
I've secured my Orion (as a backend, using Keycloak and Kong), and now I can manage entities and subscriptions through authentication (token).

My question now is: how can I also secure the (subscription) notifications?

In other words, how can my server trust the notification payload sent by Orion? I was thinking of using custom notifications or adopting HTTPS. Could you point me to the right solution? Thanks a lot.

pasquy73

2 Answers


By default, Orion propagates the fiware-service, fiware-servicepath and x-auth-token headers of any given update request to any notification triggered by that update.

If that mechanism doesn't suffice, your idea of using custom notifications to add other notification headers (or URL query parameters, or whatever your notification receiver uses to authenticate) is valid. You may find the example included in this documentation section interesting; it shows how to use a custom notification to add an Authorization header.

fgalan
  • Thank you. It worked. I'm using the Update Entity (with my fiware header and the x-auth-token) and I can get the x-auth-token header in the notification. – pasquy73 Dec 20 '22 at 11:45
  • If you find my answer ok, please tick it as valid. It is not to feed my ego :) but to help other people by showing it is a correct solution to the issue. – fgalan Dec 20 '22 at 14:37
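As an added illustration of the custom-notification approach in the answer above (example code, not from Orion or the answer's author): an NGSIv2 subscription whose httpCustom block attaches an Authorization header, and the matching receiver-side check that accepts only notifications carrying that value. The receiver URL and the bearer value are constructed placeholders; the check identifies the subscription that produced the notification, it does not replace HTTPS on the receiver.

```python
import hmac
import json

# Constructed shared secret between the subscription and the receiver (placeholder).
# In a real deployment it comes from a secret store, not from source code.
WEBHOOK_SECRET = "example-notification-secret"


def build_subscription(receiver_url: str, secret: str) -> dict:
    """NGSIv2 subscription using httpCustom to add an Authorization header.

    Orion copies the headers listed under httpCustom into every notification
    sent for this subscription, so the receiver can recognise them.
    """
    return {
        "description": "Room temperature notifications with receiver-side auth",
        "subject": {
            "entities": [{"idPattern": ".*", "type": "Room"}],
            "condition": {"attrs": ["temperature"]},
        },
        "notification": {
            "httpCustom": {
                "url": receiver_url,
                "headers": {"Authorization": f"Bearer {secret}"},
            },
            "attrs": ["temperature"],
        },
    }


def is_authorized_notification(headers: dict, secret: str) -> bool:
    """Receiver-side check: accept only notifications with the expected bearer value.

    Header names are matched case-insensitively (HTTP headers are), and the
    comparison is constant-time so timing differences do not leak the secret.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token, secret)


if __name__ == "__main__":
    sub = build_subscription("https://receiver.example/notify", WEBHOOK_SECRET)
    print(json.dumps(sub, indent=2))
    # Constructed headers as Orion would send them for this subscription
    sent = {"Content-Type": "application/json", "Authorization": f"Bearer {WEBHOOK_SECRET}"}
    print(is_authorized_notification(sent, WEBHOOK_SECRET))  # True
    print(is_authorized_notification({"Content-Type": "application/json"}, WEBHOOK_SECRET))  # False
```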

The token thing is not very robust, as a token might already have been revoked or be outdated when the notification comes through.

Ideally Orion should authenticate itself against your Webhook when notifying data. Also it should verify the TLS connection so that it matches the one registered when creating the subscription. Mutual TLS would be ideal.

It could also sign the notification payloads so that you can verify its authenticity.

  • Thank you Jose, do you have some example or configuration? – pasquy73 Dec 20 '22 at 15:46
  • I would like to try to sign the Orion notification payload (as Jose Manuel Cantera suggested). I'm looking for it in the documentation, but I didn't find an example or workaround. Could you suggest how to do it? Thanks – pasquy73 Jan 11 '23 at 08:09