
Enabling JWT single sign-on




Charles Nadeau

Zendesk Documentation Team

Edited Oct 07, 2024



82 comments

Hello, 
Javier DM, could you please create a support ticket for us as well? We have tried switching to POST and so far we have been getting CORS errors. We tried the form approach below, but that did not work either.

var formData = new URLSearchParams();
formData.append('jwt', jwt);
formData.append('return_to', returnTo || 'https://xyz.com/');

// Make a POST request
fetch("xxx", {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: formData.toString() // Convert the form data to a string
})
  .then(response => {
    if (response.ok) {
      // Redirect
      window.location = response.url;
    } else {
      console.error('POST request failed:', response.status, response.statusText);
    }
  });
We have also tried the traditional approach but that does not work either. 
def build_sso_page(action_url, jwt_string):
    # Returns an HTML page that POSTs the JWT to action_url as soon as it loads
    sso_page = (
        '<form id="jwtForm" method="POST" action="'
        + action_url
        + '">'
        + '<input id="jwtInput" type="hidden" name="jwt" value="'
        + jwt_string
        + '" />'
        + "</form>"
        + '<script>window.onload = () => { document.forms["jwtForm"].submit(); };</script>'
    )
    return sso_page

The problem happens only with the switch to a POST request. The GET request is working fine for us. Caroline Kello, would you share some examples of what that POST request is supposed to look like? The GitHub link you shared has old examples.

1
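Added example (not from the thread and not Zendesk's own code): the server-side piece the questions above circle around, in Python with only the standard library. It mints the HS256 JWT, checks return_to against an allowlist before echoing it into the page, and returns the auto-submitting form that the browser POSTs to /access/jwt as a top-level navigation (no fetch(), so no CORS preflight). It also carries a local verifier that recomputes the signature, which is the fastest way to tell a wrong shared secret from a clock problem when Zendesk reports a signature error. ZENDESK_SUBDOMAIN, SHARED_SECRET, the allowlisted hosts, the 120-second freshness bound and the sample user are assumptions of the example; the required claims (iat, jti, name, email) are the ones Zendesk's JWT SSO documentation lists.

```python
import base64
import hashlib
import hmac
import html
import json
import time
import uuid
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Placeholders: real values come from Admin Center (Security > Single sign-on).
ZENDESK_SUBDOMAIN = "yoursubdomain"
SHARED_SECRET = "replace-with-the-shared-secret"
# Assumption: users are only ever sent back to the help center itself.
ALLOWED_RETURN_HOSTS = {f"{ZENDESK_SUBDOMAIN}.zendesk.com"}
REQUIRED_CLAIMS = ("iat", "jti", "name", "email")


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_zendesk_jwt(secret: str, name: str, email: str,
                     external_id: Optional[str] = None, now: Optional[int] = None) -> str:
    """HS256 JWT with the claims Zendesk requires: iat, a unique jti, name, email.
    The jti is fresh per login so a captured token cannot be replayed."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iat": int(time.time()) if now is None else now,
               "jti": uuid.uuid4().hex, "name": name, "email": email}
    if external_id is not None:
        payload["external_id"] = external_id
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_zendesk_jwt(token: str, secret: str, now: Optional[int] = None,
                       max_skew: int = 120) -> Tuple[str, Optional[dict]]:
    """Local check for 'JWT signature invalid': recompute HS256 with the secret you
    believe Zendesk has. Returns ("ok", claims) or (reason, None) for the first
    problem found. max_skew is this example's own freshness bound, not Zendesk's."""
    parts = token.split(".")
    if len(parts) != 3:
        return ("malformed: expected header.payload.signature", None)
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(head_b64))
        claims = json.loads(_unb64url(body_b64))
        given_sig = _unb64url(sig_b64)
    except ValueError:
        return ("malformed: segments are not base64url-encoded JSON", None)
    if header.get("alg") != "HS256":
        return (f"unexpected alg {header.get('alg')!r}; Zendesk uses HS256", None)
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return ("signature mismatch: token was signed with a different shared secret", None)
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return (f"missing required claims: {missing}", None)
    now = int(time.time()) if now is None else now
    if abs(now - int(claims["iat"])) > max_skew:
        return ("iat is far from current time: check clock sync or token reuse", None)
    return ("ok", claims)


def is_safe_return_to(url: str) -> bool:
    """Open-redirect guard for the return_to field: https and an allowlisted host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS


def render_sso_form(token: str, return_to: Optional[str] = None) -> str:
    """HTML the browser submits by itself on load: a top-level form POST, so no
    CORS preflight is involved and the JWT never appears in a URL or access log.
    Values are attribute-escaped so they cannot break out of the input tags."""
    if return_to is not None and not is_safe_return_to(return_to):
        raise ValueError("return_to rejected by allowlist")
    action = f"https://{ZENDESK_SUBDOMAIN}.zendesk.com/access/jwt"
    fields = [f'<input type="hidden" name="jwt" value="{html.escape(token, quote=True)}">']
    if return_to is not None:
        fields.append('<input type="hidden" name="return_to" '
                      f'value="{html.escape(return_to, quote=True)}">')
    return ('<!DOCTYPE html><html><head><meta charset="utf-8"><title>Signing in</title></head>'
            '<body onload="document.forms[0].submit()">'
            f'<form method="post" action="{action}">' + "".join(fields) +
            '<noscript><button type="submit">Continue to the help center</button></noscript>'
            "</form></body></html>")


def sso_response_for(user: dict, return_to: Optional[str] = None) -> str:
    """What the remote login URL returns once the user is authenticated locally."""
    token = mint_zendesk_jwt(SHARED_SECRET, user["name"], user["email"], user.get("id"))
    return render_sso_form(token, return_to)


if __name__ == "__main__":
    # Constructed sample user; print the page a real handler would return.
    print(sso_response_for({"id": "42", "name": "Jane Doe", "email": "jane@example.com"},
                           f"https://{ZENDESK_SUBDOMAIN}.zendesk.com/hc/en-us"))
```

The page is what the remote login URL returns after your own authentication succeeds; the noscript button keeps the flow usable without JavaScript. If Zendesk answers with a signature error, run verify_zendesk_jwt on the exact token you sent with the secret you configured: "signature mismatch" points at the secret (trailing whitespace when copying it is a common cause), "iat is far" points at the server clock.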


Hi Zendesk,

Do you have any examples of a redirect using a POST request as mentioned in the article?

After successfully authenticating the user, redirect the user using a POST request that contains the JWT payload, sent to the following Zendesk endpoint:

https://yoursubdomain.zendesk.com/access/jwt

In our current setup, the server returns HTTP 302 to "/access/jwt" endpoint with a jwt payload in a query string which makes user's browser redirect to "/access/jwt". How do we convert that to "redirect using a POST"?

0



Caroline Kello

Zendesk Product Manager

Folks, we've updated the article with some new examples. Take a look and let us know if it's helpful. 

-3


Hi Caroline,

I am glad you got on the thread and are attempting to provide some solutions. I think there are two lines of thinking here in this thread since the deprecation announcement of the GET method process. I just want to make sure you are aware of it.

There is the one group asking about your run of the mill JWT generation and posting. Your updates appear to address that group. Which is fine.

However there is another group of us who know the process of generating JWT and have systems working fine with it. What we are interested in exploring is an alternate solution to having to submit a POST through some form via JavaScript. (Which the examples you have shown in a previous post suggest). 

Right now our servers authenticate the user and then once passed, have the user redirect via a 301 redirect GET response (or similar) to have the user's browser redirect back to Zendesk. Having to redirect the user to some page with a form on it, embed the JWT data and then submit via JS is just cumbersome. I hope you and your team are exploring alternative solutions to having to do this. I am not sure why we have to host a page just to implement this redirect method and why introduce JS into something that probably doesn't need to be in the flow to begin with.

I know you guys want to achieve keeping the value out of logs and browser history, but we can also set the expiry time on a token to be short (which is good practice) so even if seen, they shouldn't be valid unless used within the expiry time window.

I think many of us are just not sure why the added complexity.

3


Like other people in this thread, we too will have to re-architect our solution to fit with your new requirements.

I get the feeling that the scenario you have in mind is one where the user is visiting a JS SPA and then clicks a link that will redirect them to an authenticated session in Zendesk.

This might be the case for a lot of your customers. Our scenario is quite different. We forward requests to help.ourcompany.com to ourcompany.zendesk.com at the DNS level, and after a couple of redirects the user ends up in an authenticated session in Zendesk.

With your changes we have to make some pretty radical changes, probably turning the thing served at help.ourcompany.com into a mini SPA.

I would like to urge you to reconsider your decision. Or maybe, like some other posters have suggested, make the POST requirement optional. 

0


We are working through Enabling JWT single sign-on migration.

When a user is authenticated, they are successfully logged into the app via the "return_to" param which in our case is https://support.{domain}.com 

When we receive the /access/unauthenticated response, the browser auto-redirects back to our sign-on page. Which is essentially the same as clicking "sign-in", bringing the user back to our remote login URL. 

However, we have no way of knowing if the zendesk authentication failed upon rendering our sign-on page. 

Because we can only submit this POST request as form data, we cannot capture the returned url after the request is made.

As of now, this introduces a loop in our system. Here are network details

4. Auto fetch: https://bitly.com/jwt/authorize (our remote login url)
  - verify user is signed in to our platform via auth cookies, generate jwt token
loops back to 
... continues

Can you please prevent the automatic redirection from https://support.bitly.com/access/unauthenticated to our remote login URL, and instead redirect to the return_url (a URL query param on the unauthenticated response), display an auth error, or provide insight on how to handle this situation?

I've looked through the admin console's single sign-on settings, but there are no configuration changes we can make on our end.

0
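Added example (not from the thread and not Zendesk's own code): one way to break the loop described above from the remote login URL's side, in Python. Nothing in the hop from /access/unauthenticated tells the login page why it was called, so the guard counts SSO attempts per browser session inside a sliding window and, past a threshold, renders a sign-in error instead of minting and re-POSTing another JWT. The session id (taken from the app's own auth cookie), the 60-second window and the two-attempt limit are assumptions of the example.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class SsoLoopGuard:
    """Per-session counter of SSO attempts inside a sliding window. decide()
    returns "post" when the login page should mint a JWT and auto-submit the
    form, and "error" when it should show a sign-in failure page instead."""

    def __init__(self, window_seconds: float = 60.0, max_attempts: int = 2):
        # Assumption: one automatic retry is tolerable; a further bounce inside
        # the window means Zendesk keeps rejecting the session (wrong secret,
        # clock skew, suspended user, ...) and re-POSTing will not help.
        self.window = window_seconds
        self.max_attempts = max_attempts
        # In-memory state covers a single process; share it (for example in a
        # cache keyed by session id) if several workers serve the login URL.
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def decide(self, session_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        attempts = self._attempts[session_id]
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()          # forget attempts outside the window
        if len(attempts) >= self.max_attempts:
            return "error"
        attempts.append(now)
        return "post"

    def reset(self, session_id: str) -> None:
        """Call when the user completes a fresh interactive login on your side."""
        self._attempts.pop(session_id, None)


def handle_remote_login(guard: SsoLoopGuard, session_id: str,
                        now: Optional[float] = None) -> dict:
    """Branch of the remote login URL handler. In the "post" branch a real
    handler mints the JWT and returns the auto-submitting form; here only the
    decision and the user-facing message are returned."""
    if guard.decide(session_id, now) == "post":
        return {"action": "post"}
    return {"action": "error",
            "message": "We could not sign you in to the help center. "
                       "Please try again in a minute or contact support."}


if __name__ == "__main__":
    # Constructed sequence: the same session bouncing three times in a row.
    guard = SsoLoopGuard()
    for t in (0.0, 1.0, 2.0):
        print(handle_remote_login(guard, "session-from-auth-cookie", now=t))
```

Keying on your own session cookie is what makes this safe against a single user hammering the flow without affecting others. Do not key on, or try to detect the bounce through, the Referer header: browsers commonly reduce cross-origin referrers to the bare origin, so /access/unauthenticated may never appear in it.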


Hi Zendesk,

As per your request, we are trying to change our current process of Zendesk single sign-on (SSO) requests to HTTP POST. Please note that while making the HTTP POST call from our C# code to your SSO API "https://{{subdomain}}.zendesk.com/access/jwt", we are getting a 403 Forbidden error.

But we are getting a response while calling this API through Postman. Could you please check on this issue ASAP?

1



Mike DR

Zendesk Customer Care

Hi Alex!
 
As far as I know, that's the normal process for setting up SSO.

0


Hi team, I was able to configure JWT SSO successfully on the web. However, when I load the same web URL in the webview of the app, I run into the invalid_token error. Can you please advise what I should check?

0


Quang Cao, try to decode the JWT here: https://jwt.io/

If the token is valid (assuming it is not expired), you should see the header and payload on the right side of the screen.

0


Test

1


Marco, it appears there was a defect in the webview logic that made a double request. After fixing that, it works.

0


Hi Team,

Recently I have implemented the new POST request for SSO and getting an error below while hitting the API from Postman as well as through the codebase.

 
JWT signature invalid. The signature cannot be verified, check that your tokens match
 
I have tried resetting the shared key. It didn't work for me.

0


Hello team, 

We are moving from GET to POST for the API "https://yoursubdomain.zendesk.com/access/jwt"
and I got this: "<html><body>You are being <a href="myUrl">redirected</a>.</body></html>"

I think the authentication is done as in the technical documentation, but I found that when the URL is redirected it returns to my app again without redirecting to Zendesk.

I got this redirect sequence:


https://yoursubdomain.zendesk.com/hc/en-us/restricted?return_to="myUrl"
https://yoursubdomain.zendesk.com/auth/v2/login/sso?auth_origin=114093984452%2Cfalse%2Ctrue&brand_id=114093984452&locale=en-us

 

I already allowed Single sign-on (SSO) in the Zendesk configuration.
Any help?!

 

 

 

0


To everyone struggling with the POST request requirements, their documentation of the endpoint is not complete.

 

In their docs, they show posting JSON to the /access/jwt endpoint directly, which is actually not an option in HTML/JS as the endpoint does not allow OPTIONS requests so preflight requests will all fail.

 

The endpoint actually accepts data in the standard encoded form format. Their own examples show this. 

 

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Zendesk Login Redirect</title>
  <script>
    window.onload = function() {
      document.getElementById('zendeskLogin').submit();
    }
  </script>
</head>
<body>
  <!-- jwt is required; return_to is optional -->
  <form id="zendeskLogin" method="post" action="<zendesk_login_url>">
    <input type="hidden" id="jwt" name="jwt" value="<token>">
    <input type="hidden" id="return_to" name="return_to" value="<return_to>">
  </form>
</body>
</html>

 

This is a template you can use to substitute in the `zendesk_login_url`, `return_to`, and `token` parameters and return it as HTML to be rendered which will then redirect you to the return_to parameter.

2


Caroline Kello I haven't seen any updates from you or your team about that process of providing a workaround for posting to the endpoint through a form you suggested. Is that something you guys are going to do or not? I am sure a lot of the devs following this thread would be very interested in that solution you proposed to me.

Thanks for following up.

0


Hey Zendesk team!

We are migrating from GET to POST as all here. I was able to make this work even by sending it via the following form:
 

<form method="post" action="https://{YOUR_ZENDESK_SUBDOMAIN}.zendesk.com/access/jwt?jwt={token}" />

 

Meaning, the JWT token is being sent not as a separate field but as an Action URL.

Is it something that will stop working after May 1?

Thanks for the answer!

0


Hello Team,

We are currently in the process of converting from GET to POST with the below endpoint
https://yoursubdomain.zendesk.com/access/jwt.

 

Due to our architectural constraints we cannot submit this from a form; instead we are authenticating from an endpoint when the user tries to access a Zendesk resource (Python).
 

We do get a 403 when I do an automatic redirect using the code below.

aiohttp.ClientSession().post(url, data=json.dumps(data), headers=headers, allow_redirects=True)


We get a 302 when the redirect is set to False:
aiohttp.ClientSession().post(url, data=json.dumps(data), headers=headers, allow_redirects=False)

 

The data looks like this:

{'jwt': 'jwt_token_generated_here'}

Does the 302 mean the user is authenticated? I don't think so, since we cannot access any Zendesk resources.

When I try to access a help desk link it hits the remote login URL set up in the Zendesk admin page. (This means I was not authenticated.)

 

Can you please advise.

 

Ani

 

 

 

0


Thanks to John Mahoney  for your response. I am using classic ASP.NET and didn't realize I needed a solution that worked from the client side. For me the solution was returning a page similar to this where it auto submits the form and triggers the redirect.

The Zendesk-provided github sample would be applicable if the user was submitting a form where the script is written client-side.

0


This solution does not work with Chrome, since it blocks any cross origin form requests and ignores the CSP form-action rule. Has anyone been able to get it work on Chrome?

0


Hi! If an end user is already signed in to my platform, is there a way to automatically authenticate with Zendesk without doing the redirect flow? Specifically, I want to avoid authenticated users going to the Zendesk dashboard and having to click on Sign In (unless they are authenticated).

My current flow is:

1. Authenticate into my platform.
2. Click on a help center link to redirect users to Zendesk.
3. User is not signed in to Zendesk, click sign in.
4. Zendesk sends users back to the platform, auth flow happens.
5. User was signed in to the platform, redirect to Zendesk after auth flow.

What I need is:

1. Authenticate into my platform.
2. Click on a help center link to redirect users to Zendesk.
3. User was authenticated into the platform so it is automatically authenticated into Zendesk without any additional action.

Thanks in advance!
 

0


The phone number is not updated on a Zendesk account even if I set it in the JWT token properly with the Android Messaging SDK.

0

