JWT Mechanism for Authenticating Users in the ASAP Add-Ons - New Flow

Understanding the enhanced JWT mechanism for Authenticating Users in the ASAP Help Widget

Types of Users

End-users can be categorized as guests or authenticated users based on how they log in to the ASAP add-on.

Guest users

Guests are users who do not sign in while logging in to the ASAP add-ons. They can access the Knowledge Base module, submit a ticket, view their community's forums, and chat with the support agents.

Authenticated Users

Authenticated users who log in to the ASAP add-on. They can access the Knowledge Base module, submit a ticket, view their community's forums, chat with support agents, actively participate in their community, and perform actions, such as following a topic, adding an issue, tracking a submitted ticket status and commenting on existing posts.
On the ASAP help widget, you can determine the preferred modules and content that will be visible to your users.
To activate the ASAP add-on, refer to the ASAP help widget for Web help doc.

Importance of the JSON Web Token

The Internet Engineering Task Force (IETF), the body that created the JWT standard, defines JSON Web Token (JWT) as "a compact, URL-safe means of representing claims to be transferred between two parties."

What are claims? 

The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) form, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and encrypted.
 
The ASAP add-on provisioned via Zoho Desk is not a stand-alone app; it works with your business app, empowering it with the help center functionality.
 
When end-users log in to your business app, they might want to access all associated features, including the help center, through a single login.
 
Having to log in to the app with one set of credentials and the help center with another is inconvenient for the users because the services could use different authentication methods. This is where the new JWT authentication mechanism will make it easier for your users to access ASAP and the Help Center.
    •    JWT-based user authentication is only possible if Single Sign-On (SSO) is enabled in Zoho Desk. SSO provides flexibility to access different support systems using a single login credentials. If SSO is not allowed, end-users can only access the ASAP add-on as guest users.
    •    If you have a multi-branded portal, configuring SAML within the help center specifically for the ASAP department is sufficient. Otherwise, SAML needs to be configured in the default help center.

How do I enable JWT?

JWT secret is the essential component for JWT-based authentication. This is the unique code shared when you set up the ASAP add-on on Zoho Desk. It is used for signing user details, and this signed piece of data is called the JWT token. The JWT secret is shared only once while registering the ASAP add-on.
Please store the secret in a highly secure location, and don't share it with untrusted parties.

How does the JWT mechanism work?

JWT mechanism verifies the authenticity of a user of the main app and provides them with permission to use the ASAP-driven help center with the same credentials.

The Authentication Flow


  1. End-users will log in to the ASAP add-on using the credentials for their business app.
  2. The app will send its client ID, client secret, and JWT token containing user details (user email address, email verification status, and login time interval) signed with the JWT secret to the Customer's server for verification.
  3. The server will then decrypt the JWT Secret key and do the following verification actions.
  4. If the logged-in user is valid and existing, the server will generate the JWT token, considering them valid users of the help desk portal.
  5. If the logged-in user is valid and new, the server will add them as a user first to the Database, then generate the OAuth token, considering them new help desk portal users.
  6. By validating the user's login credentials, Zoho's Auth Server will generate the OAuth token and sign the user to their app.
  7. The server will also throw an error message if the logged-in users are invalid.

How to enable the JWT authentication for Web and Mobile Platforms


What is the role of the JWT endpoint?

Users set up the server endpoint, the JWT endpoint, before configuring JWT authentication for the ASAP add-on. This endpoint contains the code that generates the JWT. The JWT endpoint must also constantly run the following program with the JWT secret generated for your add-on.
  1.  import io.jsonwebtoen.SignatureAlgorithm;
     import javax.crypto.spec.SecretKeySpec;
     import java.security.Key;
     import io.jsonwebtoken.JwtBuilder;
     import io.jsonwebtoken.Jwts;
     import java.io.UnsupportedEncodingException;
     public static String generateJwt(String userToken) throws UnsupportedEncodingException
    {
     
String secretKey = ""; //This value will be given once add-on is created. Then replace the    provided value here
     long notBeforeMillis = System.currentTimeMillis();
     long notAfterMillis = notBeforeMillis + 300000;
     SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
     byte[] apiKeySecretBytes = secretKey.getBytes();
    
 Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
     JwtBuilder builder = Jwts.builder().signWith(signatureAlgorithm, signingKey);
     String jwt = builder.claim("email_verified", true)
     .claim("not_after", notAfterMillis)
     .claim("not_before", notBeforeMillis)
     .claim("email", <user_email_address_from_user_token>).compact();
     return jwt;
    }  

Claims

Description

email

Returns the email address of the user.

email_verified

A Boolean parameter that returns if the email address is verified or not and subsequently sends the OAuth token to the ASAP add-on.

not_before & not_after

Defines the duration after which the JWT expires. The value of these claims must be in the Coordinated Universal Time (UTC) format and expressed in milliseconds.

first_name

The first name of the user.

last_name

The last name of the user.


