Building a dedicated JWT endpoint for the Support SDK

According to the above steps , now I can test our JWT endpoint, the result same as the picture , return 200 and the result with "jwt" data. but when I call the zenDesk related api on android mobile, the zenDesk log hint 401 and return "{"error":"Couldn't authenticate you"}".

Please give me some hints how to solve this issue？

I have the same problem as candiceyang

Any updates?

This isn't secure though if I open an endpoint to get user information and return it without authentication of the requester. Is there an IP Address I can white label for this request or a way to verify that Zendesk is asking for a JWT?

How is user_identifier_provided_by_the_app used by Zendesk? Do you create a customer/user based on user identifier or is it based on returned email and phone from jwt token?

Providing simply the user identifier is not secure at all as mentioned by Colbey W. We're thinking to provide another token (retrieved by mobile app) which will be accepted by our jwt service and return the data based on the token.

Thanks!

Hi @... @... - Zendesk maintains a list of IPs that can be whitelisted here: Configuring your firewall for use with Zendesk

There have been discussions and interest in making the getting of this list more dynamic (versus just listing them in this article), but currently this is the list to use to configure whitelisting by your service.

Zendesk passes through the "user_identifier_provided_by_the_app" to your service. Your app can can encode a user ID, looking however you like. This process is to authenticate an existing user. The returned JWT from your service requires the user's email. See also Setting a unique identify -- it rounds out some of the information given in this article.

@..., @...

When I go into ZenDesk settings for the Mobile SDK and change the authentication type from anonymous to JWT, for a little while afterwards mobile applications trying to use ZenDesk JWT authentication get an error from ZenDesk saying that they are using the wrong authentication type. After a while, it starts working however. Is there a delay between when JWT authentication is enabled in the ZenDesk settings admin interface and when ZenDesk starts using those new settings? And if so, about how long is the delay? We've seen the delay last anywhere from as little as 10 minutes to as long as 3 hours. Is there any way to make this delay more consistant? Also, we've noticed that the delay is shorter for some clients than others. My theory is that there is some distributed system that settings changes get replicated across, and that some ZenDesk instances get the changes before others. Is that correct, or is there some other reason for the variable delay?

Here is PHP/symfony Implementation. 

https://gist.github.com/bhaktaraz/edbaa25c4100c9699bf1e5e2a80a8a90

Thanks @... for posting that example!

@... -- I don't see any documentation on an expected delay, but because a mobile app's setup should be relatively static and not change (at least not that often), there could perhaps be a delay. Do you have a use case where a mobile app's setup is changing often for some reason? Can you provide more details?

I'm also referencing this KB article: Building a dedicated JWT endpoint for the Support SDK 

One of our devs shared with us today that there could potentially be a delay when updating settings in the SDK, so I wanted to share this:

1. It is possible that there is a delay of up to 15 mins caching time at our edge servers before the updated settings would be returned from the back-end
2. The SDK caches settings for 1 hour, so if you try to use the SDK again during that 1 hour time, it will still be using the “old” settings. You can wait an hour, or you can uninstall/reinstall the app if you want to test the new settings.

I also want to point out that you can use both an anonymous identity, as well as a JWT identity in the same app. Just go to Channels >> Mobile SDK >> Add app and then you can create the other identity. You can choose when to initialize the two!

It's a shame there is no "Test it now" button in the Mobile SDK App Setup page. One where I could provide "unique_id" and get some kind of feedback whether the endpoint is reachable, returns correct JWT (content-wise and signature-wise).

Would it be possible to have this? It would definitely help decrease number of support tickets on your side.

Is there a way to avoid email in the jwt payload as I need to use phone as primary identity ?

I am receiving request from the zendesk on my lambda service with user_token that is sent from the mobile app. I am validating the necessary items and sending back the jwt after signing it with the secret. My response looks exactly the same with the curl example given above.

But on mobile it gives error code 400, body is null. What could be the issue. 

Nope, field must be present and non-empty. However, in case of JWT authentication, you can provide also external_id which will be used for customer matching instad of email. The primary identity is then in your hands.

Hello,
We are implementing a dedicated endpoint for use with the Zendesk SDK in order to authenticate users through a JWT. Our implementation in our backend works correctly, it returns the expected response. However, when we use the Zendesk SDK, there are no traces of a request being made from Zendesk to our servers, even though we have configured everything correctly, as instructed in this link: https://develop.zendesk.com/hc/en-us/articles/360001075248-Building-a-dedicated-JWT-endpoint-for-the-Support-SDK.

What do you think this might be?

Thank you

Usually the issue is with the JWT you return. I think I managed to get all the problems that might occur:
- undefined custom field
- inconsistent identity (different id with same email already existed in Zendesk)
- incorrect signature
- incorrect language code

Sadly you can get the explanation from Zendesk support only, which has 2-5 days reaction time.

Two things - you have to enable JWT authentication in Zendesk setup and make sure you initialize Zendesk SDK properly (you need to use the identity which expects customer identifier/token)

Hey @..., thank you for the answer.

We enabled the JWT authentication in Zendesk according to the documentation. Related to the SDK, we are using the following code (iOS):

Zendesk.initialize(appId: Bundle.main.zendeskAppID,
            clientId: Bundle.main.zendeskClientID,
            zendeskUrl: Bundle.main.zendeskURL)
        CommonTheme.currentTheme.primaryColor = .SecondaryBemon400
        // Authenticated session
        if let token = try? Session.Authentication.getPubID() {
            logger?.log("PubID: \(token)", level: .debug)
            if let instance = Zendesk.instance {
                let identity = Identity.createJwt(token: token)
                instance.setIdentity(identity)
                logger?.log("Zendesk itentity setup correctly", level: .info)
            } else {
                logger?.log("No Zendesk Instance was found. Zendesk session is not authenticated", level: .error)
            }
        } else { // Unauthenticated session
            let ident = Identity.createAnonymous()
            Zendesk.instance?.setIdentity(ident)
            logger?.log("Zendesk itentity with anonymous setup", level: .info)
        }
        Support.initialize(withZendesk: Zendesk.instance)
        Chat.initialize(accountKey: "dummykey")
        AnswerBot.initialize(withZendesk: Zendesk.instance,
                             support: Support.instance!)

We don´t know what could be failing.

Thanks again!

i have initialised the zendesk SDK on Android , and tried to get Identity with the help of following code:-

Identity identity = new JwtIdentity("unique_id");
Zendesk.INSTANCE.setIdentity(identity);

"unique_id" is the unique identifier of the user. 

My JWT not getting any hit from Zendesk Server.

I am getting following logs :-

D/OkHttp: <-- 401 https://{companyname}.zendesk.com/access/sdk/jwt (2896ms, 37-byte body)

D/GsonSerializer: Unable to deserialize the provided object into AccessToken

W/ZendeskIdentityManager: There is no stored access token, have you initialised an identity and requested an access token?

Can anybody help us with this issue ?

Note: We have replaced the actual name with {companyname} for the purpose of privacy