Types of Users
End-users can be categorized as guests or authenticated users based on how they log in to the ASAP add-on.
Guest users
Guests
are users who do not sign in while logging in to the ASAP add-ons. They
can access the Knowledge Base module, submit a ticket, view their
community's forums, and chat with the support agents.
Authenticated Users
Authenticated
users who log in to the ASAP add-on. They can access the Knowledge Base
module, submit a ticket, view their community's forums, chat with
support agents, actively participate in their community, and perform
actions, such as following a topic, adding an issue, tracking a
submitted ticket status and commenting on existing posts.
![](https://static.zohocdn.com/zoho-desk-editor/static/images/info.png)
On the ASAP help widget, you can determine the preferred modules and content that will be visible to your users.
Importance of the JSON Web Token
The
Internet Engineering Task Force (IETF), the body that created the JWT
standard, defines JSON Web Token (JWT) as "a compact, URL-safe means of
representing claims to be transferred between two parties."
What are claims?
The
claims in a JWT are encoded as a JSON object that is used as the
payload of a JSON Web Signature (JWS) structure or as the plaintext of a
JSON Web Encryption (JWE) form, enabling the claims to be digitally
signed or integrity protected with a Message Authentication Code (MAC)
and encrypted.
The ASAP add-on provisioned via Zoho Desk
is not a stand-alone app; it works with your business app, empowering it
with the help center functionality.
When end-users log
in to your business app, they might want to access all associated
features, including the help center, through a single login.
Having
to log in to the app with one set of credentials and the help center
with another is inconvenient for the users because the services could
use different authentication methods. This is where the new JWT
authentication mechanism will make it easier for your users to access
ASAP and the Help Center.
![](https://static.zohocdn.com/zoho-desk-editor/static/images/info.png)
• JWT-based user authentication is only possible if Single Sign-On
(SSO) is enabled in Zoho Desk. SSO provides flexibility to access
different support systems using a single login credentials. If SSO is
not allowed, end-users can only access the ASAP add-on as guest users.
• If you have a multi-branded portal, configuring SAML within the
help center specifically for the ASAP department is sufficient.
Otherwise, SAML needs to be configured in the default help center.
How do I enable JWT?
JWT
secret is the essential component for JWT-based authentication. This is
the unique code shared when you set up the ASAP add-on on Zoho Desk. It
is used for signing user details, and this signed piece of data is
called the JWT token. The JWT secret is shared only once while
registering the ASAP add-on.
![](https://static.zohocdn.com/zoho-desk-editor/static/images/file.png)
Please store the secret in a highly secure location, and don't share it with untrusted parties.
How does the JWT mechanism work?
JWT
mechanism verifies the authenticity of a user of the main app and
provides them with permission to use the ASAP-driven help center with
the same credentials.
The Authentication Flow
- End-users will log in to the ASAP add-on using the credentials for their business app.
- The app will send its client ID, client secret, and JWT token containing user details (user email address, email verification status, and login time interval) signed with the JWT secret to the Customer's server for verification.
- The server will then decrypt the JWT Secret key and do the following verification actions.
- If the logged-in user is valid and existing, the server will generate the JWT token, considering them valid users of the help desk portal.
- If the logged-in user is valid and new, the server will add them as a user first to the Database, then generate the OAuth token, considering them new help desk portal users.
- By validating the user's login credentials, Zoho's Auth Server will generate the OAuth token and sign the user to their app.
- The server will also throw an error message if the logged-in users are invalid.
What is the role of the JWT endpoint?
Users
set up the server endpoint, the JWT endpoint, before configuring JWT
authentication for the ASAP add-on. This endpoint contains the code that
generates the JWT. The JWT endpoint must also constantly run the
following program with the JWT secret generated for your add-on.
- import io.jsonwebtoen.SignatureAlgorithm;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import java.io.UnsupportedEncodingException;
public static String generateJwt(String userToken) throws UnsupportedEncodingException
{
String secretKey = ""; //This value will be given once add-on is created. Then replace the provided value here
long notBeforeMillis = System.currentTimeMillis();
long notAfterMillis = notBeforeMillis + 300000;
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
byte[] apiKeySecretBytes = secretKey.getBytes();
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
JwtBuilder builder = Jwts.builder().signWith(signatureAlgorithm, signingKey);
String jwt = builder.claim("email_verified", true)
.claim("not_after", notAfterMillis)
.claim("not_before", notBeforeMillis)
.claim("email", <user_email_address_from_user_token>).compact();
return jwt;
}
Claims | Description |
email | Returns the email address of the user. |
email_verified | A
Boolean parameter that returns if the email address is verified or not
and subsequently sends the OAuth token to the ASAP add-on. |
not_before & not_after | Defines
the duration after which the JWT expires. The value of these claims
must be in the Coordinated Universal Time (UTC) format and expressed in
milliseconds. |
first_name | The first name of the user. |
last_name | The last name of the user. |
![](https://static.zohocdn.com/zoho-desk-editor/static/images/info.png)
To
ensure strong security, confirm that the time difference between the
not_before & not_after parameters does not exceed 600000
milliseconds. (approximately ~ 10 minutes)
![](https://static.zohocdn.com/zoho-desk-editor/static/images/file.png)
The
JWT access token for the Web ASAP Help Widget will expire in one hour.
