If you're developing an integration for Zendesk Support, you can use OAuth authentication to let users grant access to Zendesk Support to your integration. If the integration is for only one Zendesk Support instance, you can create a single, subdomain-specific OAuth client in your Zendesk Support instance. This approach is described in Using OAuth authentication with your application.
However, the setup isn't as simple if you're developing an integration for more than one Zendesk Support instance. You'd have to ask a Zendesk Support admin in each instance to create an OAuth client to connect to your service. They'd also have to provide you with their client ids and secrets. Your app would then have to manage the ids and secrets to request access tokens from the correct Zendesk Support instances.
Fortunately, you can request a global OAuth client from Zendesk Support. A global OAuth client is a secure, cleaner way of using OAuth authentication with multiple Zendesk Support instances. The admins in each instance don't have to set up any OAuth clients.
For security reasons, the global OAuth client will not work with the password grant flow.
Do I need a global OAuth client?
Let's say you develop an internal app that pulls data from your company's Zendesk Support instance. Using a local OAuth client is an efficient solution because a Zendesk Support admin -- yourself or maybe a colleague -- can easily create the client in Zendesk Support.
Now suppose you work for a company that makes a CRM integration for multiple customers with their own Zendesk Support instances. You'd prefer not to ask your customers to manually create local OAuth clients in their Zendesk Support instances just to use your product. A global OAuth client is the solution.
Requesting a global OAuth client
-
Develop your app using a local OAuth client in your Zendesk account. Ensure your Unique Identifier is prefixed with the string "zdg-". For example, "zdg-global-unique-identifier".
-
After the app is finished and ready to use across multiple Zendesk Support accounts, submit your request as described below.
Note: Make sure you note down the secret and the identifier before making your request. Otherwise you'll lose access to the client administration page after the local client is converted.
-
Sign in to the Zendesk Developers portal and then select My Account from the menu on the upper-right side.
-
Click OAuth Client Globalization in the left navbar, then complete the request form.
If the request is approved, we'll convert your local OAuth client to a global OAuth client.
If your request is rejected for whatever reason, you can still implement OAuth in your integration using a local OAuth client. You'll need to have each of your customers create a local OAuth client and provide information about the OAuth client before they can connect your service to their Zendesk Support instance.
Frequently asked questions
Why do you need my subdomain even with a global client?
Unlike services like Twitter or Facebook that behave as global authentication systems, Zendesk maintains separate logins for each Zendesk Support account or subdomain. When a customer signs in, they're signing into a specific Zendesk Support subdomain. That carries over to OAuth. When a Zendesk Support account owner uses OAuth to authorize your service, they're authorizing the service for their subdomain. So we need to know the subdomain.
Prompting the user for their Zendesk Support subdomain can still be beautifully simple:
Why can't I edit my global client?
We must take control of the client to make it global. It can only be edited by our Platform Team. If you're having trouble with your global client, contact us for assistance.
6 Comments
Hi Zendesk Team Zendesk @... After I apply for the global client,How should I use this client to authorize user_domain?
How to pass the parameters of the authorization link, and whether the access domain is the user's domain or the global domain, If it is a global domain, how should the user domain be passed to the authorized link
In addition, how is example_prompt.png triggered, and what are the links before and after the trigger?
Thank you very much!
Hi lemon -- I would check out this article: Creating and using OAuth tokens with the API
Setting up a global OAuth client is needed if you're thinking of developing a Zendesk Marketplace app that is used by different customers who each have their own unique Zendesk Support subdomain.
To answer you're question, it's up to you to request the customer's subdomain. In this workflow, it's your third-party/remote service that wants to access the customer's Zendesk instance. If this is the case in the integration that you're considering to write, it would be this remote service that they would be logged into (some sort of admin portal probably) that then asks for their Zendesk subdomain, that then does the OAuth grant flow steps.
In the end, a "global" OAuth client is just another OAuth client -- the advantage is that you don't have to ask each separate customer to set it up -- it's already set up for them. Meaning that this is really just a convenience feature.
Hi!
There is no any submit form now, but a link only:
Is the procedure changed? I can't see how to do it on the page linked, just our already submitted apps.
Hi Михаил! If you already have a global OAuth, you will not see the option to request it. Can you confirm whether or not your subdomain already has this associated with the account?
Hi Greg!
I've already found the solution - the form is here now https://apps.zendesk.com/organization
Great to hear that! I'll put in a note to the documentation team to update that page to include some more detailed instructions as well. Thanks for the update!
Please sign in to leave a comment.