 22 '18 at 13:42
  • @PratikBhattacharya the following is a link for feedback AEG team: https://feedback.azure.com/forums/909934-azure-event-grid – Roman Kiss Nov 22 '18 at 17:07
  • @PratikBhattacharya Not sure, and keep attention to events on [Azure updates](https://azure.microsoft.com/en-us/updates/?product=event-grid). – Peter Pan Nov 23 '18 at 01:10
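
Added example, not part of the original thread and not Microsoft's or either poster's code: a sketch in Python of the request-handling core of the proxy workaround from the answer, combined with the query-string key and validation handshake mentioned in the comments. The `key` parameter name, the function names, and the injected `get_token` / `forward` callables are assumptions made here so the logic runs offline.

```python
import hmac
import json
from urllib.parse import urlencode

VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"

def token_request(tenant, client_id, client_secret, app_id_uri):
    """URL and form body of an AAD v2.0 client-credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": f"{app_id_uri}/.default"})
    return url, form

def handle_delivery(query, body, expected_key, get_token, forward):
    """Process one Event Grid POST; return (http_status, response_body).
    query is the parsed query string, body the raw request bytes.
    get_token() -> str and forward(headers, body) -> int are hypothetical
    injected callables (token fetch, HTTP POST to the protected webhook).
    """
    # Event Grid sends no bearer token (per the thread), so the proxy URL
    # carries a shared key. Compare in constant time and keep query strings
    # out of access logs.
    supplied = str(query.get("key", ""))
    if not hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return 401, ""
    try:
        events = json.loads(body)
    except ValueError:
        return 400, ""
    if not isinstance(events, list):
        return 400, ""
    # Subscription validation handshake: echo the code, forward nothing.
    for ev in events:
        if isinstance(ev, dict) and ev.get("eventType") == VALIDATION_EVENT:
            code = (ev.get("data") or {}).get("validationCode")
            return 200, json.dumps({"validationResponse": code})
    headers = {"Authorization": "Bearer " + get_token(),
               "Content-Type": "application/json"}
    status = forward(headers, body)
    # Report failure so Event Grid's retry policy redelivers the batch.
    return (200, "") if 200 <= status < 300 else (502, "")

if __name__ == "__main__":
    # Constructed handshake payload, not captured traffic.
    sample = json.dumps([{"eventType": VALIDATION_EVENT,
                          "data": {"validationCode": "constructed-code"}}]).encode()
    print(handle_delivery({"key": "k"}, sample, "k", lambda: "t", lambda h, b: 204))
```

In a real function app, `get_token` would POST the output of `token_request` and cache the returned token until shortly before it expires, and the shared key and client secret would come from app settings or Key Vault rather than source code.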