Hi everyone, welcome to the Okta developer stream. I'm Brian Demers, and with me are Micah Silverman and Heather Downing. Hey, it's work today. We're gonna talk about hooks and webhooks and all that fun stuff, right? Yes, and why we want to play with them in the first place. And again, if you're following us on Twitter, I'm at core line. Go ahead, Micah, what is your Twitter name? afitnerd. Are you a little this fool you? And I'm Brian Demers. Nice, nice. All right.

So Micah, when I first came to Okta a few years ago, I remember we had a conversation about the cool things that you can do with automation and some of the different logs that Okta will give you as a developer, and I remember meeting you at Oktane and we were talking about this cool way that you kind of folded Okta hooks into one of our games to win a t-shirt. All right. Can you start off with what the heck I'm talking about, in a much better way?

Yeah, so awesome intro, and it's a great place to start with Okta branding versus the rest of the world. So hooks are webhooks. There's no difference, and we didn't invent it. We do something awesome with webhooks, I think, but we decided to call them hooks because it's catchy and it's one syllable and it distinguishes us. But they're webhooks, and webhooks have been around for a while. And just, you know, top-level, basic, generally speaking, a webhook just allows another service to call out to some endpoint that you've defined, do some functionality, and respond to that service.
So it's a way to extend an existing service in new and unique ways, maybe mash up some APIs in ways they were never intended to be used, and do some pretty cool stuff. And as much as I love Okta, I thought I'd start out with a super simple example from Heroku, because Heroku makes it really easy to create add-ons. If you're not familiar with Heroku, Heroku is an app hosting platform, and they have this giant library of add-ons, and anybody can go and create a Heroku add-on. Heroku calls them add-ons, but the mechanism behind the scenes is webhooks. So if you've ever deployed an app to Heroku that had a requirement or a dependency on Postgres, you go to the Heroku add-on bazaar and you just add in Postgres; behind the scenes, Heroku is making a request to some other service to go and provision Postgres. So I thought I'd start there, because I wrote the Okta Heroku add-on and I got very familiar with Heroku's whole system of doing that.

So I'm gonna share my screen. I'll make everything big here. This isn't the main event; this is where I just define this very simple add-on called okta herocoo test. Fun fact: you can't have the word "heroku" in your add-on name. So of course I said challenge accepted, and so now it's "herocoo". But really what's happening here is I have this definition in a manifest file that tells Heroku where to call when I go to add this add-on to an app. So I have this app created. It's actually completely empty, there's no code deployed at all, but I'm saying, you know what, I'd like to provision this add-on called okta heroku test for this app. Let me just make sure I have breakpoints set here. This is about as simple a Java app, a Spring app, as you can get. It's gonna receive this Heroku provision request, and all I'm doing here is pretty-printing that JSON request. But I've preconfigured Heroku to reach out to my service. Now, I'm sitting on my home Wi-Fi network behind my router and firewall.
So how is Heroku gonna reach my little locally running app here? Well, there's this awesome service that you may or may not be familiar with called ngrok. ngrok drills holes into your local environment so that you can test services from the outside in. So I could give this URL to somebody and say, hey, test out this great program I wrote, and it's a publicly routable domain that you get out of it. This is what allows us, so I've configured Heroku to hit this endpoint, and so now I can test out this service without having to deploy it or set it up anywhere or anything like that. So when I go heroku add-ons create, Heroku is going to reach out and hit this endpoint, and I'll just set a breakpoint here so that we can see that it's actually doing that. So here we are, we're at my breakpoint. I'm just gonna let it go, and if we look at the console output, this is the request that Heroku sent in.

So we want to talk about what makes a webhook a webhook. It's a service that you run that another service can call, and it can kind of ingest these RESTful requests. So it sends in things like the name; this is a name that Heroku allocated. It's got a unique UUID that it may need to use later. Importantly, it's got this callback URL, because if you're provisioning a service like Okta, it may take more than two seconds.
And so this way the provisioning can be completely async, and when it's done the add-on can use this unique callback to tell Heroku that the provisioning is done and make it available to your app. And that's exactly the mode that I operated in here. And so our output says it's being created in the app in the background, the app will restart when it's complete, and we can check its progress. Now this is Heroku's system to show me the progress. It just says that it's creating, and in fact it's gonna say it's creating forever, because I never created the code to tell it that it was done. And even if I go to the Heroku interface here, if you notice over here, it shows that I've added this add-on to this app, and over here you get the three, you know, in-progress dots, and it's gonna stay that way indefinitely. Actually, for up to 12 hours. So Heroku will wait 12 hours before it finally gives up and says provisioning failed.

The important bit here is that Heroku called my service. That's a webhook. I can go ahead and delete it, and when I delete it, if I can find the right one, destroy, so add-ons destroy. I should have an endpoint that handles that deletion, because maybe I need to delete something from my database. So Heroku attempted to reach out to my service again, attempted to make a webhook call. It sent this delete request to this endpoint and it just resulted in a 404, because I didn't implement that. But as far as Heroku's concerned, it's done its job and it's no longer associated with this app.
So now I don't have any add-ons. So Heroku is a great example of a webhook in general, you know, just the general mode of operation of webhooks, how they work. And hopefully that gives kind of an overview of what is a webhook, what makes something a webhook. It's a service that you're running that some other service is reaching out to, sending in a RESTful request, and you give a response that is something that it expects. And all the services that support webhooks will have documentation and parameters around: is it synchronous or asynchronous? How long can you wait to respond? How to handle edge cases and all that good stuff. Yeah, I thought it'd be a good place to start.

I ran into this a little bit when I was working on some of the voice work, so both Google and Alexa tend to want to be configured with hooks that way. So I would say that it's interesting to try and debug, right, if you don't think about the process, whether or not it's synchronous. You can definitely run into some debug problems. So what did Okta do that I should care about? Like, what should I care about?

Yeah, so you froze up for a second, but I think I got the question: like, what did Okta do that we should care about? Great question. One thing I do want to do is give a shout-out for ngrok, because you mentioned debugging just in general. Let me share my screen again, because ngrok has this great interface to be able to monitor the different kinds of requests that are coming by, and it gives you all kinds of detailed information. I know it's this way in Spring Boot, but every three months or so I have to remember, like, how do I do verbose output of incoming HTTP requests? And then I do like a half hour of research and I remember what XML voodoo I have to do to get all that log output. Maybe it's that way in other frameworks.
I don't know, but if you're using ngrok and it's sitting in between, you can actually see all the requests, the body of the request, the headers that it sent over. You can see the basic authorization that Heroku sent to my app, and so I had to configure my app to be able to handle that basic authorization. So shout-out again to ngrok for making it so easy to debug stuff locally from the outside and to capture everything that's going back and forth.

And another bonus: it does the TLS handling for you too, right? So if you have an application running on, you know, port 80 on your machine, ngrok can be reached over HTTPS.

Yeah, that's right. And in this particular case I have a paid account, thanks to Okta, and so I get to have a fixed subdomain, which is awesome. But even if you don't have a paid account, I think by default it gives you a random subdomain, and they have a wildcard cert, so it'll still be protected by SSL, I think even on the free tier.
I think you get something like four or six hours of having this endpoint up and addressable, and then after that you just have to restart ngrok and you get a new subdomain. So it's pretty generous in how you can use it, even for free.

So Heather asked the question about stuff that Okta's done, and this has become, over the course of the last year... this is something that we announced at Oktane 2019, so in April of 2019, I guess. So we're coming up on a year and a half of it going from beta to early access and now to full production. But we have these different categories of webhooks in Okta, some of which are async and some of which are synchronous. The synchronous ones are things that you can do to impact various types of workflows in your interaction with Okta. So I guess it's worth taking a quick step back and saying Okta is an identity management platform, and so anything that you're concerned with around managing users, authenticating and authorizing users, you offload that to Okta so that you don't have to reinvent that wheel. And what I have up here is just some of our documentation. The first one that I thought I'd show, and then maybe we could talk about it a little bit, is a very common kind of use case, where very few of our customers, even people who are doing hobby projects with Okta, very few of them come with a totally greenfield situation. They have, you know, they've built something locally.
Maybe they were using SQL Server on the back end, or Postgres. Hopefully they were storing their passwords in some protected way. But now they want to migrate an existing user base to Okta. And the way that we used to have to do that is we would have to rely on our customers to do all the heavy lifting to migrate those users. If they wanted to run alongside their current auth system, the typical scenario would be you have a shim application that, when you go to authenticate, gathers those credentials that you just put in, checks them against your legacy system, and if you get the thumbs up, it then uses the Okta API to create that user and set their password. And we were able to use webhooks to streamline that whole process. And this request here that's on my screen right now, it's a little arcane, but the important thing here is that in the credentials part of the JSON, rather than actually setting a password, we're telling it that we're going to set it up as a default import hook. And what that means is that we can create a user that's ready to be imported, and then all we need you to do is write some code that checks against that legacy system and gives a thumbs up or a thumbs down. But Okta will now automatically migrate that user. That is, if your service, your webhook, gives the thumbs up, Okta will take that plaintext password and store it on the back end safely, protected with bcrypt hashes and all the stuff that we do on the back end, without you having to worry about provisioning and setting that user up manually. So I can actually copy this as is, because I cheated a little and set some of these variables in advance, also so that I wouldn't have to show you my API token.

Oh, you're no fun.

Right. All I'm gonna do is create this user. So I'm creating a new user in Okta, and typically, let's say you have 10,000 users, you would iterate over your
database and you would create the users in Okta using the data that you already have, just without credentials. All right, and I forgot that I was using curl. But the important thing here is that the provider type has been set as import. So this is now a fully created, active user, but this user can't yet log in in a vacuum, because if we go to this Okta org that I have, I created this password import inline hook, and you can see that Okta is gonna reach out to my endpoint. This is how webhooks work. So Okta is gonna make a request of my endpoint, and then it's up to me to say yes, that's the right password, or no, that's not the right password.

How did you get to that screen on the dashboard?

Oh, good point. So if you go to Workflow and Inline Hooks, you can then start adding inline hooks, and you can see the different ones that we have. In this case I did a password import hook, and you fill out some form information like the URL. You can give it... Okta will send a basic authentication header. Just for the purposes of demonstration, I left it blank; not a great idea in real life. And so then Okta, whenever, and this is a global setting, right, so now when any user goes to authenticate that is in that imported state, it's gonna use this hook. And this is kind of a subtle and important thing here: you might think that, oh man, my password import webhook is gonna get hammered by Okta. It's only for users that haven't already migrated.
So once the webhook gives the thumbs up and says that's a good password, that user will transition from being provider type import to provider type Okta, and once it's provider type Okta, then my webhook no longer gets called for that particular user. So if I have 10,000 users and 9,900 of them are already migrated, it's only ever gonna call my webhook for those last 100 users that still have to migrate.

So now, is this just set up and configured forever? Like, what happens if I've got my mother, who doesn't want to log in but once a year to things?

Yeah, it's a great question. Typically, first of all, you know, the unsatisfying answer in our industry always is "it depends," but the answer is that typically our customers will run a 60-day or a 90-day program, at the end of which some high percentage, let's say 90% of their active users, have migrated by that point. For those users that are still in this import state, you use the Okta API to say, give me all the users that are in this provider import, and I'm gonna initiate a password reset on each of those users. And so now they're gonna get an email saying, hey, it's time to change your password, and some percentage of those users will go and change their password. You know, with these kinds of migration programs you typically don't catch every last user, because some of them are inactive, but it's the way to get the vast majority. Within that 60 or 90 days they will migrate, and then some percentage of the remainder will migrate over time, when they get that email that says, hey, it's time to change your password.

Right, and the idea here too is that you're taking the load off your support staff by not resetting everybody's password, right? You're allowing them to log in. From the user's perspective,
it just works the way it did yesterday. But, you know, some subset of users, you know, whoever doesn't... That's right.

Yeah, so I have an incognito window here. Now, if I log in as this other user that already has a password set in Okta, remember, my password hook never gets hit. That user is already an Okta user, not an import user. However, if I log in as that user that I just created that's set to type import, right now I'm gonna type in anything here. Okta doesn't know yet, but what Okta is gonna do is it's gonna hit my password hook. And now it just passed in this request, and for those of you that are Java people, if you're not, please don't hold it against me, but for those of you that are Java people, it's really easy to convert a JSON object to a map of String to Object, and you can have it nested and be as deep as it needs to. It's kind of the poor man's way to start with model objects. But I can take a look at this request that's coming in, and I can see that among the things it's passing me is all kinds of metadata, event IDs and stuff like that, and then within that it's got this data, and that data has... hold on, I've got to keep digging into the layers here. Hold on, I'm gonna turn off the... so I find the right place here.

While you're looking, I do want to point out too that we do have a Java SDK around this. This sort of shows more of a JSON view, but if you are a Java developer you can check out our SDK for that, which wraps it up in more of a DSL. But yeah, that's right, you don't have to. For demonstration purposes, this is a good view.

Well, yeah, you don't have to go around. Not every SDK in every language has this implemented yet, so it's good for us to know at a high level how we can just read the object. I'm a dynamic developer.
So of course I'm like, oh yeah, I can just use an anonymous object type and then as it comes in I can check against it. But I think we have documentation around the JSON structure of what we're gonna get, right?

Yep. Yeah, that's exactly right. I can show that in just a sec. But what I was looking for is, you know, buried in this request object is the username and password that the user put in, and Okta's looking for a response from my webhook just to give it the thumbs up or the thumbs down. Now I have it set up here to return verified by default, but let's change that to unverified. I'm gonna set the value here, and I may have to do it twice, because I think the first request is like a CORS request or something. Yeah, let me set that twice. I'm gonna set that to unverified. Then back over here, it just says unable to sign in. So my webhook responded back to Okta with the thumbs down, basically, and so our interface doesn't give you a lot of information about what went wrong. It just says unable to sign in, which is, you know, a good security practice. Now if I try to do this again, this time I'll let it go through, and now it's transitioned to letting me finish creating this account in Okta, and now I'm fully authenticated as this user, Isaac. And, you know what's funny, I might not remember what password I put in there, but this time it shouldn't hit my webhook at all, because now that user is fully transitioned over. See... oh, dang it. But what I can do is just show you this really quick. If we hit the... I'm gonna do a little bit of live coding here, what could go wrong? /api/v1/users, and I'll give it... I know you can't see that, maybe you can't see that on the bottom of my screen, but it'll all become clear in just a second. I just need to look back and see what API token... all right, API token. All right, so I'm just gonna hit the users endpoint.
This is the Okta API, and if I look at that Isaac Brock user, I can see that the provider type now is Okta, not import, because that user has been fully migrated, thanks to the magic of webhooks.

And matching that identity that we have here is based on their email address, is that correct?

Yeah, that's right. In this particular case the glue, if you will, is their email address. It doesn't necessarily have to be. We have customers that use other types of identifiers, you know, like shipping companies that just use user IDs that are long numbers or something like that. But for the purposes of demonstration, it's easy just to make it an email address.

Yeah, so whenever you import your users you can associate whatever metadata you have at the time, and, you know, if you have some internal ID you could look up on that ID versus an email address.

Yeah, and the documentation that we have on this is pretty extensive, where you can do things like, in that response that the webhook sends back, you can do things like set custom profile attributes, you know, as part of that migration. So it's pretty rich. And, you know, there are a lot of companies that do this sort of thing, that have a method for how you're gonna migrate your users, but they often involve a lot more heavy lifting on the customer's part. And that's the way it used to be for us. It used to be that rather than having our customers write a small piece of code that returns verified or unverified, our customers had to really get deep into the weeds of the Okta API and go and create a user and set the password and activate the user, kind of manage that whole life cycle on their own. Now we have import as kind of a first-class citizen in the life cycle of an Okta identity. So that was pretty cool.

That is really cool. So is that what Okta hooks means? It's an import hook, or are there different kinds of hooks?

There are different kinds of hooks.
So that was an example of an inline hook, and we have a couple of other types of inline hooks. We have registration hooks and we have token hooks. The registration hook is just some additional validation or verification that you might want to do at registration time, and the typical example that I've seen is you've written this app, and maybe you have a cloud of applications and you have this new application, and before you allow a user to register for this new application you just want to validate some piece of information about them. Maybe they need to have a password, or rather a credit card, on file. Or maybe you want to do some external check that says they've been invited. Maybe this is a beta app and you only want users that have been invited. It's publicly available, anybody could go to the front door, but you only want users that have been invited to be able to register for this beta app. So you can use this registration hook, and again, it's kind of like a thumbs up, thumbs down thing. Okta will call your webhook, and if the response essentially expresses "allow that user to register," then Okta will allow that user to register, and if not, then they won't be able to register, even though it's sitting there on the public web. So in the past we kind of had two modes of operation. It was either private, and you had to call up some help desk and give them your employee number and have them provision you for this application, and then you could log in and set your password the first time, or it was completely open, anybody could register. This is kind of an in-between state, where you can control who's allowed to register and who's not.

The other type of hook, which, I have a bias when it comes to OAuth, is the token hook, and that really adds a lot of power. That allows you to alter the contents of a JWT-type token in flight, which is kind of
a cool feat of engineering, but more importantly, useful for Okta customers. So the idea, you know, with JWTs, if you're not familiar, part of the power of JWTs is that they're signed with a private key, and you grab the public key and validate that signature, which gives you a high degree of confidence that you can trust what's in the payload. That's kind of baseline JWT. So that's the benefit of it, and in the past it's been really hard to have any sort of dynamic interaction or dynamic changes to that payload, because it requires re-signing. If you change the payload and you don't re-sign the JWT, it's instantly invalid, because the signature isn't going to match properly. And part of the challenge, especially with Okta, is that we don't ever expose the private key used to sign JWTs to anybody, not even internal employees. So it's not like you could say, well, I'll let Okta sign my JWTs, but when I want to, I'll use that private key to do my own thing. You don't have that option. So what the inline token hook allows you to do is, just like we saw before, Okta will reach out to your service, and through JSON you can express changes or additions that you want to be included in that JWT, and then Okta will add those claims.
That's key-value pairs; in JWTs they're called claims. Okta will update the payload and it will re-sign, and it does all that in flight. So it really opens the door to a lot of dynamic behavior. And part of the whole motivation for webhooks in general is to be able to be future-facing and roll with behaviors that might be requirements for your app that the service provider never accounted for. You know, so if you have some interesting app that needs to add all kinds of claims on the fly, there's no way that Okta can anticipate that, so we give you this mechanism now, through these inline token hooks, to be able to do that. So you provide additional claims, or maybe an alteration of existing claims, Okta updates the JWT, including re-signing it, and then your application receives a JWT that's ready to be validated, because the signature is correct. So super, super powerful, and I really think we're kind of just scratching the surface on the types of use cases and the power that you can squeeze out of that type of hook. And so we've given our customers all these tools, and now we're seeing some interesting emerging use cases. For a long time we've had lots of requests of, you know, for this user I want to have this set of claims, for this other user I want a different set of claims, and we've kind of twisted ourselves into pretzels in the past to try to make that happen. Now, with this inline token hook, you can just do it. The one downside I will say, or the one challenge, is that because this is a synchronous operation,
it has to happen in flight. Your webhook has three seconds to finish its job, and if it doesn't complete successfully, you're just gonna get the original token without any changes. So that's something your app has to be prepared to deal with. Your app can't assume that claims are gonna be there, because maybe that token hook call failed for whatever reason, so it just has to be able to deal with failures in an expanded kind of way. But it's an interesting challenge. You have to write a program that's resilient enough to respond in three seconds, which in the context of the internet is actually pretty generous.

I mean, really, if it's taking that long, there's something wrong anyway. You want it to be, like, sub-100 milliseconds, ideally.

I mean, I do agree with you, but in my world of legacy applications that's not always the case. So it's good to know it's the same way, actually. So this is not just an Okta idiosyncrasy, and the same thing happens when I had worked with Amazon's Alexa service, is that pretty much if your hook did not respond within, I believe it's like three to four seconds, it said, "I'm sorry, I can't actually reach this particular skill right now," and that was the default of what would happen for the user. So it forced a lot of the companies that I worked with to make sure they refined their data down to maybe a stored procedure so they can get things really quickly, and make sure they have a good, trim microservice for this. This is an excellent example of what a microservice should be for, and not your ginormous REST API, right?

Yeah, it's fair. I mean, you know, for user experience, right? If you're logging in you don't want to wait. I mean, three seconds is a long, long time, right? You know, so you have the call, Okta has to deal with your password or whatever, right?
There's some cryptographic delay that has to happen, and then we call out. So you are adding delay, but, you know, like Micah said, if you can respond within 100 milliseconds, a quarter second, then your user is not gonna really realize it. And especially, that's only once. So that's when you log in, and that token is valid for some duration, and your service isn't contacted again.

So maybe you can show me that list, Micah, of how, if I'm starting from the beginning, because there's all these options already swimming, I'm sure, in the heads of our viewers. Okay, you are talking about inline hooks, but there's also something on our site called event hooks. How do we think about each of them? Like, what does it mean to be an inline hook, and what does it mean to be an event hook? Because if they search for hooks on our documentation, that's what they're gonna see. So how do I remember what means what?

Yeah, that's a great question. So event hooks are asynchronous and they're passive. What I mean by that is, any time you do anything, mainly write operations within Okta, you change a password, you authenticate, a token is issued, all of those types of events are recorded in the system log. The event hook makes it so that you can capture all those events in a very similar way that Okta's built-in system log already does. So event hooks are asynchronous and they're all about events that have happened in the Okta org. So, you know, there's no on-the-fly alteration with event hooks or anything like that. They're really informational. It's also a great way... like, we integrate with, you know, Splunk and Datadog and Sumo Logic for long-term capture and analysis of logs. That's great, but this is a situation where if you're doing some casual sort of data gathering, you can set up event hooks and have an endpoint that Okta will call and just capture all of those events
on your own. And Okta's not gonna wait for you to respond. I mean, it does expect a response, but all Okta does is call your endpoint, send event JSON information, and kind of, you know, Okta's done. It's up to you to capture that and do something with it. It's not that kind of critical time window like inline hooks. Password hooks, registration hooks and token hooks are all synchronous, because they're dependent in some way, they're dependent on your response, and they will time out. And, you know, the kind of dynamic you were talking about with Alexa, it's not going to wait forever, for user experience's sake. But they are dependent on your service responding in a certain way, and things kind of get interesting in that realm, because, for instance, you were talking about with Alexa, like, it'll error out if it takes too long. With inline token hooks, for instance, Okta made kind of an engineering and just a general decision to say, if your inline token hook times out, rather than generate an error condition and trip up your application, Okta's just going to return the default token that it was going to return anyway. So you've already authenticated.
It's not like a security risk. It's just that you were intending to return some sort of enhanced token, your service timed out, so Okta says, well, I'm just going to return the original token that I was going to return anyway. And that's where, you know, your application might have to be a little smart in dealing with that. But, you know, you have to make those calls when it's a synchronous hook, because there has to be some sort of reasonable timeout associated with it for user experience. You know, Heroku, by contrast, just because of the way their add-ons work, they give you a generous 12 hours to tell Heroku that your provisioning is done. And, you know, I can't imagine a service that would ever really take that long, but, you know, provisioning an Okta org using the Okta Heroku add-on does take about 40 seconds, and Heroku accommodates that. And some provisioning takes longer, some provisioning is quicker, but you get that kind of visual feedback of those three dots that says, hey, we're still provisioning this add-on. The link that you put up is a good one to get some concepts under your belt for those different types of hooks.

And one thing that I wanted to show people, bear with me a second and I will share my screen one more time: we have kind of this ongoing developer challenge. We used to just set this up for conferences, and we kind of debuted this web app at Oktane 19, and now we've run the app with different subdomains at, I want to say, a dozen or more conferences. But this is experience dot okta challenge dot dev. So we just kind of made it generally accessible now. And this first tier just walks you through some kind of general, entry-level type of interaction with Okta's API.
You create a user, you create a group, you create some apps. But tier two is where it gets interesting, especially with today's topic, because it's all about the different types of hooks. And we actually exercise every hook except for the password import hook. So you have event hooks, registration hooks, and this authorization section is all about those token inline hooks. So this is publicly available. You just come over here and give us some minimal information; all we ask is your name and an email address, and then you go create an Okta org, and then it actually gives you a customized Postman collection that you can use to follow along with each of these use cases and scenarios. It shows you... oh my goodness. Yeah, so these two tiers are not dependent on each other, too. So if all you care about is the hook stuff, you don't even have to do the first one. But if you want to get familiar with the Okta API in general, this is a good place to start. It shows you your progress as you play the game, so to speak. You download this Postman collection, and then you can open that in Postman and it's all set; it's preset with your Okta org and your API token and everything that you need to then work through each of these little challenges. So that's a really good place to go to dig into more of the meat of these different types of hooks that we have. Okay, so for this one, are you using an event hook or an inline hook for the developer challenge? Well, both, actually. So you start out on this second tier, you start out creating an event hook, and you can actually see incoming events through this little JavaScript app that we host on Glitch. So if you follow through this example and get everything set up, you'll actually see an interface where you can start to see events coming in, getting captured because of the event hook setup. And then from there you go to the last two here.
So there's event hooks, which is our asynchronous hook, our passive hook, and then the registration hook and the inline token hook walk you through our synchronous hooks and show you how you can transform an access token by adding additional information to it. Okay, so the way that we think about this, correct me if I'm wrong, Brian, is that inline hooks... think about it as when the user is registering or logging in, and basically once they hit the server and Okta is in the process of creating or generating a token for them, it is in flight. So while it's in line to go back to the user, you can stop the process in that flow and either check things in the background and say yes, you can continue, or no, you can't, or hey, by the way, I want to add some extra baggage onto your claims there, and then it goes. But event hooks are observational, right? You don't stop the flow at all. They're just like an FYI: this user just did a thing, in case you want to fire an email in the background. Is that correct? I just want to make sure that I'm interpreting correctly. Yep, you got it. So the event hooks are more of a fire and forget, and the inline hooks are definitely a stop-the-world type of... You have the power. Yeah, so I wasn't sure if we'd have time to actually look at some of this, but let's see, just for fun. Why don't you and Brian talk for a moment, and I will see if I can't get the event hooks set up in the app here, and we can actually see it in action. All right, so you've got a bunch of events that you can observe, right, Brian? I don't have it up in front of me; maybe you can grab what some of those are. What do you think is the coolest one that you've been able to actually play with in a demo
that you think would be useful? Because there's all sorts of different levels depending on who our users are, users meaning who our customers are. Yeah, so I think my favorite is the inline token hooks. So there's just a lot of power. I know we touched on this earlier, and the password hooks are great too, but the token inline hook I think is going to be the most used. So it allows me to isolate some sort of custom logic and inject it into the user's flow. So if I have some SPA application that needs access to some private data, I don't want my SPA reaching out to some data source, right? I don't need to deal with any of that. Okta can securely reach out to my service, my service will respond to Okta and say, yeah, add "my favorite color is blue," and now my SPA application knows my favorite color is blue without having to do an additional lookup, or try to deal with a separate request, or figure out how to authenticate my SPA application to talk securely to my API. I don't need to do any of that. It's already there. Okay, so that means that it's just part of the token. So when it deserializes you have those additional pieces of information, instead of: hold on, now that I have the token, or the access token, now I have the ability to call Okta's Users API to get information about them back. You don't have to, because it just came in flight with it. Absolutely. And it's even better if I have a hundred different applications that will need some sort of subset of data. I can just have one microservice to add that data to my token, and then all of my applications could potentially have access to it. Nice, so that means it could actually be stuff that isn't even stored in Okta. It could be stored in your own database that you add. That's cool. Absolutely.
So it's my secret sauce, right, that Okta doesn't persist. It sticks it in the token; obviously Okta knows that token for some period of time, but we do not persist it. Okta doesn't store it. So it's still your data, your IP, whatever, if those are your concerns. I think for me, when I was looking at event hooks, I'm really interested in DDoS attacks. I'm interested in different kinds of ways that hackers would try and spam, perhaps, my registration or whatever, and I think observing certain amounts of behavior is probably really useful. So instead of it being in a black box that Okta just has and you just trust the logs, you actually get to see the logs as they happen, and you can perhaps send it off to another service to also take a look at and monitor. Yeah, absolutely. So with the event hooks, again, fire and forget. Your application is just queuing them, or maybe you're forwarding them to some [inaudible] package or whatever, or maybe you're just queuing them up so your support team can figure out what's going on with a user's login. Now obviously some of those things you can do in the Okta dashboard, right? But if you want to do some advanced analysis on that data, you can do it in real time as opposed to doing some after-the-fact batch processing. So let's say I'm part of a big company, like an electric car manufacturing company, and we have different divisions. And so me as a developer, perhaps I'm only working on stuff that would be inside the car, and that means that I may not have access to the entire Okta org of users. Can you do hooks at an application level, or is it more at a group permissions level, or is it really across the whole org? How does it work? That's a great question.
So the hooks are set up at an authorization server level, but you have enough context that your hook can make a decision based on that information, right? So if I'm logging in and I'm calling a token inline hook, my handling application, whoever's handling that webhook, knows what scopes I have, potentially what groups I have, my email address, whatever identifying information, and then I can give them a different subset of data than I would, maybe, an admin or somebody. So you definitely have the power. So if I created my own... let's say I only have control over the app that's in the car, right, but I don't have control over maybe their user's profile somewhere else. That means I could create my own authorization server, and that way I would be able to do it at the auth server level. Yep. That's pretty cool. So that means that you aren't married to the process for the entire company or the entire user base. You can do it per situation. Absolutely. Right, for me, I've noticed that there's a difference between a grandfathered-in, or perhaps a set-up user account outside of my application, and an application-initiated registration; that seems to be a completely different flow. Like perhaps the user, once we brand it, may not even know that they are an Okta user. They'll just be like, hey, it's my cool car company's account at that point, right? So I've always been interested in how much of this is set up to where your user with many applications on, like, our Okta dashboard versus you don't know about the dashboard, you just know about the app in the car and you just want to make sure you can log into it and change your stuff from there. Yeah, so I think that's the idea. Even as an Okta employee, right, I think the ideal experience is your users don't know what authorization server they're using, right?
So it just works, everything's themed, everything looks great, and it's all transparent to the user. On the back end, the developer side, obviously we want to expose all of these things and make things powerful, but from the user experience, they shouldn't have to deal with any of that. Right. I guess this is more... we're thinking about customer identity and access management, or people who are not within an organization. So they may not even know that they're doing an import, for example. Like we have customers that are some of the largest social networks in the world, right? But you may not know that Okta is the one who's handling some of that in the background, or they don't want to see that that's what it is. That's different, of course, than, hey, you work at a carpet cleaning company and you know that you use Okta because you have a dashboard with different apps that is a single sign-on into all those apps. So there's a difference between whether or not your end users know, because they are part of your company, or if they are external customers; it's a completely different experience. Right. So the cool thing is that all the inline hooks work the same way for both of those cases. So from the developer's experience, it's not different. Obviously, from how you architect and how you set things up, right, there are some concerns there, but from how all the pieces fit and work together, it's all the same. Awesome. Are you ready to show things? Yeah, so while you guys were having that interesting conversation, I was sweating to see if this would work.
You always run into the demo monster. But I got it to the point now where we're ready to actually create the event hook in Okta. And I'll just show you this API call that it's about to make. When you set up event hooks, you tell it the lifecycle, or the events, that you're interested in capturing, and there may be more than this at this point, but we listed a whole bunch of them. So what we're expressing here is that any time any of these events fire within Okta, it's going to reach out to our application and send that event hook along for us to capture and maybe do something with. So I'm going to call the Okta API to set up this event hook. And let's see, I got a 200 response, so that's good; I didn't break anything. And now it gives us this event hook ID. And so, following back here, the next thing that we need to do is to verify that event hook ID. So in my set of environment variables here that come along with this collection, I can set that hook ID. And now when I go to verify it, if we look up here, it's actually using... if you're not familiar with Postman, one of the great things about it is that you can plug in these environment variables, and if they're there, it will use them. And so now we can verify this event hook ID, and now its status is active. So now, for any event that happens, Okta is going to fire off a request to our endpoint and show us information; or, it'll just send the raw event data, and then we do with it whatever we want. And so now if I take this Glitch app that I set up, this app is waiting for events, and so far it hasn't gotten any. But let's see, if I go over to this demo app that we use, I had already authenticated here, but let me go ahead and log out and let me log in once again, and we should now be capturing some events. So I'm going to log in incorrectly, and then I'll log in correctly, and it sends us back to this app. In the meantime, if we jump back over to here, we can see now.
This is the raw data that Okta is sending over to our event hook. So you can see here the latest event was session start. Somewhere in the list here it should have the error that I put in there. Let's see if I can find it. It gives you all kinds of meta information, the geolocation of the request... yeah, here we go: failure, invalid credentials. So you get a ton of information from Okta, and other services like I mentioned earlier, Sumo Logic and others, you can configure to ingest all this data. But if you want to capture this data for whatever reason, you have the ability to. Wow, look at this: Verizon is my provider and it still shows up as MCI Communications. That's right out of the 90s. Anyway, this is how this application renders the JSON that it got from Okta. So all Okta is doing is sending over this JSON data, and then its job is done, and then we have this application that's now rendering that data for us to look at here. And for people that are interested, I did all of this... I mean, you guys were talking for maybe five or seven or eight minutes, and I got all the way over to this point just navigating my way through this application and working with Postman to get everything set up. So it is a handy tool to learn about the Okta API. And I wonder, are we giving... oh yeah, look at this. So if you go to experience dot oktachallenge dot dev, we're actually, through our marketing department, giving away t-shirts and water bottles and stickers and stuff. So you actually can get a prize if you go and play the developer challenge. I know, and we're going to have all sorts of fun hackathon-style things happening soon. I'm really excited to see what the community does with some of these hooks.
I think it's going to be very... I want to see how much automation you can put in this flow to where you don't have to think about it. Maybe you can use Terraform or Pulumi or something like that for some of this as well. I think it'd be super cool to see how people set up some of their monitoring dashboards of, like, this is how much we're seeing, so you don't even have to log in to Okta at all, because you can pull the data into maybe your own database and you can put your own visualizations up. I think there's a lot here that will make you feel really empowered when it comes to that. I know that we have about five or ten more minutes. So what do you think is something that you would like to see people mess around with when it comes to hooks that you haven't seen yet? Well, I'll tell you one thing that I'm working on right now that I want to encourage everybody to do, and that is, I'm writing a little Twilio integration where every time there's an invalid login like I showed, every time that event fires, it's going to send a text message to Brian to let him know that somebody didn't provide the correct credentials. And anybody that wants to take this on, I will gladly provide you with Brian's phone number so that you can have it send him messages also. Just want to put that out there. But seriously, though, I am working on that as a little service: every time somebody has an invalid authentication, it can fire off a text message saying, hey, somebody just tried to log into your app and they failed, like maybe this is something you want to look at. That's pretty... I think if anyone has a really cool, unique idea that you've done, I think you should let us know. Send us an email at, what is it, Okta... what's our developer... you actually put it down here: devrel@okta.com. There you go. Thank you.
And then we'll find a really cool one and we'll send you a t-shirt, or if you have a really great implementation... And yeah, I like to mash up different APIs, make things work together that were never intended to. So I have... phone with that, tweet at Micah, you know, every time you log in, just send them... Yeah, that's right, send me a private message at @afitnerd every time you log in. You can do that with event hooks. Yeah. Oh, please don't do that for me. I already have to mitigate a lot of that stuff. Oh my goodness. Well, thank you, Micah, for showing us this. I think that I had no idea when I joined that Okta even did this. I was curious if this was something that all external auth providers have, is this something that we can do, and I think each one is a little bit unique as to what they offer. But here, it seemed like I just felt like I had way more control as a dev over the whole flow process, I suppose, specifically around checking some of the events. I think those are super cool. Like, I was part of a [inaudible] marketing company for a long time, and so knowing that a user had difficulty with their password or that they had issues logging in, I could actually personalize an email to them, or we could send that, because we have their information on file, we could send them a reminder SMS about how to do things or whatever we wanted to do in that case. You could use Twilio for that, right? I found it to be just a world of possibilities that way that I just didn't see very often. So that's very cool. Thank you so much for showing us that, and Brian for also chiming in on how everything works. Because people who are watching may not know this, but both of you have worked in our engineering department at Okta before you moved over to advocacy, right?
Yeah, I definitely spent three years or so on the Okta engineering team. Right, so if you have any really strong questions about why things are the way they are, these two guys, the other two people on the Twitch stream, are the ones you want to reach out to. So I'm going to go ahead and put my Twitter handle in our chat if you're interested in talking to me. I'm @quorralyne, and you can definitely put yours in as well in case people want to continue the conversation over there. Got it. Awesome. So thank you, and happy hacking. Yes. Yes, happy hacking.
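Editor's added example, after the end of the stream transcript (this is not code shown on the stream, not Okta's code, and not the Glitch app mentioned above). It puts the two hook kinds the speakers contrast into one small, standard-library-only handler: the event hook endpoint answers Okta's one-time verification GET by echoing the X-Okta-Verification-Challenge header, then treats POSTed events as fire-and-forget input and picks out the failed sign-ins (user.session.start with a FAILURE outcome) to build the "somebody failed to log in" alert text from the Twilio idea; the token inline hook endpoint answers with a com.okta.access.patch command that adds claims (the "favorite color" case) from data Okta never stores. Both endpoints require the static Authorization header value you register on the hook and compare it in constant time; the example assumes Okta sends that header on the verification GET as well. HOOK_AUTH_SECRET, demo_lookup and the sample payloads are assumptions constructed for the example, shaped like Okta's payloads but not real captures. Actually sending the SMS is left to the caller so the code runs offline.

```python
# Added example (not from the stream or from Okta): minimal handlers for an
# Okta event hook and a token inline hook, standard library only.
import hmac
import json

# Assumption: the static value you register as the hook's Authorization
# header in Okta; Okta sends it back on every call to the hook endpoint.
HOOK_AUTH_SECRET = "replace-with-a-long-random-secret"


def _authorized(headers):
    # Constant-time compare so a wrong guess is not distinguishable by timing.
    return hmac.compare_digest(headers.get("authorization", ""), HOOK_AUTH_SECRET)


def is_failed_login(event):
    """True for a System Log event that records a failed sign-in attempt."""
    outcome = event.get("outcome") or {}
    return (event.get("eventType") == "user.session.start"
            and outcome.get("result") == "FAILURE")


def failed_login_alert(event):
    """Text of the alert the stream talks about; sending (e.g. via Twilio)
    is left to the caller so this stays offline."""
    actor = event.get("actor") or {}
    client = event.get("client") or {}
    reason = (event.get("outcome") or {}).get("reason", "unknown reason")
    return (f"Failed login for {actor.get('alternateId', '?')} "
            f"from {client.get('ipAddress', '?')} ({reason})")


def handle_event_hook(method, headers, body):
    """Event hook endpoint. Returns (status, response_body).

    GET with X-Okta-Verification-Challenge is the one-time ownership check
    Okta performs when you verify the hook; echo the value back as
    {"verification": ...}. POST delivers events; Okta does not wait on the
    body, so do the cheap part here and queue anything slow."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not _authorized(headers):
        return 401, {"error": "bad hook authorization"}
    if method == "GET":
        challenge = headers.get("x-okta-verification-challenge")
        if challenge is None:
            return 400, {"error": "missing verification challenge"}
        return 200, {"verification": challenge}
    events = json.loads(body).get("data", {}).get("events", [])
    alerts = [failed_login_alert(e) for e in events if is_failed_login(e)]
    return 200, {"alerts": alerts}


def handle_token_hook(headers, body, lookup_profile):
    """Token inline hook endpoint. Returns (status, response_body).

    Okta waits for this one; if it times out Okta issues the default token
    (as described on the stream), so lookup_profile must be fast. The
    response patches extra claims into the access token."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not _authorized(headers):
        return 401, {"error": "bad hook authorization"}
    user = json.loads(body)["data"]["context"]["user"]
    extra = lookup_profile(user["id"])  # your data, never stored in Okta
    ops = [{"op": "add", "path": f"/claims/{name}", "value": value}
           for name, value in extra.items()]
    return 200, {"commands": [{"type": "com.okta.access.patch", "value": ops}]}


# Constructed sample inputs, shaped like Okta's payloads (not real captures).
SAMPLE_EVENTS = json.dumps({"data": {"events": [
    {"eventType": "user.session.start",
     "actor": {"alternateId": "heather@example.com"},
     "client": {"ipAddress": "203.0.113.7"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"eventType": "user.session.start",
     "actor": {"alternateId": "heather@example.com"},
     "client": {"ipAddress": "203.0.113.7"},
     "outcome": {"result": "SUCCESS"}},
]}})

SAMPLE_TOKEN_REQUEST = json.dumps({"data": {"context": {"user": {
    "id": "00u1example", "profile": {"login": "heather@example.com"}}}}})


def demo_lookup(user_id):
    # Assumption: stand-in for the lookup against your own database.
    return {"favoriteColor": "blue"} if user_id == "00u1example" else {}


if __name__ == "__main__":
    ok = {"Authorization": HOOK_AUTH_SECRET}
    print(handle_event_hook("GET", {**ok, "X-Okta-Verification-Challenge": "abc"}, ""))
    print(handle_event_hook("POST", ok, SAMPLE_EVENTS))
    print(handle_token_hook(ok, SAMPLE_TOKEN_REQUEST, demo_lookup))
```

The two handlers differ on purpose: the event hook returns as soon as it has decided what to alert on, because Okta is not waiting on it, while the token hook does its lookup inline and must stay well inside Okta's timeout, since a slow answer silently degrades to the default token rather than failing the login.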