Event Grids: Custom POST property for Event Grid Authentication
The currently recommended method to authenticate an event grid to an external webhook is to add a query string parameter to the webhook URL while defining a subscription.
Since the query string parameter will be sent on the wire along with the URL, it is not encrypted by the TLS channels between the webhook and event grid. This is fundamentally the equivalent of sending a password in the query string.
Furthermore, since the webhook configuration foreseeably will not change frequently, the current option leaves a residual risk that might be too high for some consumers to accept.
I suggest a new option to add a custom event property that can be used for authentication. This option must be made available while defining a webhook event subscription. Since this attribute will be added to the JSON that is sent to the webhook, and since it is sent in the body of the HTTP message, we can leverage all the protections of the TLS channels.
An alternative approach will be to have the authenticator string sent as a header to the third-party webhook.
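
A receiver-side example of the proposal above, added here as an illustration and not part of the original post or of Event Grid itself: the webhook accepts a delivery only if a shared authenticator arrives in a header or as a property on every event in the JSON body. The header name `x-webhook-authenticator`, the property name `authenticator`, and the sample events are assumptions made for this example.

```python
import hmac
import json

# Hypothetical names: neither exists in Event Grid today; they stand in for
# the custom event property and the header the post proposes.
AUTH_PROPERTY = "authenticator"
AUTH_HEADER = "x-webhook-authenticator"


def _matches(candidate, secret: str) -> bool:
    """Constant-time comparison; non-string values never match."""
    if not isinstance(candidate, str):
        return False
    return hmac.compare_digest(candidate.encode(), secret.encode())


def authenticate_delivery(headers: dict, body: bytes, secret: str) -> bool:
    """Accept a delivery only if the header, or every event in the body,
    carries the shared authenticator. A header, when present, decides."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if AUTH_HEADER in lowered:
        return _matches(lowered[AUTH_HEADER], secret)
    try:
        events = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return False
    if isinstance(events, dict):
        events = [events]
    if not isinstance(events, list) or not events:
        return False
    return all(
        isinstance(e, dict) and _matches(e.get(AUTH_PROPERTY), secret)
        for e in events
    )


def strip_authenticator(body: bytes) -> list:
    """Remove the authenticator before events are logged or passed on."""
    events = json.loads(body)
    events = events if isinstance(events, list) else [events]
    return [{k: v for k, v in e.items() if k != AUTH_PROPERTY} for e in events]


# Constructed sample delivery (not captured traffic).
SECRET = "constructed-shared-secret"
SAMPLE = json.dumps([
    {"id": "1", "eventType": "Demo.Created", "data": {"n": 1}, AUTH_PROPERTY: SECRET},
    {"id": "2", "eventType": "Demo.Created", "data": {"n": 2}, AUTH_PROPERTY: SECRET},
]).encode()
```

Call `strip_authenticator` only after `authenticate_delivery` has returned `True`, so the shared value never reaches application logs or downstream consumers.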