How to use Webhooks with Okta
Connecting and sharing data across disparate systems is a critical part of modern-day software development. Nearly every application needs to communicate and share data across many services, both internally and externally. Businesses often have to connect internally built apps to external services such as Twilio for customer notifications, Stripe for payment processing, and Okta for customer authentication. To do this effectively, businesses need a scalable and efficient way to communicate with these various services. That’s where APIs and webhooks come into play.
Both APIs and webhooks act as a conduit to share data among separate applications, or to integrate 3rd-party services into your app. While APIs and webhooks are similar, they differ significantly in the way they make requests, so they have very different use cases.
What is a webhook, and how does it differ from an API?
A webhook is an HTTP callback configured to listen for a defined event. When it detects that event, it responds automatically and instantly. Webhook requests are reactive; they occur only when a specified event triggers the response.
By contrast, an API proactively initiates a request for data. For an API to achieve the same functionality of a webhook, you would need to poll for data updates constantly to replicate the instantaneous nature of a webhook. Said more succinctly: webhooks are far better than APIs for real-time data updates.
As events happen in system A, HTTP POST (HTTP callbacks) requests are sent to system B. These POST requests automatically notify system B of a change in system A, enabling system B to ingest any potential data (JSON object) updates and react to the events in system A.
Building and managing authentication, authorization, and user management is hard. There are complexities that span security, scalability, and user-experience perspectives. That’s why we make embedding authentication and authorization into your app simple and fast with easy-to-use widgets, APIs, and SDKs.
Okta customers have countless use cases and integrations. What we’ve learned overtime is that every person, every technology, and every identity journey is different, and that requirements are constantly changing. To solve for an unlimited number of use cases, we needed to build more flexibility and customization into Okta—that’s why we built Oka Hooks.
There are many 3rd-party systems and apps that you may want to integrate with during the core processes of authenticating a user, registering their identity, and giving them access to your app, and this is where Okta Hooks can help. There are two types you need to know: Inline Hooks and Event Hooks.
Inline Hooks help developers pause an Okta flow to add information or make a decision. Through an HTTP request, a non-Okta source can modify a running request within Okta and infuse additional information. As Okta processes like registering, authenticating, or importing users are occurring, Okta can call out to your custom code, allowing you to perform additional logic. Okta then waits for the callback response and, based on that response, you can define which actions Okta should take.
Inline Hooks, an example
As a user is stepping through your registration, Okta calls out to your custom code so you can perform additional important activities within your process. For instance, you may want to check a user’s email against a database of known, verified emails, and based on the callback response, either create the record and move the user forward or deny registration.
Or, before completing the registration process, you may want to call out to an external service and augment the Okta user profile with attributes from that system. Or you could do some identity proofing with an external service like Experian, and based on the callback response, either create the user record or deny the registration all together. The key point here is that with an inline hook, Okta will wait for the callback before proceeding.
Event Hooks notify downstream services when an event of interest occurs in Okta, via an HTTP POST. This allows you to register and listen for specific events happening within Okta, and once triggered, Okta automatically and instantly sends a notification to your server via an HTTP POST.
Event Hooks, an example
With Okta Event Hooks, you can extend out to other systems and perform some action based on something that happened in Okta. For example, after a user makes a purchase, you could add that person to a “high value customer group” in Okta. That could then kick off an Okta event that the Hook will listen for. When that event occurs, a notification can be sent to your server to perform some custom logic, which could be to tell Marketo to add this user to an email drip campaign for “high value customers.”
Using Inline Hooks and Event Hooks together
Let's now take a look at how to use Inline Hooks and Event Hooks together to accomplish a comprehensive registration flow.
As you can see above, the user starts off by initiating a registration and completing a standard set of simple questions. Once the user completes the questions and clicks the registration call to action, an Event Hook sends a notification to Google Analytics to capture conversion analytics. Next, an Inline Hook kicks off a process to perform identity proofing on the user via any 3rd-party identity proofing service (such as Experian).
Here, Okta waits for the callback, and based on the response, can either create the user, deny registration based on malignant information, or require the user to provide additional information to verify their identity. If the user is successfully verified through Experian, Okta creates the user profile and completes the registration.
Next, an Inline Hook calls out to a CRM system to create a CRM user record. Okta again waits for the callback that contains the CRM userID, which is then passed to a data warehouse through an Event Hook.
Lastly, a registration confirmation email is sent to the user, and an Event Hook sends a notification to Marketo to add the user to an email nurture campaign.
With a relatively small amount of code, Okta Hooks provide developers with the power to alter their Okta policies and behaviors, in order to enjoy customized integrations. They also give developers the ability to advance, secure, and customize their identity layer. This also helps them, along with their partners and customers, develop purpose-built logic to extend the Okta Identity Cloud in exciting new ways.