To ensure strong security, confirm that the time difference between the not_before & not_after parameters does not exceed 600000 milliseconds. (approximately ~ 10 minutes)
The JWT access token for the Web ASAP Help Widget will expire in one hour. Please ensure the JWT token in the provided code snippet is valid and up-to-date. It's important to note that after the token expires, it should only be generated and utilized on the server by the customer. Implementing the token on the client side may result in potential data leaks.

Code snippets to Authenticate users via the JWT mechanism on the old and new versions of ASAP

The server generates the OAuth Token if the JWT token consists of logged-in user information and provides the generated OAuth token to a client. The client could then use that token to prove the authenticity of the 'logged in as a registered Zoho user'.

Web

ASAP 1.0 (Older version)

Please use the code snippet below to implement the JWT (JSON Web Token) authentication mechanism in ASAP 1.0 version.

The code to get Zoho's server to generate the JWT token.
  1. window.ZohoHCAsapSettings={
               userInfo :{
                jwtToken : "generated-jwt-token"
              }
    }

ASAP 2.0 (New version) - The improved JWT mechanism

To implement JWT (JSON Web Token) authentication in Zoho Desk ASAP 2.0, you must follow a series of steps to manage the login, logout, and token retrieval dynamically. Below is a guide on how to achieve this.

You need to define a function that fetches the JWT token from your server and passes it to the success callback.
  1. let getJwtTokenCallback = (successCallback, failureCallback) => {
        // Fetch the JWT token from your server or authentication service
        fetch('/api/get-jwt-token') // replace with your actual endpoint
            .then(response => response.json())
            .then(data => {
                // Pass the JWT token to the success callback
                successCallback(data.token);
            })
            .catch(error => {
                // Handle any errors and pass the error to the failure callback
                failureCallback(error);
            });
    }
     
    // Invoke login with JWT token retrieval
    window.ZohoDeskAsapReady( () => {
        ZohoDeskAsap.invoke('login', getJwtTokenCallback);
    })
We need a callback on the first-page load to get the JWT token. After that, there's no need to pass the callback in the login API for subsequent loads.

Dynamic Login 

If you want to handle login dynamically, ensure that you invoke the login method whenever the user attempts to log in.

  1. function handleLogin() {
        window.ZohoDeskAsapReady( () => {
            ZohoDeskAsap.invoke('login', getJwtTokenCallback);
        })
    }
    // Example usage: attach this function to a login button
    document.getElementById('loginButton').addEventListener('click', handleLogin);

Handling Logout 

To handle the logout, you can use the following method:

  1. function handleLogout() {
        window.ZohoDeskAsapReady( () => {
            ZohoDeskAsap.invoke('logout');
        })
    }
    // Example usage: attach this function to a logout button
    document.getElementById('logoutButton').addEventListener('click', handleLogout);

How JWT works on page load 

  1. Session maintenance after login: Once logged in, the session will be maintained across page loads.
  2. Dynamic case on page load: For dynamic cases, the session will be maintained across page loads. If you want to log out after a page load, use the logout API.
  3. First-time login API call: On the first login API call, you must pass the JWT callback function as a parameter.

Implementation of JWT Authentication  

This setup provides a basic but functional approach to integrating JWT-based authentication with Zoho Desk ASAP 2.0.

Here's an example of putting it all together in a single code snippet:

  1. // Function to retrieve the JWT token
    let getJwtTokenCallback = (successCallback, failureCallback) => {
        fetch('/api/get-jwt-token') // replace with your actual endpoint
            .then(response => response.json())
            .then(data => {
                successCallback(data.token);
            })
            .catch(error => {
                failureCallback(error);
            });
    };
     
    // Login dynamically on page load
    window.onload = function() {
            //load this API after ASAP script
            window.ZohoDeskAsapReady( () => {
                ZohoDeskAsap.invoke('login', getJwtTokenCallback);
            })
    };
     
    // Manual login trigger (e.g., on button click)
    document.getElementById('loginButton').addEventListener('click', () => {
            window.ZohoDeskAsapReady( () => {
                ZohoDeskAsap.invoke('login', getJwtTokenCallback);
         })
    });
     
    // Logout handler
    document.getElementById('logoutButton').addEventListener('click', () => {
            window.ZohoDeskAsapReady( () => {
                ZohoDeskAsap.invoke('logout');
            })
    });

Android

The code to get Zoho's server to generate the JWT token. Refer to this help documentation.
  1. MyApplication.deskInstance.loginWithJWTToken(String jwtToken, ZDPortalCallback.SetUserCallback callback)

iOS

This new login method will indicate that the passed token is a JWT token. Refer to this help documentation.
  1. ZohoDeskPortalKit.login(withJWTToken: token, onCompletion: handler)

React Native

This new login method will indicate that the passed token is a JWT token. Refer to this help documentation.
  1. ZohoDeskPortalSDK.setJWTToken("JWT token",
    (msg) => {
    alert('Success Alert '+msg);
    } , msg => {
    alert('Failure Alert '+msg);
    });
User info script of ASAP JWT configuration should be done before loading the app's script

JWT Token Decoding


Points to remember

    1    The JWT token must be returned as a plain string.
    2    The JWT token must contain the email, email_verified, not_before, and not_after claims.
    3    A change in the app server time might affect the values set for the not_before and not_after params. Therefore, modify the JWT code when the app server time is changed, too. 
    4    Currently, only the HMACSHA256 algorithm is supported for signing in.

