diff --git a/orca-web/orca-web.gradle b/orca-web/orca-web.gradle
index 44e97d4aa6..1226a50311 100644
--- a/orca-web/orca-web.gradle
+++ b/orca-web/orca-web.gradle
@@ -94,6 +94,7 @@ dependencies {
   testImplementation("io.strikt:strikt-core")
   testImplementation("io.mockk:mockk")
   testImplementation("org.apache.groovy:groovy-json")
+  testImplementation ("com.squareup.retrofit2:retrofit-mock")
 }
 
 test {
diff --git a/orca-web/src/main/groovy/com/netflix/spinnaker/orca/controllers/OperationsController.groovy b/orca-web/src/main/groovy/com/netflix/spinnaker/orca/controllers/OperationsController.groovy
index d4f48d7f95..57346fd6d4 100644
--- a/orca-web/src/main/groovy/com/netflix/spinnaker/orca/controllers/OperationsController.groovy
+++ b/orca-web/src/main/groovy/com/netflix/spinnaker/orca/controllers/OperationsController.groovy
@@ -23,6 +23,7 @@ import com.netflix.spinnaker.fiat.shared.FiatService
 import com.netflix.spinnaker.fiat.shared.FiatStatus
 import com.netflix.spinnaker.kork.exceptions.ConfigurationException
 import com.netflix.spinnaker.kork.exceptions.SpinnakerException
+import com.netflix.spinnaker.kork.retrofit.Retrofit2SyncCall
 import com.netflix.spinnaker.kork.retrofit.exceptions.SpinnakerHttpException
 import com.netflix.spinnaker.kork.retrofit.exceptions.SpinnakerServerException
 import com.netflix.spinnaker.orca.api.pipeline.models.PipelineExecution
@@ -390,7 +391,7 @@ class OperationsController {
         def userPermissionRoles = [new Role.View(new Role("anonymous"))] as Set<Role.View>
         try {
           String user = AuthenticatedRequest.getSpinnakerUser().orElse("anonymous")
-          UserPermission.View userPermission = fiatService.getUserPermission(user)
+          UserPermission.View userPermission = Retrofit2SyncCall.execute(fiatService.getUserPermission(user))
           userPermissionRoles = userPermission.roles
         } catch (Exception e) {
           log.error("Unable to determine roles for current user, falling back to 'anonymous'", e)
diff --git a/orca-web/src/test/groovy/com/netflix/spinnaker/orca/controllers/OperationsControllerSpec.groovy b/orca-web/src/test/groovy/com/netflix/spinnaker/orca/controllers/OperationsControllerSpec.groovy
index 8dd6c1b444..0cbad2e2eb 100644
--- a/orca-web/src/test/groovy/com/netflix/spinnaker/orca/controllers/OperationsControllerSpec.groovy
+++ b/orca-web/src/test/groovy/com/netflix/spinnaker/orca/controllers/OperationsControllerSpec.groovy
@@ -48,6 +48,7 @@ import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpMethod
 import org.springframework.http.MediaType
 import org.springframework.test.web.servlet.setup.MockMvcBuilders
+import retrofit2.mock.Calls
 import rx.Observable
 import spock.lang.Specification
 import spock.lang.Subject
@@ -682,7 +683,7 @@ class OperationsControllerSpec extends Specification {
     def role = new Role().setName("some-role")
     def permission = new UserPermission().setId("foo").setAccounts([account] as Set).setRoles([role] as Set)
 
-    fiatService.getUserPermission(*_) >> permission.getView()
+    fiatService.getUserPermission(*_) >> Calls.response(permission.getView())
 
     when:
     def preconfiguredWebhooks = controller.preconfiguredWebhooks()
diff --git a/orca-webhook/orca-webhook.gradle b/orca-webhook/orca-webhook.gradle
index f4497c0268..f11388dafa 100644
--- a/orca-webhook/orca-webhook.gradle
+++ b/orca-webhook/orca-webhook.gradle
@@ -21,6 +21,7 @@ dependencies {
   implementation(project(":orca-core"))
   implementation(project(":orca-api"))
   implementation("io.spinnaker.kork:kork-core")
+  implementation("io.spinnaker.kork:kork-retrofit")
   implementation("io.spinnaker.kork:kork-web")
   implementation("org.springframework.boot:spring-boot-autoconfigure")
   compileOnly("org.projectlombok:lombok")
diff --git a/orca-webhook/src/main/java/com/netflix/spinnaker/orca/webhook/pipeline/PreconfiguredWebhookStage.java b/orca-webhook/src/main/java/com/netflix/spinnaker/orca/webhook/pipeline/PreconfiguredWebhookStage.java
index 2241957ed9..60da10f39c 100644
--- a/orca-webhook/src/main/java/com/netflix/spinnaker/orca/webhook/pipeline/PreconfiguredWebhookStage.java
+++ b/orca-webhook/src/main/java/com/netflix/spinnaker/orca/webhook/pipeline/PreconfiguredWebhookStage.java
@@ -19,6 +19,7 @@
 
 import com.netflix.spinnaker.fiat.shared.FiatService;
 import com.netflix.spinnaker.kork.exceptions.SystemException;
+import com.netflix.spinnaker.kork.retrofit.Retrofit2SyncCall;
 import com.netflix.spinnaker.orca.api.pipeline.graph.TaskNode;
 import com.netflix.spinnaker.orca.api.pipeline.models.StageExecution;
 import com.netflix.spinnaker.orca.webhook.config.WebhookProperties.PreconfiguredWebhook;
@@ -70,7 +71,7 @@ public void taskGraph(@Nonnull StageExecution stage, @Nonnull TaskNode.Builder b
     var permissions = preconfiguredWebhook.getPermissions();
     if (permissions != null && !permissions.isEmpty()) {
       String user = AuthenticatedRequest.getSpinnakerUser().orElse("anonymous");
-      var userPermission = fiatService.getUserPermission(user);
+      var userPermission = Retrofit2SyncCall.execute(fiatService.getUserPermission(user));
 
       boolean isAllowed = preconfiguredWebhook.isAllowed("WRITE", userPermission.getRoles());
       if (!isAllowed) {