articles/event-grid/security-authentication.md
Lines changed: 4 additions & 4 deletions
@@ -15,7 +15,7 @@ ms.author: babanisa
15
15
This article provides information on the following scenarios:
16
16
17
17
- Authenticate clients that publish events to Azure Event Grid topics using Shared Access Signature (SAS) or key.
18
-
- Secure your webhook endpoint using Azure Active Directory (Azure AD) to authenticate Event Grid to **deliver** events to the endpoint.
18
+
- Secure your webhook endpoint used to receive events from Azure Event Grid using Azure Active Directory (AAD) or a shared secret.
19
19
20
20
## Authenticate publishing clients using SAS or key
21
21
Custom topics use either Shared Access Signature (SAS) or key authentication. We recommend SAS, but key authentication provides simple programming, and is compatible with many existing webhook publishers.
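Review bot: the new bullet abbreviates the directory service as "(AAD)" while the rest of this article, including the "### Using Azure Active Directory (Azure AD)" heading and the paragraph under it in the next hunk, uses "(Azure AD)"; use one abbreviation throughout, i.e. `- Secure your webhook endpoint used to receive events from Azure Event Grid using Azure Active Directory (Azure AD) or a shared secret.` Replacing the bolded "**deliver**" wording with "used to receive events from Azure Event Grid" still makes the direction of authentication clear (Event Grid is the caller being authenticated by the webhook), so that part of the rewrite is fine.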
@@ -79,12 +79,12 @@ All events or data written to disk by the Event Grid service is encrypted by a M
79
79
The following sections describe how to authenticate event delivery to webhook endpoints. You need to use a validation handshake mechanism irrespective of the method you use. See [Webhook event delivery](webhook-event-delivery.md) for details.
80
80
81
81
### Using Azure Active Directory (Azure AD)
82
-
You can secure your webhook endpoint by using Azure Active Directory (Azure AD) to authenticate and authorize Event Grid to deliver events to your endpoints. You'll need to create an Azure AD Application, create a role and service principle in your application authorizing Event Grid, and configure the event subscription to use the Azure AD Application. [Learn how to configure Azure Active Directory with Event Grid](secure-webhook-delivery.md).
82
+
You can secure your webhook endpoint used to receive events from event grid by using Azure Active Directory (Azure AD). You'll need to create an Azure AD Application, create a role and service principle in your application authorizing Event Grid, and configure the event subscription to use the Azure AD Application. [Learn how to configure Azure Active Directory with Event Grid](secure-webhook-delivery.md).
83
83
84
84
### Using client secret as a query parameter
85
-
You can secure your webhook endpoint by adding query parameters to the webhook URL when creating an Event Subscription. Set one of these query parameters to be a client secret such as an [access token](https://en.wikipedia.org/wiki/Access_token) or a shared secret. The webhook can use the secret to recognize the event is coming from Event Grid with valid permissions. Event Grid will include these query parameters in every event delivery to the webhook. If the client secret is updated, event subscription also needs to be updated. To avoid delivery failures during this secret rotation, make the webhook accept both old and new secrets for a limited duration.
85
+
You can also secure your webhook endpoint by adding query parameters to the webhook destination URL specified as part of creating an Event Subscription. Set one of the query parameters to be a client secret such as an [access token](https://en.wikipedia.org/wiki/Access_token) or a shared secret. Event Grid service includes all the query parameters in every event delivery request to the webhook. The webhook service can retrieve and validate the secret. If the client secret is updated, event subscription also needs to be updated. To avoid delivery failures during this secret rotation, make the webhook accept both old and new secrets for a limited duration before updating the event subscription with new secret.
86
86
87
-
As query parameters could contain client secrets, they are handled with extra care. They are stored as encrypted and not accessible to service operators. They are not logged as part of the service logs/traces. When editing the Event Subscription, the query parameters aren't displayed or returned unless the[--include-full-endpoint-url](https://docs.microsoft.com/cli/azure/eventgrid/event-subscription?view=azure-cli-latest#az-eventgrid-event-subscription-show) parameter is used in Azure [CLI](https://docs.microsoft.com/cli/azure?view=azure-cli-latest).
87
+
As query parameters could contain client secrets, they are handled with extra care. They are stored as encrypted and not accessible to service operators. They are not logged as part of the service logs/traces. When retrieving the Event Subscription properties, destination query parameters aren't returned by default. For example:[--include-full-endpoint-url](https://docs.microsoft.com/cli/azure/eventgrid/event-subscription?view=azure-cli-latest#az-eventgrid-event-subscription-show) parameter is to be used in Azure [CLI](https://docs.microsoft.com/cli/azure?view=azure-cli-latest).
88
88
89
89
For more information on delivering events to webhooks, see [Webhook event delivery](webhook-event-delivery.md)
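Review bot: the replacement sentence in the last paragraph reads "For example:[--include-full-endpoint-url] parameter is to be used in Azure CLI", which is missing a space after the colon and does not say which command the parameter belongs to; suggest "For example, in the Azure CLI, pass `--include-full-endpoint-url` to `az eventgrid event-subscription show` to have the full endpoint URL, including the query parameters, returned." Two smaller points in the same hunk: the rewritten Azure AD paragraph carries over the misspelling "service principle" (should be "service principal") and lowercases the product name as "event grid", and the new query-parameter paragraph should read "The Event Grid service includes all the query parameters..." and "...updating the event subscription with the new secret." Since this paragraph now states that the service stores the parameters encrypted and keeps them out of its logs, it would help readers to add one sentence that the receiving webhook needs the same care, because a secret carried in the query string can otherwise end up in the webhook host's own request logs.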