    Access your files securely from anywhere

      Zoho CRM Training Programs

      Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.

      Zoho CRM Training
        Redefine the way you work
        with Zoho Workplace

          Zoho DataPrep Personalized Demo

          If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.

          Zoho CRM Training

            Create, share, and deliver

            beautiful slides from anywhere.

            Get Started Now


              Zoho Sign now offers specialized one-on-one training for both administrators and developers.

              BOOK A SESSION





                          Quick Links Workflow Automation Data Collection
                          Web Forms Enterprise Begin Data Collection
                          Interactive Forms Workplace Data Collection App
                          CRM Forms Customer Service Accessible Forms
                          Digital Forms Marketing Forms for Small Business
                          HTML Forms Education Forms for Enterprise
                          Contact Forms E-commerce Forms for any business
                          Lead Generation Forms Healthcare Forms for Startups
                          Wordpress Forms Customer onboarding Order Forms for Small Business
                          No Code Forms Construction RSVP tool for holidays
                          Free Forms Travel
                          Prefill Forms Non-Profit

                          Intake Forms Legal
                          Mobile App
                          Form Designer HR
                          Mobile Forms
                          Card Forms Food Offline Forms
                          Assign Forms Photography
                          Mobile Forms Features
                          Translate Forms Real Estate Kiosk in Mobile Forms
                          Electronic Forms

                          Notification Emails for Forms Alternatives Security & Compliance
                          Holiday Forms Google Forms alternative  GDPR
                          Form to PDF Jotform alternative HIPAA Forms
                          Email Forms
                          Encrypted Forms
                          Embeddable Forms
                          Secure Forms
                          Drag and Drop form builder



                                            You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.




                                                Manage your brands on social media

                                                  Zoho Desk Resources

                                                  • Desk Community Learning Series


                                                  • Digest


                                                  • Functions


                                                  • Meetups


                                                  • Kbase


                                                  • Resources


                                                  • Glossary


                                                  • Desk Marketplace


                                                  • MVP Corner


                                                  • Word of the Day


                                                    Zoho Marketing Automation

                                                      Zoho Sheet Resources

                                                       

                                                          Zoho Forms Resources


                                                            Secure your business
                                                            communication with Zoho Mail


                                                            Mail on the move with
                                                            Zoho Mail mobile application

                                                              Stay on top of your schedule
                                                              at all times


                                                              Carry your calendar with you
                                                              Anytime, anywhere




                                                                    Zoho Sign Resources

                                                                      Sign, Paperless!

                                                                      Sign and send business documents on the go!

                                                                      Get Started Now




                                                                              Zoho TeamInbox Resources



                                                                                      Zoho DataPrep Resources



                                                                                        Zoho DataPrep Demo

                                                                                        Get a personalized demo or POC

                                                                                        REGISTER NOW


                                                                                          Design. Discuss. Deliver.

                                                                                          Create visually engaging stories with Zoho Show.

                                                                                          Get Started Now









                                                                                                              • Related Articles

                                                                                                              • Implementing a secure user authentication for help center using JWT

                                                                                                                User authentication and data exchange play a crucial role in today's interconnected digital world. The increasing reliance on online services, cloud computing, and the exchange of sensitive information necessitates robust mechanisms to verify the ...
                                                                                                              • Setting up the ASAP Help Widget on the Web

                                                                                                                Introduction The ASAP help widget for websites makes your help center easily available for your end-customers. By embedding this widget with your website, you can provide your customers with easy access to your: Customer support team (to raise ...
                                                                                                              • How to enable security and privacy settings on the ASAP Help Widget

                                                                                                                Protecting the privacy and security of your users is of the utmost importance when setting up an ASAP help widget. It is recommended that you establish trusted domains and enforce identity verification (IDV). This will prevent privacy violations and ...
                                                                                                              • How to install an ASAP Help Widget

                                                                                                                The ASAP (App Support Across Platforms) help widget in Zoho Desk is a stand-alone application that provides users with an in-app self-service platform. It works in tandem with your business and allows you to to integrate help center features directly ...
                                                                                                              • How to set the welcome message on the ASAP Help Widget

                                                                                                                Specifying the Welcome Message A personalized welcome message can serve as a friendly greeting for customers when they first access your ASAP help widget. You can include a brief introduction about your service and explain how it can benefit them, ...
                                                                                                                Wherever you are is as good as
                                                                                                                your workplace

                                                                                                                  Resources

                                                                                                                  Videos

                                                                                                                  Watch comprehensive videos on features and other important topics that will help you master Zoho CRM.



                                                                                                                  eBooks

                                                                                                                  Download free eBooks and access a range of topics to get deeper insight on successfully using Zoho CRM.



                                                                                                                  Webinars

                                                                                                                  Sign up for our webinars and learn the Zoho CRM basics, from customization to sales force automation and more.



                                                                                                                  CRM Tips

                                                                                                                  Make the most of Zoho CRM with these useful tips.



                                                                                                                    Zoho Show Resources