Visitor authentication - failed to validate claims

Answered

13 Comments

  • Greg Katechis
    Zendesk Developer Advocacy

    Hi Guy! I see that you're passing in a jti parameter in your payload, which I am not certain that we support. Could you remove that and try again to see if that resolves this issue for you?

    0
  • Guy Dubrovski

    @... - thanks for your response.

    Tried it and unfortunately it still doesn't work - still see same error :(

     

    Please help!

    1
  • Greg Katechis
    Zendesk Developer Advocacy

    Hi Guy, apologies for the delay here. I'm not seeing anything hitting our servers from either of your accounts, with respect to JWT. What I would recommend doing is reading through this article and then use our Rails sample code, as we have used this in the past with no issues. Please let us know if that resolves the issue for you.

    -2
  • Gabriele Biella

    Hi, I've the same problem (I followed the instructions)

    Request URL: https://id.zopim.com/authenticated/web/jwt
    Request Method: POST
    Status Code: 400
    Remote Address: 107.23.111.133:443
    Referrer Policy: no-referrer-when-downgrade

    Response:

    {
    "success": false,
    "error": "failed to validate claims"
    }

    2
  • Nate Babbel

    I am having the same issue as the other users. The last response given by Greg Katechis did not link to the correct information. I followed this article exactly and I am still getting the "error": "failed to validate claims". Please advise asap.

    1
  • Julio H
    Zendesk Customer Care
    Hi there,

    Upon checking the screenshots, I am able to see that you are encoding the shared secret in base64 encode.

    Our JWT shared secret is NOT base64 encoded. I've noticed that many JWT libraries assume that the shared secret is base64 encoded, and the signature they end up generating is invalid. Can you see if that's the case with the library you're using? Also, you can just treat it as string.

    For more info, please visit: Generating a new shared secret  

    I hope this help. Please open a support ticket, in case you need further assistance, to review this internally.

    Sincerely,
    0
  • Nate Babbel

    Solved my issue, kind of a dumb one. In my converting the timestamps (iat and exp) to seconds from milliseconds I was leaving on a decimal and passing that to the token creation. Once I rounded my timestamps to whole numbers I was golden.

    0
  • Julio H
    Zendesk Customer Care

    Hi Nate Babbel

    Glad to hear that! Good News! 

    This can help other users that might experiment this issue in the future. 

    Thanks for your help!

    1
  • Florian Nowak-Klos

    I faced the same error, my solution was as follows:

    The external ID I used for the JWT payload was an INT and not a STRING and as it seems the Zendesk Chat authentication is quite strict about this - other than the JWT used for SSO or the Widget itself.

    Once I casted the value to a string, the authentication finally worked. 👌

    0
  • Dave Dyson
    Thanks for sharing your solution, Florian!
    0
  • Gaurav Garg

    [SOLVED] I was facing the same error 

    {
    "success": false,
    "error": "failed to validate claims"
    }

    I am not sure what i am missing here ...

     

    Solution: 

    By the time I use the generated JWT token, the token gets expired, settint the expiry time to 2 minutes solved my issue

    0
  • Ryan Stuhl

    Hi, I'm a little late to the party, but I'm running into a similar issue. First off I want to point out that about halfway through this thread, the answers start pointing to using JWT for SSO and not for chat authenticate. For example the first answer to the OP says to remove the jti param from the payload, but the articles linked in this thread are for SSO and definitively show that you need to have a jti param in the payload making this really confusing to follow along with. 

    I have followed the instructions on this guide: Enabling authenticated visitors in Web Widget (Classic) https://support.zendesk.com/hc/en-us/articles/4408838925082.

    When my web widget loads on the screen I am getting this 400 error: "Zendesk Chat Web SDK: Error: init: Failed to verify token: jwt verification error"

    But if I take the resultant JWT to an online JWT debugger it says the signature is verified.

    My secret is not base64 encoded. I am using the ruby-jwt gem as outlined in the Zendesk documentation linked above. The gem is required via rails, and thus is not explicitly required in my snippet below.

    My Ruby code:

    def zendesk_jwt_endpoint
    # This is and endpoint to call from the javascript portion to support JWT tokens in zendesk
    payload = {
    :name => "#{current_user.name.present? ? current_user.name : current_user.assumed_name_from_email}",
    :email => "#{current_user.email}",
    :iat => DateTime.now.to_i,
    :exp => (DateTime.now + 6.minutes).to_i,
    :external_id => current_user.id
    }
    # this syntax below is directly from the documentation in the ruby-jwt
    # gem for JWT.encode.
    token = JWT.encode payload, "#{ENV.fetch('ZENDESK_SHARED_SECRET','')}", 'HS256', {"typ": "JWT", "alg": 'HS256'}
    render json: {jwt:token}
    end

    My Javascript code (sample)

    webWidget: {
    authenticate: {
    chat: {
    jwtFn: function(callback) {
    fetch('/zendesk_jwt_endpoint').then(function(res) {
    res.text().then(function(jwt) {
    callback(jwt);
             });
    });
    }
    }
    }
    }

     

    0
  • Ryan Stuhl

    I believe I have solved my issue which I reported earlier. I'm updating this thread in hopes that someone else with the same error can benefit from what I discovered. 

    There were a couple of small nuances in the ruby code which were not demonstrated in the Zendesk Code Examples.

    iat = DateTime.now.to_i
    exp = (DateTime.now + 6.minutes).to_i
    shared_secret = "#{ENV.fetch('ZENDESK_CHAT_SHARED_SECRET','')}"

    token = JWT.encode({
     :name => "#{current_user.name}",
     :email => "#{current_user.email}",
     :iat => iat,
     :exp => exp,
     :external_id => "#{current_user.id}"
    }, shared_secret, 'HS256')

    render json: token

    Nuance #1: The ruby code example doesn't show the exp attribute in the JWT encode function although their documentation does say you need it in the section above the code examples. 

    Nuance #1: I am not entirely certain this is necessary, but it can't hurt. The :external_id value needs to be a string.

    Nuance #3: The code examples don't state that you need to define the algorithm. You will probably cobble together from other comments and posts that you need to define the type and algorithm in the JWT headers, but this is not demonstrated. If you review the readme documentation for the JWT gem, you will see how to correctly pass the algorithm header. https://github.com/jwt/ruby-jwt

    Nuance #4: You have to specifically render the value in the response as a json string. This is necessary not only for the javascript function to read it properly, but also for your unit tests ;). No need to render back as a key value pair though, just send the encoded token value back. 

    Once I updated my JWT generator code with these nuances, the 400 error went away. I hope this helps someone looking for help getting past the 400 error. 

    PS: if you want to see my javascript to fetch the jwt token value, see my previous comment in this thread.

    0

Please sign in to leave a comment.

Powered by Zendesk