WebHook - MS Teams and HMAC calculation

Hi All,

I’m trying to receive in n8n an outgoing webhook from my MS TEAMS. This is basically working, but now I would like to secure the process by checking the HMAC. And for the moment I did not succeed.

So In the header sent by Teams, I do receive a HMAC value in the field ‘authorization’ ( equal to: HMAC xxxxxx).
I would like to compare this value with my own calculation of the body part received. I’ve never succeed to have them matched. I think it is link to the way the ‘body’ content is understood in n8n.

My first try was to use this workflow :

I was using JSON.stringify to turn my ‘Body’ into a string. But I guess this is where I do have a difference with what TEAMS have calculated.

So then I 've tried this approach :slight_smile:

I’ve tried to use binary Data, but once again the HMAC calculation by the Crypto module does not match.
I don’t really know how to make this calculation to secure my Teams bebhook ?

Can you point me in the right direction ?
Thank for your advise.

Share the output returned by the last node

Information on your n8n setup

  • n8n version: 1.20
  • Database (default: SQLite): default
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system:

When hashing even changing one character (lke adding "s) will change the entire output. When stringifying JSON it adds quotes around all keys and values.

Also, if this is what you’re trying to do, you need to convert the body to a byte array in UTF8 then do the crypto operation on that, based on the docs

Thanks Liam.
Ok so I might take my second workflow, wait for the Webhook trigger, and keep the raw body box checked.
But then how to convert this raw body to a byte array UTF8 before using crypto module ?
Can I use a Code module with some javascript functions (I still haven t found the function to put inside the code module yet).

Ok I’ve discovered some hints.
I use this website for HMAC calculation : Hash and HMAC calculator

Using that site I can calculate a HMAC that match to what TEAMS has sent in the header:

The base 64 result if ok.

Now I simply use the crypto module as below

So the result in that module is different. I got this output:
secret : 1NA90n3cS6SzPzCM3mEjZbQqtqGiBDE8aVcPs89cPNs=

BUT, if I switch in the HAMC website the secret from Base64 to UTF8:

Finally this is the same result as the crypto module. So I guess that this module is using my secret in UTF8 format instead of base64.
So How can I say to that module that my secret is base64 ?
or maybe I can try to convert this Teams secret from base64 to UTF8 ?

Just a quick UP, if someone has an idea how to calculate that HMAC …

@Jon Could this be a bug in the Base64 encoding of the crypto node?