Security Event Tokens

HTTP headers convey information about a Webhooks v3 request. But what does the request itself convey? We’re glad you asked that question; it conveys something similar to this:

eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFkYzEyMDczNjk5YzY4YzFkYWVlNmM5YTEwMGUyYjQzZmViZGNkOTIifQ.….IvkrGFE3GsK3eTLO_QvdFKqg4ktJ2sDToHNghMfGUlWNzRLMIpmgsWZXzLv0QMiyatLva7mEshTlfyOje-S_Y-nUniM9hgHgNg-R0Az9hs2mu_ORcXEFo9AHayhjvW1bKHcmTI7dlw2fqFl-2VBS594LQspDYfZ4WJ7hexq7OwACB8qp0oVskx_fc8mHQfy4YnW5GF4XlTcl6CnjYU81qY4hejcnkkg8olbq_ePUnpTpW8-YO5cPW9nW8KlivRJGWJbEXnffSAd5xwlViJm6iTde2QQVv9pi_Z6LnrxPQotoGhJOvk_wkwANsWC9TwDNnlBTiLePCFLU85haWanXcg

Before you schedule an appointment with your eye doctor, that’s how the payload is supposed to look. That’s because payloads are encoded before being sent. 

That also means that payloads need to be decoded after they’ve been received; if they aren’t, then all your database records are going to look like the sample payload shown above. Fortunately, decoding a security event token is pretty easy; that’s because tokens are encoded and not encrypted. Because of that, any application capable of decoding Base64 can decode a webhooks notification, with no password or secret or any other form of authentication required. For example, if you have a Mac you can use Terminal and the base64 command to decode tokens. Here’s the syntax for decoding the token header (the token omits the trailing Base64 padding, so add two equals signs back before decoding):

echo eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFkYzEyMDczNjk5YzY4YzFkYWVlNmM5YTEwMGUyYjQzZmViZGNkOTIifQ== | base64 --decode

And here’s the decoded header:

{"typ":"secevent+jwt","alg":"RS256","kid":"1dc12073699c68c1daee6c9a100e2b43febdcd92"}

On a Windows computer, you can use Windows PowerShell to achieve the exact same result:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFkYzEyMDczNjk5YzY4YzFkYWVlNmM5YTEwMGUyYjQzZmViZGNkOTIifQ=='))
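As an added example (not Akamai’s code), the Python script below splits a security event token into its three dot-separated sections and decodes the header and claims with nothing beyond the standard library. It restores the padding that JWT sections omit, rejects characters outside the base64url alphabet (the signature section uses the URL-safe “-” and “_” characters that a plain Base64 decoder chokes on), and treats the signature as opaque bytes, because decoding a token says nothing about who sent it. The sample token is constructed: its header section is the one shown above, its claims section re-encodes the decoded claims shown later on this page, and its signature is a placeholder.

```python
"""Split a Webhooks v3 security event token (SET) and decode its JSON sections."""
import base64
import json

_B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def _b64url_decode(segment: str) -> bytes:
    # SET sections use base64url ('-' and '_') and omit the trailing '=' padding.
    # Check the alphabet ourselves: urlsafe_b64decode silently drops foreign characters.
    if not segment or any(c not in _B64URL_ALPHABET for c in segment):
        raise ValueError("section is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_set(token: str):
    """Return (header, claims, signature_bytes) for a three-section token.

    Decoding is not verification: the signature is returned untouched so it can
    later be checked against the issuer's key named by the header's 'kid'."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated sections, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ") != "secevent+jwt":
        raise ValueError(f"not a security event token: typ={header.get('typ')!r}")
    return header, json.loads(_b64url_decode(parts[1])), _b64url_decode(parts[2])


def changed_attributes(claims: dict) -> list:
    """Names of the attributes an entityUpdated event reports (never their values)."""
    return claims.get("events", {}).get("entityUpdated", {}).get("attributes", [])


# Constructed sample token: header section from the page, claims re-encoded from
# the decoded claims on the page, placeholder signature bytes.
HEADER_SEGMENT = ("eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFkYzEyMDczNjk5"
                  "YzY4YzFkYWVlNmM5YTEwMGUyYjQzZmViZGNkOTIifQ")
SAMPLE_CLAIMS = {
    "iss": "Akamai Identity Cloud", "iat": 1563488631, "toe": 1559372400,
    "jti": "b70046bd-44c7-4575-b1a2-9b8556d1f040", "aud": "https://example.com/path/to/endpoint",
    "txn": "00000000-0000-0000-0000-000000000000",
    "events": {"entityUpdated": {"attributes": ["email"], "entityType": "user",
                                 "sub": "6b004bc5-179c-45c2-815d-31b06169371d"}},
}
SAMPLE_TOKEN = ".".join([HEADER_SEGMENT, _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                         _b64url_encode(b"placeholder-signature-bytes")])

if __name__ == "__main__":
    hdr, claims, sig = decode_set(SAMPLE_TOKEN)
    print(json.dumps(hdr, indent=2), json.dumps(claims, indent=2), sep="\n")
    print(f"signature: {len(sig)} raw bytes, to be verified with key id {hdr['kid']}")
```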

If you’re wondering about security, well, encoding is not intended to provide security: encoding simply ensures that all Identity Cloud security event tokens use the same character encoding. That eliminates the problems that could arise if, say, the webhooks server is using UTF-8 encoding while the listener endpoint is using ISO 8859-1 encoding.

So, yes, someone could decode one of your security event tokens, although it’s hard to see what they would gain by doing so. After all, no personally identifiable information is included in a Webhooks v3 security event token: although you might see a user UUID such as 6b004bc5-179c-45c2-815d-31b06169371d, you will never see a user’s name, email address, phone number, or anything else that might give you some insight into who that user is.

On a similar note, when Webhooks v3 reports a change made in the Identity Cloud, the security event token indicates what was changed (i.e., a user profile attribute or a password) but doesn't report either the previous value or the new value for that item. For example, consider the following notification, which indicates that a user has changed his or her email address:

  "events": {
    "entityUpdated": {
      "attributes": [
        "email"
      ],
      "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6",
      "captureClientId": "elrrniux51a3nrhfwzklvz3t46lb5n2m",
      "entityType": "user",
      "globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d",
      "sub": "6b004bc5-179c-45c2-815d-31b06169371d",
      "id": "00000000-0000-0000-0000-000000000000"
    }
  }

As you can see, the notification tells you that a user account was updated (the entityUpdated event type) and that the attribute changed was the email attribute (which stores the user’s email address). However, neither the user’s old email address nor the user’s new email address is included.

By the way, a fully decoded SET looks something like this:

{
  "typ": "secevent+jwt",
  "alg": "RS256",
  "kid": "1dc12073699c68c1daee6c9a100e2b43febdcd92"
}

{
  "iss": "Akamai Identity Cloud",
  "iat": 1563488631,
  "jti": "b70046bd-44c7-4575-b1a2-9b8556d1f040",
  "aud": "https://example.com/path/to/endpoint",
  "txn": "00000000-0000-0000-0000-000000000000",
  "toe": 1559372400,
  "events": {
    "entityUpdated": {
      "attributes": [
        "email"
      ],
      "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6",
      "captureClientId": "elrrniux51a3nrhfwzklvz3t46lb5n2m",
      "entityType": "user",
      "globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d",
      "sub": "6b004bc5-179c-45c2-815d-31b06169371d",
      "id": "00000000-0000-0000-0000-000000000000"
    }
  }
}

IvkrGFE3GsK3eTLO_QvdFKqg4ktJ2sDToHNghMfGUlWNzRLMIpmgsWZXzLv0QMiyatLva7mEshTlfyOje-S_Y-nUniM9hgHgNg-R0Az9hs2mu_ORcXEFo9AHayhjvW1bKHcmTI7dlw2fqFl-2VBS594LQspDYfZ4WJ7hexq7OwACB8qp0oVskx_fc8mHQfy4YnW5GF4XlTcl6CnjYU81qY4hejcnkkg8olbq_ePUnpTpW8-YO5cPW9nW8KlivRJGWJbEXnffSAd5xwlViJm6iTde2QQVv9pi_Z6LnrxPQotoGhJOvk_wkwANsWC9TwDNnlBTiLePCFLU85haWanXcg

Again, the color-coding is there for a reason: the colors delineate the three sections of a security event token. Those sections include: