Closing a modal automatically after OAuth redirect in a server-side app

6 comments

  • Bryan - Community Manager

    I don't have an actual example to share Ben, but as you mention, a ZAF app requires those two query parameters to connect the ZAFClient object with the parent/agent window. It's also a requirement by OAuth to have a fixed redirect URL. So there's no obvious solution going that route.

    That said, one solution for an implicit grant flow that I've seen before is to:
    1. Set up a DOM event listener in your ZAF app with an associated function using something like: window.addEventListener("message", receiveOauthData);
    2. Call window.open in your ZAF app to the authorization endpoint of the system you're doing a grant flow against, passing all the necessary query parameters
    3. Once authorized, that site would redirect to what's declared in its OAuth client's fixed redirect. This would be a web app/server you control (maybe using something lightweight like Heroku). Keep in mind, this is all happening in the same browser window from step 2.
    4. That fixed endpoint/page that you control would then send the resulting hash values back to the original window that opened it. This page would include code like:

    var targetWindow = window.opener;
    var hash = window.location.hash;
    targetWindow.postMessage(hash, "*");

    5. The listener that you set up in step 1 would pick up the postMessage call. After processing/parsing the hash value, you'd have the access token.

    There are a number of things that need to be set up (ex: the fixed endpoint and page) and possible security concerns (ex: would want to make sure in step 5 event.origin is equal to the endpoint from step 4). Despite all that, this would be the basic plumbing.

    Know that supporting OAuth in an easier fashion for ZAF apps is on the product's roadmap. I don't have an exact date or how that might be implemented, so keep an eye out on ZAF change log announcements for announcements.

    If any community member could share any other solutions and code, that would be great!

    PS -- if you're calling third-party API endpoints and can use an API token, you should explore using secure settings.
    PPS -- Don't forget about the Zendesk Apps framework online community either -- it might have other ZAF developers who have ideas.

    1
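
Steps 1, 4 and 5 of the reply above with the checks it mentions (a fixed target origin instead of "*", and an event.origin test in the listener), as an added example that is not part of the original thread. The two origins, the function names other than receiveOauthData, and the use of the OAuth `state` parameter are assumptions made for illustration.

```javascript
// Added example: the origins and helper names below are assumptions.
const REDIRECT_ORIGIN = "https://oauth-redirect.example.com"; // page from step 4
const APP_ORIGIN = "https://zaf-app.example.com"; // origin serving the ZAF app

// Step 4, on the redirect page: hand the fragment to the opener, naming the
// one origin allowed to receive it instead of "*".
function sendFragmentToOpener(win, appOrigin) {
  if (!win.opener) return false; // page was opened directly, nobody to notify
  win.opener.postMessage(win.location.hash, appOrigin);
  return true;
}

// "#access_token=...&state=..." -> { access_token: "...", state: "..." }
function parseOAuthFragment(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ""));
  return Object.fromEntries(params.entries());
}

// Steps 1 and 5, in the ZAF app. `popup` is the handle returned by window.open
// in step 2; `expectedState` is the random `state` value sent in that request.
function makeReceiveOauthData({ popup, expectedState, onToken }) {
  return function receiveOauthData(event) {
    if (event.origin !== REDIRECT_ORIGIN) return false; // wrong sender origin
    if (event.source !== popup) return false; // not the window we opened
    if (typeof event.data !== "string") return false;
    const data = parseOAuthFragment(event.data);
    if (data.error || !data.access_token) return false; // denied or malformed
    if (data.state !== expectedState) return false; // not our request
    onToken(data.access_token);
    return true;
  };
}

// Redirect page:  sendFragmentToOpener(window, APP_ORIGIN);
// ZAF app:        window.addEventListener("message",
//                   makeReceiveOauthData({ popup, expectedState, onToken }));
```

The listener returns false and never calls onToken for messages from any other origin or window, so the token callback only runs for the popup opened in step 2.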
  • Ben Russert

    Thank you so much for the thorough response! I'm happy to hear easier OAuth login flows are on the roadmap! I meant to post this in the dev community board, but got lost!

    A postMessage solution could work I think, but I wanted to exhaust the simpler ZAF API possibilities before I went to that. Since the redirect page and the main ticket editor apps are on the same origin (the server I control) I won't need to post the token in the message data, just a "done" type of thing back to the ticket editor app so it can close the modal.

    The various security configurations (secure settings, signed urls, etc) are in the plans, but honestly I've been putting that off for last since the docs seem to indicate it won't work right with the convenient dev environment on the localhost ZAT server 😬.

    0
  • Bryan - Community Manager

    There are for sure a number of possible moving parts. As that link you gave mentioned, while it's a little more set up, you can test an app using 'zat server' locally that has secure settings, it just needs to be started with the --app-id command line setting. Some version of the app needs to be installed into your instance first, however (and for historical reasons you have to use the app's installation id, not the app id when using that setting). Good luck Ben -- let us know how it goes and if you run into other bumps along the way.

    1
  • Bryan - Community Manager

    >>>>

    Know that supporting OAuth in an easier fashion for ZAF apps is on the product's roadmap. I don't have an exact date or how that might be implemented, so keep an eye out on ZAF change log announcements for announcements.

    <<<<

    Hi Ben Russert -- just wanted to let you know it looks like a way to OAuth into a third-party service on app install will be coming soon. On install, an OAuth grant flow can be executed, with the access token stored as a secure setting. The token can then be subsequently used in client.request calls. Look for an announcement and documentation sometime in the next few weeks.

    1
  • Ben Russert

    I will find time to try it out in our app soon!

     

    (I just saw the announcement)

    0
  • Bryan - Community Manager

    Yes, it's been released! Keep in mind that the OAuth grant flow happens at app install AND that you can only do an OAuth grant flow against a third-party service -- OAuth'ing against a Zendesk instance will not work:

    "Note: This feature cannot be used to make API requests using OAuth to other Zendesk Support instances or other brands within an instance. The proxy layer does not allow access to other Zendesk instances."

    https://developer.zendesk.com/apps/docs/developer-guide/manifest#oauth

    0
