We have created an automated mechanism for creating hubs in an ODA canvas as part of the AsyncAPI catalyst. This will be contributed to the ODA-CA implementation in the next weeks. Security-wise, ODA is also including OAuth and OpenID Connect (non-TMF standards) as part of the Canvas Specification. IG1330 provides the first details for this approach, and the ODA-CA reference implementation should follow this year as well. If you are interested in moving this work faster, you are invited to join the ODA-CA team.
Original Message:
Sent: Sep 20, 2023 04:20
From: denis leclercq
Subject: /hub and Security
No offence intended, it was just a question on a position. Each open source project is a source of inspiration, not a war of war. I have always admired the work of TMForum and the relevance of its functional models.
https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/http-webhook.md#3-authorization
We implemented the hub exactly as defined in the TMForum, and currently we note that the mechanics are not yet satisfactory in terms of subscription and client security constraints. When you use https://webhook.site/ for testing everything is fluid, but in reality any hub creation requires a manual process and customer-specific configuration.
My goal is only to find an interesting, satisfactory and realistic solution.
Regards
Denis
------------------------------
denis leclercq
Orange
Original Message:
Sent: Sep 19, 2023 16:19
From: Koen Peeters
Subject: /hub and Security
Hi,
I am definitely not representing the official TM Forum view. The TM Forum hub mechanism seems to be much older than the founding date of the CloudEvents project, and the CloudEvents subscription API isn't even published yet. The CloudEvents spec doesn't include any section regarding security. In that respect, "reinventing a new mechanism" when comparing with an incubator solution is an exaggeration.
Regards
------------------------------
Koen Peeters
OryxGateway FZ LLC
Original Message:
Sent: Sep 19, 2023 10:14
From: denis leclercq
Subject: /hub and Security
Another question: what is TMForum's position on using standards like CloudEvents to manage webhooks rather than reinventing a new mechanism?
Thx
Denis
------------------------------
denis leclercq
Orange
Original Message:
Sent: Sep 13, 2023 08:33
From: denis leclercq
Subject: /hub and Security
Hi,
The question of securing a webhook is indeed interesting.
A client can subscribe to the /hub by consuming the Open API, logically through an API Management system, via an SSL-authenticated flow (most of the time we don't consume APIs on the client network).
1. As Jan mentions, how does the "subscriber" inform the provider of the system of the procedure and the associated credentials that the provider must take into account during the HTTP POST against the callback URL? Using HMAC would reverse control, and it is the provider who would provide a secret upon subscription.
2. How do we maintain flexibility when using webhooks? To make an analogy, when you subscribe to a "newsletter" the issuer does not manage an authentication provisioning process with each of the receivers. Using HMAC, the provider would give the subscriber the opportunity to verify the authenticity of the message.
An interesting link on the subject:
https://hookdeck.com/webhooks/guides/webhooks-security-checklist#security-threats-and-solution-recap
Denis
------------------------------
denis leclercq
Orange
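To make the HMAC idea from the message above concrete, here is an added example (my own code, not from TM Forum, the ODA-CA implementation or any project in this thread): the hub issues a per-subscription secret when the listener registers, the provider signs each callback POST with HMAC-SHA256 over the timestamp and body, and the subscriber verifies the signature in constant time and rejects stale deliveries. The header names, the `v1=<hex>` signature format and the sample event are assumptions, not part of the TMF /hub specification.

```python
import hashlib
import hmac
import json
import secrets
import time

# Header names and the "v1=<hex>" format are assumptions for this example,
# not part of the TMF /hub specification.
SIG_HEADER = "X-Hub-Signature"
TS_HEADER = "X-Hub-Timestamp"


def create_subscription(callback_url: str) -> dict:
    """Hub side: register a listener and return a per-subscription secret.
    The secret travels once, inside the TLS-protected /hub response."""
    return {"id": secrets.token_hex(8), "callback": callback_url,
            "secret": secrets.token_urlsafe(32)}


def sign_event(secret: str, body: bytes, ts: int) -> dict:
    """Provider side: HMAC-SHA256 over '<timestamp>.<body>' so the timestamp
    cannot be altered without invalidating the signature."""
    msg = str(ts).encode() + b"." + body
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {TS_HEADER: str(ts), SIG_HEADER: "v1=" + mac}


def verify_event(secret: str, body: bytes, headers: dict,
                 now: int, tolerance: int = 300) -> bool:
    """Subscriber side: recompute the MAC with the shared secret, compare in
    constant time, and reject timestamps outside the replay window."""
    try:
        ts = int(headers[TS_HEADER])
        scheme, _, received = headers[SIG_HEADER].partition("=")
    except (KeyError, ValueError):
        return False
    if scheme != "v1" or abs(now - ts) > tolerance:
        return False
    expected = sign_event(secret, body, ts)[SIG_HEADER][3:]
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample: a listener registers, then one event is delivered.
    sub = create_subscription("https://listener.example.test/events")
    event = {"eventType": "ProductOrderStateChangeEvent", "event": {"id": "42"}}
    body = json.dumps(event, separators=(",", ":")).encode()
    now = int(time.time())
    hdrs = sign_event(sub["secret"], body, now)
    print("genuine:", verify_event(sub["secret"], body, hdrs, now))   # True
    print("tampered:", verify_event(sub["secret"], body + b" ", hdrs, now))  # False
```

Because the secret is created by the hub and returned to the subscriber, the subscriber never has to provision credentials into the provider, which is the "reversed control" described above.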
Original Message:
Sent: Sep 13, 2023 05:05
From: Dave Milham
Subject: /hub and Security
Denis
Very interesting question that stimulated a lot of discussion amongst some of the ODA Security and Privacy team members. The team meets on Wednesday at 13:00 CET; today, the 13th, might be rather short notice for you. Next week is DTW, so we will not meet next week, but we could schedule for the 27th Sept. I am planning to suggest on today's ODA Sec call that we post on an ODA security working page some ideas that we exchanged. Note the first step is to assess the threats and risks, then establish some patterns and mechanisms for addressing those threats; your proposal on HMAC stimulated a lot of discussion.
------------------------------
Dave Milham
TM Forum, Chief Architect
Original Message:
Sent: Sep 11, 2023 11:36
From: denis leclercq
Subject: /hub and Security
Hi all,
I would like to know if there are internal discussions around the security of the /hub callback URL. Today this URL must be accessible and public on the web. I haven't seen any mechanics that would secure these webhooks. Is there any consideration for implementing an HMAC, or any advice in the Guidelines? (HMAC - Wikipedia)
Thanks in advance
Denis
------------------------------
denis leclercq
Orange
------------------------------