How are webhooks protected between Azure DevOps and Exalate?

    This article describes how the integration between Azure DevOps and the Exalate app is secured.

    Azure DevOps instance is configured such that each time a work item is created/updated/deleted, it fires a webhook towards Exalate.

    Every time you create a new connection Exalate checks if necessary webhooks are available and create them in case they're not available.

    After that on every create/update/delete event for the work item Exalate checks if the correct webhook is used.

    You can find Azure DevOps webhooks under the Project Settings - Service hooks in the project configuration.

    Webhooks are secured via basic authentication:

    user id:  idalko

     password: is calculated from the following parameters

    • exalate URL
    • play.crypto.secret
    • Organization name and project ID
    • additional environmental parameter

    As the password is calculated from invariable data, there is no need to store the password.

    What happens if the password is wrong?

    If the password is wrong, the webhook fails to be fired. The following message will appear on the Azure DevOps side

    For connections created before 5.0.10 version

    Exalate automatically creates the webhook whenever you create a connection. Azure DevOps does not allow to update webhooks set with basic authentication as it is considered as a security vulnerability.

    If you've created connections on an older app version and you want to use webhook authentication you need to submit a support request.