Using OAuth authentication with your application


56 Comments

  • Bryan - Community Manager
    Zendesk Developer Support

    Hi James. This article talks about the general OAuth grant flow for getting an authorization token to access the Zendesk Support product. We don't have any specific guidance if moving from the SalesForce solution you mention, however.

    If you have specific questions related to OAuth and Zendesk, we can work on answering those. Also, if you want to share your use case, maybe some additional information can help.

    0
  • James Lertora

    Hi Bryan,

    Thank you for the quick response!

    We host files for download on an Apache server, but require auth for users. We have links in Zendesk pointing to these resources, but again need to be authenticated. So the link in Zendesk could relate to "First Use" in the diagram above, I think. Any pointers will be helpful. Thanks again.

    0
  • Bryan - Community Manager
    Zendesk Developer Support

    If you're already authenticated into Zendesk Support product's agent interface, clicking on links inside ticket comments that lead to your asset server, that would be one scenario. This article might give a different perspective for that scenario (not necessarily an exact solution for you, but closer to this use case): Using OAuth to authenticate Zendesk API requests in a web app.

    If you're accessing these assets via an Apps framework app, that would be a different scenario and would benefit from secure settings.

    If these points still don't hit the mark James, I suggest reaching out to support@zendesk.com with more details related to your account and use cases and we can dig into more details there. Hope this is at least a step in the right direction.

    0
  • Colin Smith

    Hi, I was hoping to use the client-credentials grant type, but that isn't documented here. Is it supported?

    https://oauth.net/2/grant-types/client-credentials/

    0
  • Bryan - Community Manager
    Zendesk Developer Support

    Hi Colin,

    The OAuth client credentials grant type isn't supported in Zendesk Support.

    Zendesk Chat does support it, however. There are specific setup steps needed. Instructions are here: Implementing an OAuth authorization flow.

    Because there is no "non-agent"/system type user, any token created always belongs to a specific agent or admin. This means any actions made with that token will appear to be done by the user who created the token.

    Hope this helps!

    0
  • Matt Frowe

    Is there any way to style the Zendesk Authorization page (where the user chooses to grant or deny access)?

    0
  • Nicole S.
    Zendesk Community Team

    Hi Matt -

    The Authorization page is not customizable. Several users have requested this, but the product team determined that it was not something they were going to open up for customization at this time.

    1
  • Max McDaniel

    Hi there, struggling to wrap my mind around API/OAuth here. We're evaluating a 3rd party tool integration who is requesting API access. With the understanding that this grants them unlimited access to our Zendesk instance, looking for a way to limit this authentication access. It seems like OAuth may be a possibility, but not clear exactly how it works. 

    Ideally we'd want to provision read-only access to CSAT response data, but permissioning doesn't seem to be that granular. Any thoughts?

    0
  • Bryan - Community Manager
    Zendesk Developer Support

    Hi Max,

    There are a number of ways to authenticate into Zendesk and it's not always clear what they all are and when to use a particular option.

    "API Tokens" (Admin > Channels/API > Settings/Token Access) act as a substitute for passwords. If you know the value of an account's API token and know an email in that account, you can combine the two (john@example.com/token:<tokenvalue>) to act under that particular user. Because they are so flexible, they should really only be used in a secure environment such as a backend server or within a script that has limited access.

    "OAuth Tokens" are generated under a particular user against an "OAuth Client" (Admin > Channels/API > OAuth Clients). Once generated, these always act under the user they were generated under. They should also be protected to some degree as they act as a "key" for that user to get into Zendesk. If an administrator generates a key for themselves, then that key has administrator rights, and so on with agents and end users (each having the respective rights their profile allows for).

    As you noticed, OAuth tokens can have scope as well. Scopes are documented here: https://developer.zendesk.com/rest_api/docs/support/grant_type_tokens#scope. If you want to limit scope and have the access key always be for a particular user, you should use OAuth tokens.

    Scope granularity, however, is not that fine. You may have to find a different way to access only CSAT data in a read-only way.

    Here are a few good articles that talk about authentication, too:
    Having the talk: Am I ready for a more advanced authentication option?
    Creating and using OAuth tokens with the API
    Authentication for API requests
    Generating a new API token

    Hope this helps get you to your next step.

    0
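
The two credential styles contrasted in the reply above, as an added example that is not part of the original thread or Zendesk's own code. It builds the API-token Basic value in the `<email>/token:<tokenvalue>` form and refuses an OAuth token whose granted scope is broader than intended; the token response shape (a space-delimited `scope` field, as in standard OAuth 2.0) and all sample values are assumptions constructed for illustration.

```python
import base64

ALLOWED_SCOPES = {"read"}  # assumption: this integration should only ever read


def api_token_authorization(email: str, api_token: str) -> str:
    """Basic credentials in the '<email>/token:<tokenvalue>' form quoted above."""
    raw = f"{email}/token:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def granted_scopes(token_response: dict) -> set:
    """Scopes the server reports for the token (space-delimited string)."""
    return set(token_response.get("scope", "").split())


def oauth_authorization(token_response: dict, allowed=ALLOWED_SCOPES) -> str:
    """Return a Bearer header value, refusing tokens broader than `allowed`."""
    scopes = granted_scopes(token_response)
    if not scopes:
        raise ValueError("token response carries no scope")
    extra = scopes - set(allowed)
    if extra:
        raise PermissionError(f"token is broader than intended: {sorted(extra)}")
    return "Bearer " + token_response["access_token"]


# Constructed sample token responses (not real tokens).
READ_ONLY = {"access_token": "example-read-token", "token_type": "bearer",
             "scope": "read"}
READ_WRITE = {"access_token": "example-rw-token", "token_type": "bearer",
              "scope": "read write"}

if __name__ == "__main__":
    print(api_token_authorization("john@example.com", "example-api-token"))
    print(oauth_authorization(READ_ONLY))
    try:
        oauth_authorization(READ_WRITE)
    except PermissionError as err:
        print("rejected:", err)
```
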
  • Yogesh Dahake

    Hi Team,

    Does any one of you have client code to make requests to Zendesk to create users and tickets?

    0
  • Bryan - Community Manager
    Zendesk Developer Support

    Hi Yogesh Dahake -- The REST API community area is more focused on questions around general how-to integration questions -- you may have better luck on users sharing sample code:

    https://develop.zendesk.com/hc/en-us/community/topics/360000019807-Zendesk-REST-APIs

    I'd also check out these developer resource links on different ways to create integrations with Zendesk:

    0
  • Harshith Mysore Venkatesh

    I went through all the methods mentioned in the Zendesk portal to set up OAuth authentication, but in every method either a username and password were required or the user is taken to an authentication page to authorize; both are the same thing with a different mode of input. I have a requirement where I have to get an access token or an authorization code with only the following details: client ID, client secret, redirect/callback URI. Can anyone please tell me the possibility of getting one?

    Thanks in advance for your feedback

    0
  • Matteo
    Zendesk Community Team

    Hello Harshith,

    Generally speaking, we want the user to provide a form of authentication in order to get an access token.

    I feel that it would be useful to know more about your use case, if you can expand on that.

    Thank you!

    0
  • Harshith Mysore Venkatesh

    Hi Matteo,

    Thanks for your prompt response. Actually, we had some integration challenges for Zendesk in Matillion, for which we have an ongoing discussion (hopefully it will be resolved). In the meantime we were exploring other possible options such as the "Client Credentials type" of OAuth authentication, as we have a requirement of having a system account rather than an account tied to an individual.

     

    Kind Regards,

    HV

    0
  • Matteo
    Zendesk Community Team

    Hi Harshith,

    No problems at all.

    At the moment, Core API OAuth flows require a user to either authorize via a UI (in the auth code/implicit grant flow) or directly via API in the password grant flow type. I am not aware of any other method you can use to get around this, so I'm afraid what you're looking for is not possible.

    Let me know if there is anything else I can do for you.

    Thanks!

    0
  • lemon

    Hello Charles Nadeau,

    I have a question to confirm with you. After I apply for a global client, how do I use this global client to connect to user_domain?
    1) What is this process like?
    2) How is the domain entered by the user passed to the parameters?

    0
  • Bryan - Community Manager
    Zendesk Developer Support

    Hi lemon -- I replied over in your cross post at https://develop.zendesk.com/hc/en-us/articles/360001074388?page=1#comment_360004834134

    Check that out and see if it answers your question. Depending on what you're doing, you may not even need a global OAuth client.

    0
  • Caye Borreo

    Hi - I've been meaning to implement this in our custom app, but I keep getting this error:

     

    Access to XMLHttpRequest at 'https://<subdomain>.zendesk.com/oauth/tokens' from origin 'http://localhost:8001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

     

    I've tried requesting from localhost and 127.0.0.1 and even from our beta website, but to no avail. May I ask what can be done here or is there some auth restriction I haven't read up on yet?

    0
  • Greg - Community Manager
    Zendesk Developer Support

    Hi Caye! CORS and localhost don't get along very well, but I found a great article explaining how you can work around this! It isn't written by us, but it explains a number of different methods for resolving this.

    0
  • Manan

    Hello Zendesk Community,

    I need my application to log in to Zendesk to create/update tickets. It's basically a daemon application (no user interaction). Can https://developer.zendesk.com/rest_api/docs/chat/auth#client-credentials-grant-type be used for Support endpoints? It says the grant type is experimental; what does that mean? Will this be deprecated soon or have limited support available for all Zendesk APIs?

    Thanks in advance

    0
  • Emile Cohen

    Hello Zendesk,

    I found this article very helpful to get the Auth0 token. However, I need to deploy my application on different subdomains and I do not know the name of those subdomains. It triggers a problem to redirect the user in the flow. Is there a way to work around this?

    Thanks in advance!

    0
  • Bryan - Community Manager
    Zendesk Developer Support

    Hi Emile Cohen. The solution would need to request that subdomain info from the user (either through, say, an input field on a form or some sort of preconfigured setting that your app can get to somehow).

    0
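
One way to handle a user-supplied subdomain safely when starting the flow, as an added example that is not part of the original thread or Zendesk's own code. It assumes the standard `/oauth/authorizations/new` and `/oauth/tokens` endpoints, treats the subdomain as a single DNS label (an assumption, not Zendesk's published rule), and uses a hypothetical `session` dict to bind `state` and the validated subdomain to the callback.

```python
import hmac
import re
import secrets
from urllib.parse import urlencode

# Assumption: a subdomain is one DNS label; dots, slashes, '@' etc. are refused.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def clean_subdomain(user_input: str) -> str:
    """Normalise the form input and reject anything that is not a bare label."""
    label = user_input.strip().lower()
    if not _LABEL.fullmatch(label):
        raise ValueError("not a valid subdomain label")
    return label


def start_flow(user_input, session, client_id, redirect_uri, scope="read"):
    """Build the authorization URL and remember state + subdomain server-side."""
    sub = clean_subdomain(user_input)
    session["state"] = secrets.token_urlsafe(32)
    session["subdomain"] = sub
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
    })
    return f"https://{sub}.zendesk.com/oauth/authorizations/new?{query}"


def token_endpoint(callback_params, session):
    """Check the returned state, then use the subdomain stored at the start."""
    expected = session.pop("state", "")
    got = callback_params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch")
    return f"https://{session['subdomain']}.zendesk.com/oauth/tokens"


if __name__ == "__main__":
    sess = {}  # constructed stand-in for a server-side session
    print(start_flow(" Acme ", sess, "example_client", "https://app.example/cb"))
    print(token_endpoint({"code": "example", "state": sess["state"]}, sess))
```

The token exchange host comes from the session, never from the callback query, so a tampered callback cannot redirect the client secret to another host.
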
  • Greg - Community Manager
    Zendesk Developer Support

    Hi Manan! If you are looking for Support functionality, you can not use the Chat OAuth. You will need to use the Support OAuth, which you can find here.

    0
  • Manan

    Hey Greg - Community Manager, thanks for the response.
    What would be best practice for a daemon app login which requires an application to log in to perform an action in Zendesk? So do you think using the "password" grant_type is ideal for the Support API while using daemon apps?

    0
  • Greg - Community Manager
    Zendesk Developer Support

    That really depends on your situation. Password grant types are useful if there is no user interaction required, but you'll want to ensure that your method of sending and storing the credentials is very secure.

    0
  • Manan

    Thanks Greg - Community Manager for the prompt reply. Security is essential while storing sensitive data.

    Just to note, we were able to use the 'client_credentials' grant type for Support API successfully but since not supported and recommended we will go with alternative routes.

     

     

    0
