Configuring secrets in event forwarding
In event forwarding, a secret is a resource that represents an authentication credential for another system, allowing for the secure exchange of data. Secrets can only be created within event forwarding properties.
The following secret types are currently supported:
This guide provides a high-level overview of how to configure secrets for an event forwarding (Edge) property in the Experience Platform UI or Data Collection UI.
Prerequisites
This guide assumes that you are already familiar with how to manage resources for tags and event forwarding in the UI, including how to create a data element and an event forwarding rule. See the guide on managing resources if you require an introduction.
You should also have a working understanding of the publishing flow for tags and event forwarding, including how to add resources to a library and install a build onto your website for testing. See the publishing overview for more details.
Create a secret
To create a secret, select Event Forwarding in the left navigation, then open the event forwarding property you want to add the secret under. Next, select Secrets in the left navigation, followed by Create New Secret.
The next screen allows you to configure the details of the secret. In order for a secret to be usable by event forwarding, it must be assigned to an existing environment. If you do not have any environments created for your event forwarding property, see the guide on environments for guidance on how to configure them before continuing.
Under Target Environment, use the dropdown menu to select the environment you want to assign the secret to. Under Secret Name, provide a name for the secret in the context of the environment. This name must be unique across all secrets under the event forwarding property.
A secret can only be assigned to one environment at a time, but you can assign the same credentials to multiple secrets across different environments if you wish. Select Add Environment to add another row to the list.
For each environment you add, you must provide another unique name for the associated secret. If you exhaust all available environments, the Add Environment button will be unavailable.
From here, the steps to create the secret differ depending on the type of secret you are creating. Refer to the subsections below for details:
Token
To create a token secret, select Token from the Type dropdown. In the Token field that appears, provide the credential string that is recognized by the system you are authenticating to. Select Create Secret to save the secret.
HTTP
To create an HTTP secret, select Simple HTTP from the Type dropdown. In the fields that appear below, provide a username and password for the credential before selecting Create Secret to save the secret.
OAuth 2
To create an OAuth 2 secret, select OAuth 2 from the Type dropdown. In the fields that appear below, provide your Client ID and Client Secret, as well as the Token URL for your OAuth integration. The Token URL field in the UI is a concatenation of the authorization server host and the token path.
Under Credential Options, you can provide other credential options such as scope and audience in the form of key-value pairs. To add more key-value pairs, select Add another.
Finally, you can configure the Refresh Offset value for the secret. This represents the number of seconds before the token expiry that the system will perform an automatic refresh. The equivalent time in hours and minutes is displayed to the right of the field and updates automatically as you type.
For example, if the refresh offset is set to the default value of 14400 (four hours) and the access token has an expires_in value of 86400 (24 hours), the system will automatically refresh the secret in 20 hours.
If the refresh offset is set to 28800 (eight hours) and the access token has an expires_in of 36000 (ten hours), the exchange would fail due to the resulting difference being less than four hours.
When finished, select Create Secret to save the secret.
OAuth 2 JWT
To create an OAuth 2 JWT secret, select OAuth 2 JWT from the Type dropdown.
In the fields that appear below, provide your Issuer, Subject, Audience, Custom Claims, and TTL, then select the Algorithm from the dropdown. Next, enter the Private Key Id, as well as the Token URL for your OAuth integration. The Token URL field is not mandatory. If a value is provided, the JWT is exchanged for an access token, and the secret will be refreshed according to the expires_in attribute from the response and the Refresh Offset value. If a value is not provided, the secret pushed to the edge is the JWT itself, and the JWT will be refreshed according to the TTL and Refresh Offset values.
Under Credential Options, you can provide other credential options such as jwt_param in the form of key-value pairs. To add more key-value pairs, select Add another.
Finally, you can configure the Refresh Offset value for the secret. This represents the number of seconds before the token expiry that the system will perform an automatic refresh. The equivalent time in hours and minutes is displayed to the right of the field and updates automatically as you type.
For example, if the refresh offset is set to the default value of 1800 (30 minutes) and the access token has an expires_in value of 3600 (one hour), the system will automatically refresh the secret in one hour.
If the refresh offset is set to 1800 (30 minutes) and the access token has an expires_in of 2700 (45 minutes), the exchange would fail due to the resulting difference being less than 30 minutes.
When finished, select Create Secret to save the secret.
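The Refresh Offset arithmetic from the OAuth 2 and OAuth 2 JWT sections above can be checked before a secret is saved. The following is an added example, not part of the original guide or of Adobe's code: it parses a token endpoint response and reports whether the planned offset leaves a large enough gap between refreshes. The minimum gaps are read from the two failure cases in the text; the function name, the type labels, the sample responses and the choice to reject a non-integer expires_in are assumptions of this example.

```python
import json
from dataclasses import dataclass

# Smallest allowed gap between refreshes, in seconds. Read off the two failure
# cases in the text ("less than four hours" / "less than 30 minutes").
# The dictionary keys are labels chosen for this example.
MIN_REFRESH_GAP = {"oauth2": 4 * 3600, "oauth2-jwt": 30 * 60}


@dataclass
class RefreshPlan:
    ok: bool
    refresh_in: int  # seconds from token issue until the automatic refresh
    reason: str


def plan_refresh(secret_type: str, token_response: str, refresh_offset: int) -> RefreshPlan:
    """Check a token endpoint response body against a planned Refresh Offset."""
    if secret_type not in MIN_REFRESH_GAP:
        raise ValueError(f"unknown secret type: {secret_type!r}")
    try:
        body = json.loads(token_response)
    except json.JSONDecodeError:
        return RefreshPlan(False, 0, "token response is not valid JSON")
    expires_in = body.get("expires_in") if isinstance(body, dict) else None
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        return RefreshPlan(False, 0, "expires_in missing or not a positive integer")
    refresh_in = expires_in - refresh_offset
    if refresh_in < MIN_REFRESH_GAP[secret_type]:
        return RefreshPlan(False, refresh_in, "gap between refreshes is below the minimum")
    return RefreshPlan(True, refresh_in, "ok")


if __name__ == "__main__":
    # Constructed token responses; the access_token values are placeholders.
    samples = [
        ("oauth2", '{"access_token": "PLACEHOLDER", "expires_in": 86400}', 14400),
        ("oauth2", '{"access_token": "PLACEHOLDER", "expires_in": 36000}', 28800),
        ("oauth2-jwt", '{"access_token": "PLACEHOLDER", "expires_in": 2700}', 1800),
        ("oauth2", '{"access_token": "PLACEHOLDER"}', 14400),
    ]
    for secret_type, response, offset in samples:
        print(secret_type, offset, plan_refresh(secret_type, response, offset))
```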
Google OAuth 2
To create a Google OAuth 2 secret, select Google OAuth 2 from the Type dropdown. Under Scopes, select the Google APIs that you want to use this secret to grant access to. The following products are currently supported:
When finished, select Create Secret.
A popover appears informing you that the secret needs to be manually authorized through Google. Select Create & Authorize to continue.
A dialog appears that allows you to enter the credentials for your Google account. Follow the prompts to grant event forwarding access to your data under the selected scope. Once the authorization process is complete, the secret is created.
LinkedIn OAuth 2
To create a LinkedIn OAuth 2 secret, select LinkedIn OAuth 2 from the Type dropdown. Next, select Create Secret.
A popover appears informing you that the secret needs to be manually authorized through LinkedIn. Select Create & Authorize secret with LinkedIn to continue.
A dialog appears prompting you to enter your LinkedIn credentials. Follow the prompts to grant event forwarding access to your data.
Once the authorization process is complete, you are returned to the Secrets tab, where you can see your newly created secret. Here you can see the status of the secret and the date of expiration.
Reauthorize a LinkedIn OAuth 2 secret
IMPORTANT
You are required to reauthorize using your LinkedIn credentials every 365 days. If you do not reauthorize in due time, your secret will not be refreshed, and the LinkedIn conversion requests will fail.
Three months prior to the secret requiring reauthorization, a popup will begin to show when you are navigating any page of the property. Select Click here to go to your secrets.
You are redirected to the Secrets tab. The secrets listed on this page are filtered to show only the secrets that need to be reauthorized. Select Auth Needed for the secret you need to reauthorize.
A dialog appears that prompts you to enter your LinkedIn credentials. Follow the prompts to reauthorize your secret.
Edit a secret
After you have created secrets for a property, you can find them listed in the Secrets workspace. To edit the details of an existing secret, select its name from the list.
The next screen allows you to change the name and credentials for the secret.
Retry a secret exchange
You can retry or refresh a secret exchange from the editing screen. This process varies depending on the type of secret being edited:
Delete a secret
To delete an existing secret in the Secrets workspace, select the checkbox next to its name before selecting Delete.
Using secrets in event forwarding
In order to make use of a secret in event forwarding, you must first create a data element that references the secret itself. After saving the data element, you can include it in event forwarding rules and add those rules to a library, which in turn can be deployed to Adobe’s servers as a build.
When creating the data element, select the Core extension, then select Secret for the data element type. The right panel updates and provides dropdown controls to assign up to three secrets to the data element: one for Development, Staging, and Production respectively.
By assigning multiple secrets to a single data element and including it in a rule, you can have the value of the data element change depending on where the containing library is in the publishing flow.
Next steps
This guide covered how to manage secrets in the UI. For information on how to interact with secrets using the Reactor API, see the secrets endpoint guide.