Identify user in Zendesk JWT

10 Comments

  • Joseph May

    Hi Roger-
    The Claims Set portion of the JWT should contain the user's email address, but it sounds like you're saying this isn't enough? Am I reading correctly? Would it be possible to perhaps provide some further context here? It sounds like you may be using our signed URLs feature, though clarification would be best.

  • Arnaud Quillaud

    Hello Joseph,

    Roger is talking about the JWT token in the context of a client-side App: https://developer.zendesk.com/apps/docs/developer-guide/using_sdk#encoding-and-sending-json-web-tokens

    We would like to have this JWT token contain a claim that uniquely identifies the logged-in Zendesk user (preferably his email address). We can craft the JWT token from within the App (e.g. by making a call to zafClient.get('currentUser') to get the email address), but that is inherently insecure as everything is happening on the client side: a malicious user could, for example, use the browser debugger to alter the email address value on the fly to impersonate somebody else.

    So we would like to know if there is a way for the Zendesk Proxy to add such an identity-related claim on the server side (e.g. by using some kind of template {{current_user.email}}).

    You indicate that the JWT should contain the user's email address. Is there another kind of token that we could leverage?

    Now for the full context: We would like to have some kind of SSO between Zendesk Support and our Client App, launched from the Zendesk Support.

    One way to do that is for our Client App to make a request against our Authorization Server, passing a verifiable Zendesk JWT token in the request and getting back an access token in return.

    Another way, I guess, is to build a Server Side App and make use of the JWT token that comes with the first request: https://developer.zendesk.com/apps/docs/developer-guide/using_sdk#authenticating-zendesk-in-your-server-side-app. But we would like to avoid a Server Side App.

    We of course welcome any other solution that would satisfy the initial requirement.

  • Joseph May

    Hey Arnaud-
    Thanks for clarifying. I am going to speak with a colleague in order to provide you the best answer. I will be back...

  • Roger Beggs

    Thanks, Joseph. Did you manage to find out anything? This is quite an urgent question for us.

  • Joseph May

    Hi there Roger-

    My colleague in Developer Support is just returning to the office and I want to run it by him, but I think having a server-side component is going to be necessary to accomplish what you're looking to do.

  • Joseph May

    Roger-

    After conferring with my colleague, he confirmed the necessity of a server-side component. This article, Securing your Zendesk App Framework (ZAF) App, outlines the 'signed URLs' feature, which I recommend.

  • Roger Beggs

    Thanks, Joseph.

    We are looking at the server-side component approach now. The JWT that Zendesk provides has a "sub" claim with a URI identifying the user, which seems to include a numeric ID for the user. Does this ID ever change, or is this a stable way we consider the user?

    For example, if we get a JWT with "sub" set to "https://support.zendesk.com/api/v2/users/1000.json", we are planning to provision a user in our system using 1000 as their ID, and then call the Zendesk REST API to get the rest of the user details. Then when they load the application in the future, we will just look them up locally using the same ID. Will that work?

  • Bryan Flynn

    Hi Roger. That ID is stable for the lifetime of that user for that Zendesk instance. Your approach should work.

    Note, however, that user records also have an "external_id" attribute. If you ever need more flexibility in your external system for identifying and tying together user records across Zendesk and your system, this field could also come in handy.

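
The server-side check Roger describes, as an added example that is not part of this thread or of Zendesk's own code: the server verifies the JWT's signature before trusting any claim, then extracts the numeric user ID from the "sub" URL and uses it as the local lookup key. It assumes the token is HS256-signed with the app's shared secret (as the signed-URLs feature does); the secret, claims and host are constructed placeholders, and the regex for "sub" is only as broad as the URL shape shown in the thread.

```python
import base64, hashlib, hmac, json, re, time

# Constructed placeholder; the real value comes from the app's settings.
SHARED_SECRET = b"example-shared-secret-from-app-settings"
# Matches "https://<host>/api/v2/users/<id>.json" and captures the numeric ID.
SUB_RE = re.compile(r"^https://[\w.-]+/api/v2/users/(\d+)\.json$")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; stands in for the one Zendesk POSTs to the signed URL."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def zendesk_user_id(token: str, secret: bytes, now: float = None) -> int:
    """Verify the JWT server-side and return the numeric user ID from 'sub'.
    Raises ValueError on any failure: an unverified claim is never trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; reject 'none' and others
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # a claim edited in the browser lands here
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    m = SUB_RE.match(claims.get("sub", ""))
    if not m:
        raise ValueError("sub is not a Zendesk user URL")
    return int(m.group(1))  # stable per user per instance, so safe as the local key
```

Once the ID is returned, the server can provision or look up the local record and, as Bryan notes, fetch external_id or other details via the REST API using that primary record.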
  • Roger Beggs

    Thanks, Bryan. That external_id attribute won't be available in the JWT that is given to the server-side application, though, will it?

  • Bryan Flynn

    No, but it could be queried once you have the primary record. Just an option that might come in handy at some point to link systems that use different IDs.
