Using OAuth authentication with your application

21 Comments

  • Seven Zhang

    Thank you very much.

    0
  • Aditya Verma

    My application supports only OAuth 1.0. Will I be able to use OAuth authentication with Zendesk?

    Regards,
    Aditya

    0
  • Bryan Flynn

    Hi Aditya -- The OAuth 2.0 flows mentioned above are the ones Zendesk supports.

    Along with this article, here's some more background info on the supported OAuth 2.0 options: https://support.zendesk.com/hc/en-us/articles/203663426-Having-the-talk-Am-I-ready-for-a-more-advanced-authentication-option

    Hope this helps!

    0
  • Jens Holmer

    Hi There, 

    First of all, it's a pretty good guide. Making the OAuth flow work with the example from Implicit Grant Flow was very easy :)

    However, I'd like to use the Authorization Code grant flow instead. So I followed your steps and I am getting the authorization code from the query parameter code just fine. But when I run the provided curl snippet or XHR to the token endpoint, I get the error invalid_client with the error description "The client identifier provided is invalid, the client failed to authenticate, the client did not include its credentials, provided multiple client credentials, or used unsupported credentials type".

    I've been checking my provided credentials over and over, since that would be the obvious place for my issue. I've also tried to regenerate the client_secret and then granting a new code to try with, but I am having no luck.

    Just in case my body is: 

    {
    "grant_type": "authorization_code",
    "code": "8d535c<....>",
    "client_id": "50789",
    "client_secret": "c4497<...>",
    "redirect_uri": "http://localhost:8080",
    "scope": "read"
    }

    Any help will be highly appreciated :)

    0
  • Bryan Flynn

    Hi Jens -- try setting client_id to the "Unique Identifier" value in your Zendesk's Admin > API > OAuth Clients dialog -- should look something like this (although 'test_oauth_client' will be a different value in your case):

    For this particular API call, the numeric ID of your client_id is not the value you want to pass -- you want to pass the alpha-numeric OAuth client value. Let me know how this works.

    1
  • Jens Holmer

    It works!! Great, thanks a lot. I believe I had tested that before. Might've been using the wrong redirect along with it, since someone had changed it because we didn't notice that it was possible to add more with newlines :).

    Have a nice day.

    0
  • Nicole - Community Manager

    Glad to hear you got things working, Jens! 

    Also, I see that this is your first post - Welcome to the Zendesk Community! I encourage you to head over to the Introductions thread in The Lounge to introduce yourself to everyone and familiarize yourself with our Community Guidelines.

    We look forward to seeing you around the Community. Happy Zendesking!

    0
  • Jens Holmer

    Thanks Nicole,

    I've actually worked 5+ years now with Zendesk - Jens is just an "incognito" profile. It offers a great API.

    What I am/was trying to do is to make customers authorize without having their access_token exposed, and that works now :)

    I am still puzzling over 2 things though. I can't seem to find any information about what the authenticity_token is for? And I can't seem to find a way to retrieve a refresh_token?

    0
  • Bryan Flynn

    Hi Jens -- the authenticity_token is useful if, say, you're in the Help Center and want to do AJAX calls back into Zendesk. It basically is a CSRF token that you can use on subsequent calls. If you don't have it, even though you're authenticated, you'll get a 403. You should be able to do something like this (get the token, then use it in a subsequent call):

    $.ajax('/api/v2/users/me.json').then(function(response){
      // The current user's record carries the CSRF token for this session
      var token = response.user.authenticity_token;
      console.log(token);
      $.ajax({
        url: '/api/v2/community/posts/1150007/up.json',
        type: "POST",
        dataType: "json",                 // jQuery expects a format name here, not a MIME type
        contentType: "application/json",  // the request body (if any) is JSON
        headers: {
          "X-CSRF-Token": token           // without this header the call returns 403
        }
      }).then(function(res){console.log(res)});
    });

    Know that a user already needs to be authenticated to use this technique. The Apps framework doesn't need this technique because the framework maintains the integrity of the session when making client.request calls.

    As far as OAuth refresh tokens go, Zendesk currently doesn't support those. Once you have a token, it doesn't expire unless explicitly revoked.

    0
  • Andrew Paugh

    The OAuth flow is working in my application, but there is one small issue that I've run into with our flow sometimes.

    The /oauth/authorizations/new page seems to cache credentials, so that if I redirect to it after a user has already authenticated, it immediately redirects to my callback rather than displaying the login form. This is not desired for my scenario because I do want to give my users the opportunity to log in to a different Zendesk account. (Though this scenario is relatively rare)

    Is there any parameter I can pass to /oauth/authorizations/new to not use the cached session? Essentially I just want it to load the login prompt every time instead of letting users "stay signed in". If the user clears their cookies then they'll see the login prompt again, but I'm wondering if there is anything that our application can control.

    0
  • Bryan Flynn

    Hi Andrew.

    The /oauth/authorizations/new endpoint is just for 'authorization' not 'authentication', so there are no explicit options to manage logins.

    However, doing an explicit logout before you call the /oauth/authorizations/new endpoint should do it. Something like:

    window.location.href = 'https://yoursubdomain.zendesk.com/access/logout';

    0
  • jonathan szigethy

    I'm currently experiencing issues with this curl query.

    curl https://domain.zendesk.com/oauth/tokens \
    -H "Content-Type: application/json" \
    -d '{"grant_type": "authorization_code", "code": "0f9c9c141a8cd5fcbb1483e05cbaa7d35d1f7a44a45477954bd38e1330df6909",
    "client_id": "zendesk_auth", "client_secret": "secretklæfdflæhkdfklæhlædfkhlæsecret",
    "redirect_uri": "https://localhost:9000/tokens/exchange-token", "scope": "read" }' \
    -X POST

    response:

    {"error":"Couldn't authenticate you"}

    I've triple-checked the secret, code, client id, redirect_uri and permissions.

    I can't find any reason for this :)

    I can access the correct JSON response with the following URL, but only from a browser with the shared_sessions cookie.

    https://domain.zendesk.com/api/v2/oauth/tokens?grant_type=authorization_code&code=258fb8a8743928ae0eff68cd54c9a2e24c032139cf49f15980dca792673e844c&client_id=zendesk_auth&client_secret=secretklæfdflæhkdfklæhlædfkhlæsecret&redirect_uri=https://localhost:9000/tokens/exchange-token&scope=read

    Does anyone know this issue, or am I doing something wrong?

    Thanks in advance!

    0
  • Bryan Flynn

    Hi Jonathan,

    My guess is that your authorization code is invalid in some way -- i.e. it's already been used (so expired), or was created and has gone stale (authorization codes should not last forever).

    I would go back, generate a new authorization code value, and use it right away. Let us know how that goes. If you're still having problems, I would submit a ticket to support@zendesk.com, so we can dive deeper into the issue with your particular environment.

    0
  • jonathan szigethy

    Hi Bryan,

    Thank you for your response!

    It doesn't seem that the code is the issue here. It's my authServiceApp that handles the requests/responses, and it retrieves a new authorization code every time, but still receives the Unauthorized response.

    As far as I can read from the API documentation, it should not be handling cookies in the requests as well? The reason I am asking is that my browser, with my current session cookie, can easily access the correct JSON from the same type of request.

    0
  • Bryan Flynn

    Hi Jonathan. In that case, please open a ticket with support@zendesk.com and we can diagnose your particular account and workflow more closely. This is a general-use how-to article, so is not going to be the best place to figure this particular situation out. Thanks!

    0
  • jonathan szigethy

    Hey Bryan.

    Thank you for your help!

    I'll continue the investigation :)

    0
  • Lucas Crostarosa

    When going to production, how can my server capture the subdomain of the incoming request for a Global oAuth Token?

    0
  • Nhia Lor

    Hi Lucas,

    The process of capturing the subdomain is something that you'll need to develop and implement yourself as part of your user authentication workflow. It can be a simple form/field to prompt and capture this information so that it can be used to construct the URL of the request.

    You can also find some additional documentation and user discussions of this in our article here - https://develop.zendesk.com/hc/en-us/articles/360001074388-Requesting-a-global-OAuth-client-for-a-Zendesk-Support-integration

    Hope this helps!

    1
  • Dru Kepple

    Is it possible to be a little more generic with the redirect URIs? I'd like to do something like a wildcard with `https://developers.hp.com/*` so I can allow any page that starts with that domain. We have lots and lots of individual pages, and rather than redirecting users to some generic home page, or listing every single possible page out in the OAuth settings, it would be great to just say "hey, this domain is cool," and have it work as long as I redirect users to that domain, regardless of the actual page/path.

    0
  • Raffaele Guasco

    Hi, I can't follow steps 2 and 3 in my Java application.

    After the 1st step, I give the grant as the second step describes.

    I saw the code in the URL in the browser at the redirect URL, but only for 1 second. How can I retrieve that value in Java?

    For the third step, where do I find the response with those parameters?

    After the second step in the browser, I don't return to my Java application.

    How do I do it?

    I'm struggling to implement this authentication, but I need more specific tips to implement that.

    Can someone give me more details?

    Many thanks.

    0
  • Bryan Flynn

    Hi guys. I just saw these posts. Hopefully you find these answers still helpful...

    @Dru -- Because of the security design around OAuth, the redirect URL(s) defined in the OAuth client can't be wildcards. By maintaining very strict, known redirects, redirects to unexpected, possibly malicious web sites are avoided. You can, however, enter more than one redirect URL in your client and indicate the one you want to use in your grant flow.

    @Raffaele -- Implementing OAuth grant flows is not trivial. Your technology stack (what kind of backend server you're running, the primary language, and other factors) can add to the learning curve. Because of all that, helping debug and write an authorization grant flow is beyond the scope here. There are resources out there that might help, however. I would look at this or similar resources (keyword search on Java, OAuth, authorization code grant flow, ...) to familiarize yourself more with all the steps and details to consider: OAuth 2.0 clients in Java programming.

    Hope these points help at least to some degree. Regards.

    0
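    One way to wire the client side of these steps together, as an added example that is not code from the article, from any commenter, or from Zendesk: it serves Jens's invalid_client thread (client_id is the alphanumeric identifier), Raffaele's question about where the code turns up after the grant, and Bryan's point that redirect URLs are matched exactly rather than by wildcard. It assumes a constructed subdomain (`yoursubdomain`), a constructed list of registered redirect URLs, a caller-supplied random `state` value, and the hypothetical function names below; only the endpoints, the scope `read` and the identifier `test_oauth_client` come from the comments above.

```javascript
// Added example, not Zendesk's own code: the authorization code grant steps
// this thread discusses, as pure functions that can be checked offline.
// Endpoints, the scope "read" and the client identifier come from the comments
// above; the subdomain, registered redirect list and state value are constructed.

// Exact comparison of scheme, host, port, path and query after URL
// normalisation. No prefix or wildcard matching, which is the constraint
// Bryan describes: a redirect to any other host or path is refused.
function isRegisteredRedirect(candidate, registered) {
  let c;
  try { c = new URL(candidate); } catch (e) { return false; }
  return registered.some(r => new URL(r).href === c.href);
}

// Authorization request: the URL the user is sent to. client_id is the alphanumeric
// "Unique Identifier" from Admin > API > OAuth Clients, not the numeric id (Jens's
// invalid_client cause). state is a per-session random value, standard OAuth 2.0.
function buildAuthorizeUrl(subdomain, clientId, redirectUri, registered, state) {
  if (!isRegisteredRedirect(redirectUri, registered)) {
    throw new Error('redirect_uri is not one of the registered redirect URLs');
  }
  const u = new URL(`https://${subdomain}.zendesk.com/oauth/authorizations/new`);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', 'read');
  u.searchParams.set('state', state);
  return u.href;
}

// Grant and callback: after the grant the browser lands on redirect_uri?code=..&state=..
// A listener on the redirect (a small HTTP server on http://localhost:8080 for a
// desktop app) receives that URL; reject it if state does not match.
function parseCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get('error')) throw new Error('authorization failed: ' + p.get('error'));
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  const code = p.get('code');
  if (!code) throw new Error('no authorization code in callback');
  return code;
}

// Token exchange: JSON body for POST /oauth/tokens. redirect_uri must be the exact
// value used in the authorization request, and the code is single-use, so use it right away.
function tokenRequestBody(clientId, clientSecret, code, redirectUri) {
  return JSON.stringify({ grant_type: 'authorization_code', code,
    client_id: clientId, client_secret: clientSecret,
    redirect_uri: redirectUri, scope: 'read' });
}
```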
