How does Event Grid + CloudEvents + Webhooks support updating the access_token?


CloudEvents has a webhooks specification for event delivery: HTTP 1.1 Web Hooks for Event Delivery - Version 1.0. Among other things, the CloudEvents Webhooks spec details requirements for webhook validation and authorization. As described in the spec, CloudEvents webhooks authorization methods "lean on the OAuth 2.0 Bearer Token RFC6750 model".

Azure Event Grid supports CloudEvents: Use CloudEvents v1.0 schema with Event Grid

Event Grid's support for webhook authorization is limited to "adding query parameters to the webhook URL when creating an Event Subscription" as described here: Authenticating access to Azure Event Grid resources.

Given that an OAuth bearer token can have a limited lifetime, I therefore need a way to refresh the token. However, as far as I can tell Event Grid provides no mechanism other than hard-coding the token in the query parameter at the time the webhook subscription is defined.

Is my understanding correct? Any recommendations?

EDIT: In this scenario the webhook endpoint is an external endpoint not hosted on Azure. It is a third-party endpoint that simply supports the CloudEvents webhooks specification.


The document mentioned in your question, Authenticate event delivery to webhook endpoints using Azure AD, is not clear enough. It looks like two ways of securing event delivery to the webhook are described (mixed) there.

1. I do recommend using the way described in the first section of this document, namely using AAD to authenticate and authorize Azure Event Grid to deliver events to your webhook endpoint handler.

In this case, the subscription is required to populate the following properties:

azureActiveDirectoryTenantId
azureActiveDirectoryApplicationIdOrUr 

Note that the validation process does not depend on the above properties; in other words, your subscription can be created successfully, but the event will not be delivered to the webhook endpoint due to an AAD authorization error.

In the case when AEG, based on the subscription's TenantId and ApplicationId values, gets the access token (Bearer) from AAD, the event is delivered to the webhook endpoint handler with the access token in the Authorization header.

Now, your subscriber handler has a fresh (valid) access token for its usage.

2. The second way, using a query parameter in the webhook URL address, works like you mentioned. This secret value is hardcoded during the process of creating the subscription and it is not managed (refreshed/updated/etc.) by AEG.
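The receiving side of the first approach, as an added example that is not code from the question, the answer, or Azure's documentation: a minimal CloudEvents webhook handler that answers the abuse-protection handshake (OPTIONS with WebHook-Request-Origin) and, for each delivery, checks the bearer token Event Grid obtained from AAD before accepting the event. Because a fresh token arrives with every delivery, the receiver never refreshes anything; it only validates. Assumptions: the handler is a plain function taking method, headers and body so it runs without a web server; EXPECTED_ISSUER and EXPECTED_AUDIENCE are placeholders for the real tenant and app registration; and signature verification uses HS256 with a constructed shared key as a stand-in for the RS256/JWKS check a real receiver performs against the tenant's published signing keys.

```python
"""CloudEvents webhook receiver with AAD bearer-token checks (added example, constructed values)."""
import base64
import hashlib
import hmac
import json
import time

# Placeholders: replace with the tenant's issuer and the app registration's audience.
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0"
EXPECTED_AUDIENCE = "api://webhook-app-id-placeholder"
# Origin Event Grid presents in the CloudEvents abuse-protection handshake.
ALLOWED_ORIGIN = "eventgrid.azure.net"
# Constructed test key; a real receiver verifies RS256 against the tenant's JWKS instead.
TEST_KEY = b"constructed-test-key-not-for-production"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_token(claims, key=TEST_KEY):
    """Build an HS256 JWT from constructed claims (test helper, stands in for AAD)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def sample_cloudevent_body(event_id):
    """Constructed single CloudEvent in structured JSON mode."""
    return json.dumps({"specversion": "1.0", "type": "example.created",
                       "source": "/constructed/source", "id": event_id}).encode()


def verify_bearer(token, key=TEST_KEY, now=None):
    """Return (ok, reason): signature first, then iss/aud/exp/nbf claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    return True, "ok"


def handle_request(method, headers, body=b"", key=TEST_KEY, now=None):
    """Returns (status, response_headers, accepted_event_ids)."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "OPTIONS":  # abuse-protection handshake per the CloudEvents webhook spec
        origin = h.get("webhook-request-origin")
        if origin != ALLOWED_ORIGIN:
            return 403, {}, []
        return 200, {"WebHook-Allowed-Origin": origin, "WebHook-Allowed-Rate": "120"}, []
    if method != "POST":
        return 405, {}, []
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": "Bearer"}, []
    ok, reason = verify_bearer(auth[len("Bearer "):], key=key, now=now)
    if not ok:  # RFC 6750 style error response; the reason is logged, not trusted from the client
        return 401, {"WWW-Authenticate": f'Bearer error="invalid_token", error_description="{reason}"'}, []
    try:
        events = json.loads(body.decode())
    except ValueError:
        return 400, {}, []
    events = events if isinstance(events, list) else [events]
    required = ("specversion", "type", "source", "id")
    if not all(isinstance(e, dict) and all(k in e for k in required) for e in events):
        return 400, {}, []
    return 200, {}, [e["id"] for e in events]


if __name__ == "__main__":
    tok = make_test_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2000, "nbf": 1000})
    print(handle_request("POST", {"Authorization": "Bearer " + tok}, sample_cloudevent_body("evt-1"), now=1500))
```

The handshake and the token check are deliberately separate: the OPTIONS exchange only proves the endpoint consents to receive from that origin, while the per-delivery bearer check is what ties a given POST to the tenant and app registration named in the subscription. Rejecting on a wrong `alg` before looking at the signature is the check that matters most when the verifier is swapped for a real JWKS-backed one.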