[Webhook] Doesn't pass basic auth credentials specified in url

Target system doesn’t gets basic auth credentials when passed in url, ie. https://mylogin:mypss@example.com

Target endpoint doesn’t get “Authorization” header.

This is correct.
Webhooks in Zammad use the signature token (if provided) which is supposed to be the proof that the sending system is authorized.

As far as I’m aware this is how webhooks work in general.

Thanks for your response.
I’m not an experienced webhook user but webhook is the HTTP request and basic auth is the standard way for authenticating HTTP requests.

I couldn’t find any RFC that says “webhook must allow basic auth” we there for did not implement that.
While the webhook technically is using https and thus an HTTP call, it still does behave differently on some parts.

HMAC SHA1 SIGNATURE TOKEN is being used as authentication part within Webhooks. This is, as far as I’m aware, industry standard.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.