Email in a JWT request
Posted Dec 01, 2021
We're in the process of implementing JWT authentication for one of our apps instead of Anonymous authentication. We're using the native Support SDK for Android/iOS.
The 'JWT Claims set' of a JWT request should contain an email address, which, according to the respective article, is used as the unique identifier for a user unless an external ID is received.
It appears that "Email" is not an optional field, and a claims set should contain some email for a user to be identified.
Is it possible to use a placeholder email address instead of the one provided by a user with JWT authentication for it to work? The question is also brought up by GDPR-related concerns.
Please advise.
We're using the following documentation.
1
3 comments
Greg Katechis
Hi Mikhail! This is something that I tested a long time ago and the answer is probably not what you're hoping for... Using a placeholder email address will cause a problem, unless you can ensure that each placeholder email address is unique. I'll use these two scenarios as an example; #2 is the one specifically that will be relevant to you:
Bob is in your account with the email bob@example.com and an external_id of 1001.
Alice is in your account with the email alice@example.com, but no external ID.
1. You send us a JWT payload with newbob@example.com and an external_id of 1001. Because this email address is completely new to your account, this will succeed, and bob@example.com will be overwritten with newbob@example.com.
2. You send us a JWT payload with alice@example.com and an external_id of 1001. Because this email address already exists in your account, this will fail. No changes will be made to Bob's user profile.
3. You send us a JWT payload with newbob@example.com and an external_id of 1002. Because this does not match the newbob@example.com/1001 pair, this will fail. It does not matter if this external ID exists already in your account or not. If you ever wanted to associate newbob@example.com with a different external ID, you'd need to delete their entire user profile (or specifically delete the external ID with the REST API).
As such, if you used a single placeholder email address, every subsequent payload that you sent us would be rejected. I would definitely not recommend going the route of a unique placeholder email for each of your users, as you will then run into issues communicating with them. It would be best to discuss this with your legal team to determine what steps would allow you to be GDPR-compliant while using the customer's email. We cannot advise on that topic at all.
0
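An added example (mine, not code from the original thread or from Zendesk), in Python, covering the two technical pieces the comment above relies on: minting and verifying the HS256 token your JWT endpoint would hand back to the SDK, and a toy model of the email/external_id matching rules Greg lists, run through his three scenarios and through the single-placeholder case. The claim names (jti, iat, name, email, external_id), the shared secret and the whole `Directory` model are assumptions; the model encodes only what the three scenarios state, and the one case they do not cover (a known email with no external_id receiving an unused external_id) is marked as assumed in the code.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, List, Optional

# Constructed secret for this example only; a real endpoint uses the shared
# secret configured for the SDK in the Zendesk admin settings (assumption).
SHARED_SECRET = b"example-shared-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_sdk_jwt(name: str, email: str, external_id: Optional[str],
                 secret: bytes, now: Optional[int] = None) -> str:
    """HS256 JWT with the claims the SDK docs describe (jti, iat, name, email,
    external_id). The claim names are an assumption here; check the docs."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"jti": str(uuid.uuid4()),
              "iat": int(time.time() if now is None else now),
              "name": name, "email": email}
    if external_id is not None:
        claims["external_id"] = external_id
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_sdk_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out, else None. The algorithm
    is pinned to HS256 (never read from the header) and compared in constant time."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


_MISSING = object()  # sentinel: a known user may legitimately have external_id None


class Directory:
    """Toy model of the account's user records, email -> external_id or None.
    Encodes only the matching rules stated in the comment above; not Zendesk code."""

    def __init__(self, users: Dict[str, Optional[str]]):
        self.users = dict(users)

    def _owner_of(self, external_id: Optional[str]) -> Optional[str]:
        if external_id is None:
            return None
        return next((e for e, x in self.users.items() if x == external_id), None)

    def resolve(self, email: str, external_id: Optional[str]) -> str:
        current = self.users.get(email, _MISSING)
        owner = self._owner_of(external_id)
        if current is _MISSING:                     # email not seen before
            if owner is not None:                   # scenario 1: that profile's email is overwritten
                del self.users[owner]
                self.users[email] = external_id
                return f"updated email of {owner}"
            self.users[email] = external_id
            return "created"
        if external_id is None or current == external_id:
            return "matched"
        if current is None:                         # email known, no external_id yet
            if owner is not None:                   # scenario 2
                return "rejected: external_id belongs to another user"
            self.users[email] = external_id         # not covered by the comment; assumed to link
            return "linked"
        return "rejected: email already paired with a different external_id"  # scenario 3


def run_scenarios() -> Dict[int, str]:
    """Greg's three numbered scenarios, applied in order to the same account."""
    d = Directory({"bob@example.com": "1001", "alice@example.com": None})
    return {1: d.resolve("newbob@example.com", "1001"),
            2: d.resolve("alice@example.com", "1001"),
            3: d.resolve("newbob@example.com", "1002")}


def placeholder_walkthrough() -> List[str]:
    """One shared placeholder address with a distinct external_id per user:
    the first payload creates a profile, every later one falls under scenario 3."""
    d = Directory({})
    return [d.resolve("noreply@app.example", str(uid)) for uid in (2001, 2002, 2003)]


if __name__ == "__main__":
    tok = mint_sdk_jwt("Bob", "bob@example.com", "1001", SHARED_SECRET)
    print(verify_sdk_jwt(tok, SHARED_SECRET)["email"])
    print(run_scenarios())
    print(placeholder_walkthrough())
```

Running it shows scenario 1 succeed by overwriting Bob's address, scenarios 2 and 3 rejected, and the placeholder walkthrough returning one "created" followed by rejections for every further user, which is the outcome the comment describes.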
Mikhail Nikitin
Thank you!
Would like to receive additional clarification regarding the information provided previously.
Will user email addresses be used by Zendesk beyond the process of uniquely identifying a user? If so, could you please specify how exactly? To send email notifications or be relayed to some internal or external services for any kind of processing, maybe? Will GDPR compliance be maintained in any such case?
It would be preferable for us to identify users by external IDs instead of email addresses since in most cases MobileSDK is the channel used by our users to submit requests. I understand, however, that email address is required.
0
Greg Katechis
The email address is going to be used in a variety of ways depending on how you set up your instance. As you mentioned, one possibility would be sending email notifications and another option would be their login method.
With respect to anything related to GDPR, we cannot make any comments regarding compliance outside of our public disclosure that you can find here. If you have additional questions regarding GDPR, you will want to speak with an appropriate legal or business entity.
0