I'm working on a project that integrates with a third-party service via API, and the third-party uses callbacks to update us on the status of the operations being performed. These callbacks can be hit up to a day after the original method call as we're dealing with complex financial operations.
I need a way to authenticate incoming callbacks from the third-party service, but their portal does not support auth or any custom params other than the URL. Furthermore, the callback URL is defined through a GUI portal that they've provided, which means I can't dynamically pass a token in the callback URL and check for it.
The only option that I'm currently aware of is creating an isolated microservice that whitelist the third party's domain, accepts their calls, appends the auth, and forwards the newly-authenticated calls to our server. We use Laravel for our backend, so I was thinking of deploying a Lumen microservice to handle this.
- What is the best design for authenticating callbacks like this?
- Is there a specific technology that is useful to this use case? E.g. would a serverless function be well-suited for this?
-
1Do you have to trust the contents of the callback, or could you take just the relevant ID from the callback and issue a GET request against their API to see the status?Jory Geerts– Jory Geerts06/04/2019 11:51:20Commented Jun 4, 2019 at 11:51
-
They provide GET endpoints that I could hit again to get the data myself without trusting the callback contents. Do you think that would be cleaner?Omar Rida– Omar Rida06/04/2019 11:59:21Commented Jun 4, 2019 at 11:59
-
Depends on why you need the callback. Is your system required to take some action when the job is complete? Is it a requirement that such action be timely? If not you could just poll once a day or something like that and ignore the callbacks entirely.John Wu– John Wu06/04/2019 22:27:32Commented Jun 4, 2019 at 22:27