I seem to be overlooking something quite fundamental regarding authentication when trying to automate an API request in response to receiving a webhook notification, and any help would be appreciated.
I am comfortable creating a custom app to work with the Exact Online API in my browser through oauth2 authorisation code authentication. I have also set up webhooks so that Exact Online sends notifications to a URL which then receives, validates and saves the data, and this takes place without a browser connection or oauth2 authentication. However, I would like to run API queries on receipt of webhook notifications so that they run automatically and I do not know how to obtain the oauth2 authorisation code.
Webhook data is easily received (without validating) as follows:
http_response_code(200); // Tell Exact I have received the data
$input = file_get_contents("php://input");
I can easily capture the input data on a web page which does not have an open oauth2-authenticated channel to Exact Online, and the webhook notification takes place without opening a browser instance. Also, it is easy to open an oauth2-authenticated API link by sending
$authCodeRequest = "https://start.exactonline.co.uk/api/oauth2/auth?response_type=code&client_id=%-my-client-id-%7D&redirect_uri=my-site-redirect";
header('Location: ' . $authCodeRequest);
die('Request failed');
and using a $_GET['code'] to get the authorisation code to use in the request for access token and refresh token. But how can I run an API query on receipt of a webhook? I cannot see how to allow for access between the page which is not open in the browser and Exact Online.
I have tried including an authorisation request on the page receiving the webhook:
$authCodeRequest = "https://start.exactonline.co.uk/api/oauth2/auth?response_type=code&client_id=%-my-client-id-%7D&redirect_uri=my-site-redirect";
header('Location: ' . $authCodeRequest);
die('Request failed'); // fwrite() needs a stream handle as its first argument; die() takes the message directly
This makes sense, because the page could not magically open in a random browser to request user login.
I also tried making the API page the URL for receipt of webhook notifications, and then authenticating the page before running a webhook event. This also did not work, as the webhook notification would be sent to a different instance of the page.
Exact Online does not allow for user credentials authentication, only for implicit and authorisation code authentication, and both of these require login. How do I authenticate to allow the processing of webhooks when I receive a notification? Or, is there some online resource I can look at to understand what it is that I am missing?
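The following is an added example, not code from the post above and not Exact Online's own sample code. It shows the step the post is missing: the webhook receiver never redirects to the authorisation endpoint (there is no browser on that request to redirect), it reuses the refresh token that the interactive authorisation-code flow returned once, exchanges it for a fresh access token and then calls the API with a Bearer header. Everything not in the post is an assumption and is marked as such in the code: the token endpoint path `/api/oauth2/token`, the API base `/api/v1` and the `/current/Me` query, the token file location, the environment variable names for the client id and secret, and that the token response carries a rotated `refresh_token` that must be stored.

```php
<?php
// Added example (not from the original post). Assumed URLs and locations:
const TOKEN_URL  = 'https://start.exactonline.co.uk/api/oauth2/token'; // assumed
const API_BASE   = 'https://start.exactonline.co.uk/api/v1';           // assumed
const TOKEN_FILE = __DIR__ . '/../private/exact_tokens.json';          // assumed, outside web root

function load_tokens(): array
{
    $raw = @file_get_contents(TOKEN_FILE);
    if ($raw === false) {
        // Seed this file once from the browser flow in the post: after the
        // $_GET['code'] exchange, save access_token, refresh_token and expires_at.
        throw new RuntimeException('No stored tokens; run the browser authorisation-code flow once first');
    }
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

function save_tokens(array $tokens): void
{
    // The refresh token is a long-lived credential: 0600 permissions, and an
    // atomic rename so a crash mid-write cannot leave a half-written file.
    $tmp = TOKEN_FILE . '.tmp';
    file_put_contents($tmp, json_encode($tokens), LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, TOKEN_FILE);
}

function http_json(string $method, string $url, array $headers, ?string $body = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array_merge(['Accept: application/json'], $headers),
    ]);
    if ($body !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    }
    $response = curl_exec($ch);
    $status   = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($response === false || $status !== 200) {
        throw new RuntimeException("$method $url returned HTTP $status");
    }
    return json_decode($response, true, 512, JSON_THROW_ON_ERROR);
}

function refresh_tokens(array $tokens): array
{
    // grant_type=refresh_token needs no browser and no user: this is what the
    // webhook handler uses instead of response_type=code.
    $new = http_json('POST', TOKEN_URL, ['Content-Type: application/x-www-form-urlencoded'],
        http_build_query([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $tokens['refresh_token'],
            'client_id'     => getenv('EXACT_CLIENT_ID'),     // assumed variable name
            'client_secret' => getenv('EXACT_CLIENT_SECRET'), // assumed variable name
        ]));
    $tokens['access_token'] = $new['access_token'];
    // Assumed: each refresh returns a new refresh_token. If it is not stored,
    // the next webhook cannot authenticate at all.
    if (!empty($new['refresh_token'])) {
        $tokens['refresh_token'] = $new['refresh_token'];
    }
    $tokens['expires_at'] = time() + (int)($new['expires_in'] ?? 600);
    save_tokens($tokens);
    return $tokens;
}

function access_token(): string
{
    // Serialise refreshes: two webhooks arriving together must not both spend
    // the same refresh token (assumed single-use).
    $lock = fopen(TOKEN_FILE . '.lock', 'c');
    flock($lock, LOCK_EX);
    try {
        $tokens = load_tokens();
        // Refresh 30 s early so a request never goes out with a token that expires in flight.
        if (($tokens['expires_at'] ?? 0) - 30 <= time()) {
            $tokens = refresh_tokens($tokens);
        }
        return $tokens['access_token'];
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

function exact_get(string $path): array
{
    return http_json('GET', API_BASE . $path, ['Authorization: Bearer ' . access_token()]);
}

// ---- webhook entry point: the page that receives php://input ----------------
$input = file_get_contents('php://input');
// The existing validation of $input belongs here, before anything is acted on.
$notification = json_decode($input, true, 512, JSON_THROW_ON_ERROR);

// http_response_code() only sets the status; Exact keeps waiting until the
// script finishes. Under PHP-FPM, flush the 200 now and do the API work after.
http_response_code(200);
if (function_exists('fastcgi_finish_request')) {
    fastcgi_finish_request();
}

try {
    $result = exact_get('/current/Me'); // assumed query; replace with the one the notification calls for
    error_log('Exact query after webhook succeeded: ' . json_encode($result));
} catch (Throwable $e) {
    error_log('Exact query after webhook failed: ' . $e->getMessage());
}
```

The one-off browser step in the post still has to happen, but only once: after exchanging `$_GET['code']` for tokens, write them to the token file instead of keeping them in the browser session. From then on the webhook page, which has no session and no user, authenticates entirely from that file. Treat the file like a password: it is outside the web root, mode 0600, and refreshed under a lock so concurrent notifications do not race each other for the refresh token.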