Visitor authentication - failed to validate claims
AnsweredIt has been few days in which I'm struggling to figure out the visitor authentication of the chat - without any success :(
Here is my code please help!!
Server (Ruby)
The Password I use is from the shared secret section in here:
https://lionwheel.zendesk.com/chat/agent#widget/widget_security
Here is the token I get back to the JS:
Seems that although the JWT looks great, I get http 400 error: "failed to validate claims" error:
Please help!
-
Hi Guy! I see that you're passing in a jti parameter in your payload, which I am not certain that we support. Could you remove that and try again to see if that resolves this issue for you?
-
@... - thanks for your response.
Tried it and unfortunately it still doesn't work - still see same error :(
Please help!
-
Hi Guy, apologies for the delay here. I'm not seeing anything hitting our servers from either of your accounts, with respect to JWT. What I would recommend doing is reading through this article and then use our Rails sample code, as we have used this in the past with no issues. Please let us know if that resolves the issue for you.
-
Hi, I've the same problem (I followed the instructions)
Request URL: https://id.zopim.com/authenticated/web/jwt
Request Method: POST
Status Code: 400
Remote Address: 107.23.111.133:443
Referrer Policy: no-referrer-when-downgradeResponse:
{
"success": false,
"error": "failed to validate claims"
} -
I am having the same issue as the other users. The last response given by Greg Katechis did not link to the correct information. I followed this article exactly and I am still getting the "error": "failed to validate claims". Please advise asap.
-
Hi there,
Upon checking the screenshots, I am able to see that you are encoding the shared secret in base64 encode.
Our JWT shared secret is NOT base64 encoded. I've noticed that many JWT libraries assume that the shared secret is base64 encoded, and the signature they end up generating is invalid. Can you see if that's the case with the library you're using? Also, you can just treat it as string.
For more info, please visit: Generating a new shared secret
I hope this help. Please open a support ticket, in case you need further assistance, to review this internally.
Sincerely,
-
Solved my issue, kind of a dumb one. In my converting the timestamps (iat and exp) to seconds from milliseconds I was leaving on a decimal and passing that to the token creation. Once I rounded my timestamps to whole numbers I was golden.
-
Hi Nate Babbel
Glad to hear that! Good News!
This can help other users that might experiment this issue in the future.
Thanks for your help! -
I faced the same error, my solution was as follows:
The external ID I used for the JWT payload was an INT and not a STRING and as it seems the Zendesk Chat authentication is quite strict about this - other than the JWT used for SSO or the Widget itself.
Once I casted the value to a string, the authentication finally worked. 👌
-
Thanks for sharing your solution, Florian!
-
[SOLVED] I was facing the same error
{
"success": false,
"error": "failed to validate claims"
}I am not sure what i am missing here ...
Solution:
By the time I use the generated JWT token, the token gets expired, settint the expiry time to 2 minutes solved my issue
-
Hi, I'm a little late to the party, but I'm running into a similar issue. First off I want to point out that about halfway through this thread, the answers start pointing to using JWT for SSO and not for chat authenticate. For example the first answer to the OP says to remove the jti param from the payload, but the articles linked in this thread are for SSO and definitively show that you need to have a jti param in the payload making this really confusing to follow along with.
I have followed the instructions on this guide: Enabling authenticated visitors in Web Widget (Classic) https://support.zendesk.com/hc/en-us/articles/4408838925082.
When my web widget loads on the screen I am getting this 400 error: "Zendesk Chat Web SDK: Error: init: Failed to verify token: jwt verification error"
But if I take the resultant JWT to an online JWT debugger it says the signature is verified.
My secret is not base64 encoded. I am using the ruby-jwt gem as outlined in the Zendesk documentation linked above. The gem is required via rails, and thus is not explicitly required in my snippet below.
My Ruby code:
def zendesk_jwt_endpoint
# This is and endpoint to call from the javascript portion to support JWT tokens in zendesk
payload = {
:name => "#{current_user.name.present? ? current_user.name : current_user.assumed_name_from_email}",
:email => "#{current_user.email}",
:iat => DateTime.now.to_i,
:exp => (DateTime.now + 6.minutes).to_i,
:external_id => current_user.id
}
# this syntax below is directly from the documentation in the ruby-jwt
# gem for JWT.encode.
token = JWT.encode payload, "#{ENV.fetch('ZENDESK_SHARED_SECRET','')}", 'HS256', {"typ": "JWT", "alg": 'HS256'}
render json: {jwt:token}
endMy Javascript code (sample)
webWidget: {
authenticate: {
chat: {
jwtFn: function(callback) {
fetch('/zendesk_jwt_endpoint').then(function(res) {
res.text().then(function(jwt) {
callback(jwt);
});
});
}
}
}
} -
I believe I have solved my issue which I reported earlier. I'm updating this thread in hopes that someone else with the same error can benefit from what I discovered.
There were a couple of small nuances in the ruby code which were not demonstrated in the Zendesk Code Examples.
iat = DateTime.now.to_i
exp = (DateTime.now + 6.minutes).to_i
shared_secret = "#{ENV.fetch('ZENDESK_CHAT_SHARED_SECRET','')}"
token = JWT.encode({
:name => "#{current_user.name}",
:email => "#{current_user.email}",
:iat => iat,
:exp => exp,
:external_id => "#{current_user.id}"
}, shared_secret, 'HS256')
render json: tokenNuance #1: The ruby code example doesn't show the exp attribute in the JWT encode function although their documentation does say you need it in the section above the code examples.
Nuance #1: I am not entirely certain this is necessary, but it can't hurt. The :external_id value needs to be a string.
Nuance #3: The code examples don't state that you need to define the algorithm. You will probably cobble together from other comments and posts that you need to define the type and algorithm in the JWT headers, but this is not demonstrated. If you review the readme documentation for the JWT gem, you will see how to correctly pass the algorithm header. https://github.com/jwt/ruby-jwt
Nuance #4: You have to specifically render the value in the response as a json string. This is necessary not only for the javascript function to read it properly, but also for your unit tests ;). No need to render back as a key value pair though, just send the encoded token value back.
Once I updated my JWT generator code with these nuances, the 400 error went away. I hope this helps someone looking for help getting past the 400 error.
PS: if you want to see my javascript to fetch the jwt token value, see my previous comment in this thread.
Please sign in to leave a comment.
13 Comments