Update, January 25th, 2022: End user authentication is now available for all Zendesk customers who have messaging enabled. Detailed support documentation is listed below:
- For Zendesk Admins implementing end user authentication, a detailed guide can be found here.
- For the developers of Zendesk customers, detailed developer documentation can be found here.
- For Zendesk Agents, this guide can explain the impacts on the agents' experience.
Introduction
For many of our customers, an important part of a customer service experience is the ability to be able to verify the identity of a user and to be able to reflect that verified user's identity to their support agents. Authentication enables agents to be assured of the identity of the person who they are communicating with, which in turn can enable them to make decisions on next actions in the conversation, or to share sensitive information which may help to progress a support case.
Zendesk is aiming to deliver end user authentication for all Zendesk customers that have messaging and Agent Workspace enabled in January, 2022. If you are a business planning on implementing end user authentication for messaging, or require end user authentication functionality in messaging in order to use the product, we have provided a high level summary below on how authentication in messaging will work, and give you some guidance as to what will be needed in order to set up authentication on your website or mobile apps.
In January, we will release more detailed admin documentation to describe the changes to Admin Center, as well as detailed developer documentation that will define the steps that your developer will need to execute.
How end user authentication will work
Key concepts
End user authentication is quite straight forward, but there are a number of key concepts that Zendesk Admins and your developer should be aware of:
- JSON Web Tokens (JWT) for authentication. Zendesk uses JSON Web Tokens (JWT) for authentication in messaging. For a deep dive on JWTs, jwt.io is an excellent resource. Zendesk uses signed tokens that verify the integrity of the claims contained within them.
- The signing key. Your Zendesk Admin will need to create a signing key in Admin Center (illustrated below) that your developer will be able to use to sign the JWT with whenever it's required. The creation of the signing key will be a straightforward process in Admin Center. We will provide detailed instructions for your Zendesk Admin on the management of signing keys with the release of authentication.
- A unique user identifier. An externalId is a string that can have any value you like, but must be unique within a given Zendesk brand. Examples of externalIds include usernames, GUIDs, or any existing ID from your own user directory. The externalId should map to a unique identity in your existing user directory. The externalId should always reference an external entity; in other words you should not reuse any id that was assigned by Zendesk as an externalId. When choosing an externalId you should also ideally avoid using user properties that change, like a phone number.
- Users' name and email address. Your business will be able to send the users' name and/or email in the JWT payload at authentication time, but it is not necessary to do so. All Zendesk needs to authenticate your user is a unique user identifier in the signed JWT payload. Including the name or email may assist your support agent in communication with your user however, as this information will be reflected in Agent Workspace.
NOTE: If the email address is not used as the unique user identifier, the email address will not be displayed in Agent Workspace initially. This is a limitation of the product that we are working to remove. See the Product Constraints section below for more information.
How these concepts work together
The first step is for your Zendesk Admin to create the signing key in Admin Center, and provide this key (which will contain a secret) to your developer. Your developer will then need to implement a service on your business' back-end that can create the signed JWT and return this to your website or mobile app when requested (steps 1 and 2 below). Any time your user is logged in to your website or app, your developer will need to call an equivalent login API which will be provided in both the Zendesk Web Widget and the Mobile SDKs. At login time, the JWT will be passed to Zendesk in order to verify the claimed identity of the user (step 3 below).
Once this is complete, the user is authenticated and their identity has been verified with Zendesk, the user will not be prompted to provide their name or email address when being transferred to an agent. The user will appear as verified in Agent Workspace (as illustrated below). If the user was already engaged in a conversation with an agent prior to being authenticated, their conversation with the support agent will not be interrupted.
Product constraints
There are two important product constraints that will remain with this rollout of end user authentication in messaging:
- Guide articles that require user authentication will not be accessible. We will be required to make additional improvements to the messaging product in 2022 to enable users to view Guide articles that require user authentication. Guide articles that require authentication will not be available to users initially, even if they are authenticated. Articles that do not require user authentication are not impacted.
- Email addresses in Agent Workspace. The email address of the end user will not be visible in Agent Workspace initially. This is also a limitation that we will be actively working to remove in 2022. We would encourage businesses who wish to view the user’s email address in Agent Workspace to include this data in the JWT payload in order to prevent future development once this limitation is removed, but it is not necessary.
Planning the set up of end user authentication
There are three distinct pieces of work that you will need to plan in order to implement authentication via the Zendesk Web Widget and/or the Mobile SDKs.
1. Creating the signing key
Creating the signing key in the Admin Center will be a straightforward task. We will provide a guide for your Zendesk admin with the release of authentication in order to support your admin in this initiative.
2. Creating a back-end service to create and sign the JWT
The creation of a back-end service to create and sign the JWTs will require more effort, and you should ask your developers to estimate the effort for this activity. You should allow additional time for processes such as internal security audits, and data management reviews. We will provide a detailed developer document with the release of authentication in order to support your developers in this initiative.
3. Implement authentication in the Zendesk Web Widget or Mobile SDKs
Assuming that you have already migrated to messaging, on each client platform that you support, your developer will need to implement a call to the new login and logout APIs that Zendesk will provide for each client platform. We will provide a detailed developer document with the release of authentication in order to support your developer in this initiative. If you have not yet migrated to messaging, you should complete this migration in advance of setting up end user authentication.