Please ensure the JWT token in the provided code snippet is valid and
up-to-date. It's important to note that after the token expires, it
should only be generated and utilized on the server by the customer.
Implementing the token on the client side may result in potential data
leaks.
Code snippets to Authenticate users via the JWT mechanism on the old and new versions of ASAP
The
server generates the OAuth Token if the JWT token consists of logged-in
user information and provides the generated OAuth token to a client.
The client could then use that token to prove the authenticity of the
'logged in as a registered Zoho user'.
Web
ASAP 1.0 (Older version)
Please use the code snippet below to implement the JWT (JSON Web Token) authentication mechanism in ASAP 1.0 version.
The code to get Zoho's server to generate the JWT token.
- window.ZohoHCAsapSettings={
userInfo :{
jwtToken : "generated-jwt-token"
}
}
ASAP 2.0 (New version) - The improved JWT mechanism
To implement JWT (JSON Web Token) authentication in Zoho Desk ASAP 2.0, you must follow a series of steps to manage the login, logout, and token retrieval dynamically. Below is a guide on how to achieve this.
You need to define a function that fetches the JWT token from your server and passes it to the success callback.
- let getJwtTokenCallback = (successCallback, failureCallback) => {
// Fetch the JWT token from your server or authentication service
fetch('/api/get-jwt-token') // replace with your actual endpoint
.then(response => response.json())
.then(data => {
// Pass the JWT token to the success callback
successCallback(data.token);
})
.catch(error => {
// Handle any errors and pass the error to the failure callback
failureCallback(error);
});
}
// Invoke login with JWT token retrieval
window.ZohoDeskAsapReady( () => {
ZohoDeskAsap.invoke('login', getJwtTokenCallback);
})
![](https://static.zohocdn.com/zoho-desk-editor/static/images/file.png)
We need a callback on the first-page load to get the JWT token. After that, there's no need to pass the callback in the login API for subsequent loads.
Dynamic Login
If you want to handle login dynamically, ensure that you invoke the login method whenever the user attempts to log in.
- function handleLogin() {
window.ZohoDeskAsapReady( () => {
ZohoDeskAsap.invoke('login', getJwtTokenCallback);
})
}
// Example usage: attach this function to a login button
document.getElementById('loginButton').addEventListener('click', handleLogin);
Handling Logout
To handle the logout, you can use the following method:
- function handleLogout() {
window.ZohoDeskAsapReady( () => {
ZohoDeskAsap.invoke('logout');
})
}
// Example usage: attach this function to a logout button
document.getElementById('logoutButton').addEventListener('click', handleLogout);
![](https://static.zohocdn.com/zoho-desk-editor/static/images/info.png)
How JWT works on page load
- Session maintenance after login: Once logged in, the session will be maintained across page loads.
- Dynamic case on page load: For dynamic cases, the session will be maintained across page loads. If you want to log out after a page load, use the logout API.
- First-time login API call: On the first login API call, you must pass the JWT callback function as a parameter.
Implementation of JWT Authentication
This setup provides a basic but functional approach to integrating JWT-based authentication with Zoho Desk ASAP 2.0.
Here's an example of putting it all together in a single code snippet:
- // Function to retrieve the JWT token
let getJwtTokenCallback = (successCallback, failureCallback) => {
fetch('/api/get-jwt-token') // replace with your actual endpoint
.then(response => response.json())
.then(data => {
successCallback(data.token);
})
.catch(error => {
failureCallback(error);
});
};
// Login dynamically on page load
window.onload = function() {
//load this API after ASAP script
window.ZohoDeskAsapReady( () => {
ZohoDeskAsap.invoke('login', getJwtTokenCallback);
})
};
// Manual login trigger (e.g., on button click)
document.getElementById('loginButton').addEventListener('click', () => {
window.ZohoDeskAsapReady( () => {
ZohoDeskAsap.invoke('login', getJwtTokenCallback);
})
});
// Logout handler
document.getElementById('logoutButton').addEventListener('click', () => {
window.ZohoDeskAsapReady( () => {
ZohoDeskAsap.invoke('logout');
})
});
Android
The code to get Zoho's server to generate the JWT token. Refer to this help documentation. - MyApplication.deskInstance.loginWithJWTToken(String jwtToken, ZDPortalCallback.SetUserCallback callback)
iOS
This new login method will indicate that the passed token is a JWT token.
Refer to this help documentation.- ZohoDeskPortalKit.login(withJWTToken: token, onCompletion: handler)
React Native
This new login method will indicate that the passed token is a JWT token.
Refer to this help documentation.- ZohoDeskPortalSDK.setJWTToken("JWT token",
(msg) => {
alert('Success Alert '+msg);
} , msg => {
alert('Failure Alert '+msg);
});
![](https://static.zohocdn.com/zoho-desk-editor/static/images/file.png)
User info script of ASAP JWT configuration should be done before loading the app's script
Points to remember
1 The JWT token must be returned as a plain string.
2 The JWT token must contain the email, email_verified, not_before, and not_after claims.
3 A change in the app server time might affect the values set for
the not_before and not_after params. Therefore, modify the JWT code when
the app server time is changed, too.
4 Currently, only the HMACSHA256 algorithm is supported for signing in.
![](https://static.zohocdn.com/zoho-desk-editor/static/images/info.png)
References