Next steps
Businesses planning to implement authentication for the Zendesk Web Widget or Mobile SDKs at the beginning of 2022 should plan to allow effort to complete the above tasks once the authentication release is available in January. Once the release is available, it will be announced in Zendesk's monthly marketing email, and will be communicated in the release notes for the Zendesk Web Widget and Mobile SDKs. If you encounter any issues in setting up authentication, we'll be happy to support you on Zendesk Community, or through a dedicated support ticket.
16 Comments
That's exciting news! for our case knowing the user is critical - we must be sure the users are properly authenticated and we can do critical changes on their behalf.
Regarding the agent experience, will be, that every user comment will have an "authenticated" badge? Will it be possible to configure different workflows/views for authenticated/non authenticated users. Will it be possible to receive authenticated status via API?
Hi Антон!
Correct. Each comment that is posted by the user, while they are authenticated, will have a badge. Not comments posted before they became authenticated.
In regards to the end-user experience, we will be bringing more conditional to the Flow Builder in the future around conditions such as the authentication state of the users. This won't be possible initially. From the agent workflow point of view, the authentication badge will be the only change for how.
We won't be providing client-side APIs to check if authentication status in the Web Widget or mobile SDK, but please let me know if this would be useful moving forward. You could potentially use the Sunshine Conversations API to retrieve user information including the authentication status, as all you need to the unique user identifier (and API access of course).
Thank you for building this functionality. It is really needed.
Haven't different Flow Builder experience is huge benefit for an authenticated user. We would use that once it becomes available.
Will this authenticated user concept be able to be used in conjunction with future product releases with having integrated call-back requests within Messenger? I know that is on the roadmap, I just don't know when.
Do you mind explaining your use case in a little more detail here please? Sorry for the delaying response.
Sure. If we have an authenticated user, I would want to provide a dynamic flow to have the ability to schedule a call-back request. If they are not authenticated within our system, then the flow would have a slight variation and they could not schedule a call-back request.
Yes, this type of conditionality in FlowBuilder is on our roadmap as a high priority, but I can't give specific dates at this point in time. If you implement end-user authentication (once it's releases in the coming days), you'll be able to leverage this user state (authenticated / not authenticated) for this type of dynamic flow once it is available.
Hi Mick! Has this feature already been released? Do we have an estimate for when it will be rolled out? We are implementing Zendesk right now in our company and would love to implement it with Messaging.
Thank you!
Hi Lúcia Mees,
Jumping in for Mick here. End user authentication for messaging has now been released (as of January 25th). More info can be found here.
- Miranda.
Hi team,
We are just getting started with ZenDesk and just implemented end user authentication. We are noticing that our end users that chat in to us come in completely blank user profiles besides their name.
We have done bulk upload of our users and we were expecting the chats to get associated based on external_id. Is there another way to do this? Otherwise the agents aren't sure about which organization they are talking to and the end user cant see their chat in the help center.
Separately we also see the chat constantly asking for the user's name even though we have logged them in and we see the call is successful from the smooch apis. Any advice on this?
Thank you!!!
Christopher Triolo Did you manage to solve the issues? We are seeing the same with asking for name and also not linking correctly via the external_id in the JWT token.
Christopher, Danny, the external ids are available on hover over the authentication badge next to via messaging.
We are currently working on associating the external id with user profile. Expect it to be rolled out in early May. After that, external ids provided in the API will be propagated to the user profile. If a user with the same external id exists in the system, the messaging ticket will be associated to that user.
We will create a ticket for the name prompt.
-Prakruti
Hi There,
I'm just wondering what the status of this is. We have a Zendesk plugin that relies on either email or external_id to show some additional user context from our systems. As neither of these things are passed through by Zendesk messaging for authenticated users we can't actually show any of that at the moment. It does sound from the above chat that once the new Zendesk changes have been released then our issues will be resolved, but just wondering if this is imminent?
Hello - Also curious on the timing of associating an authenticated user's conversations with an existing end-user profile which has a matching external_id. Sounds like it was targeted for release last month - any updates on expected timing would be very helpful.
Danny Larsen sorry for the late reply here. No I never figured it out. Here's what I did:
1) Re-uploaded all my users with external_id being their login email as opposed to their unique uuid in my system.
2) Set the JWT external_id as the email address of the logged in users
3) Trained my CS team (agents) to hover over the checkmark and then merge the users based on email.
External Id matching would still be extremely helpful to my agents.
Prakruti Hindia Re: Name prompting issue. I'm still getting it. I'm worried my users are being spammed for no reason. I'd expect the name to NOT be prompted if we use JWT auth. Screenshots below:
Hi there,
I was just wondering if the changes mentioned by Prakruti Hindia above have been released yet in terms of linking the Zendesk messaging user with a Zendesk user. We are waiting for this to be released before we can go live with our Zendesk messaging implementation. We basically need the user info for authenticated chat users to be available via the Zendesk API.
It was mentioned above that this should be out in early May - just wondering if there is any update on this?
Thanks in advance,
Malcolm
Hi folks,
I have dropped an update here - https://support.zendesk.com/hc/en-us/articles/4411666638746/comments/4684780332570.
Christopher, I recommend creating a ticket with us. Email capture should be skipped when the end-user is authenticated.
- Prakruti
Please sign in to leave a comment.