Understanding the enhanced JWT mechanism for Authenticating Users in the ASAP Help Widget
Types of Users
End-users can be categorized as guests or authenticated users based on how they log in to the ASAP add-on.
Guest Users
Guests are users who do not sign in while logging in to the ASAP add-ons. They can access the Knowledge Base module, submit a ticket, view their community's forums, and chat with the support agents.
Authenticated Users
Authenticated users who log in to the ASAP add-on. They can access the Knowledge Base module, submit a ticket, view their community's forums, chat with support agents, actively participate in their community, and perform actions, such as following a topic, adding an issue, tracking a submitted ticket status and commenting on existing posts.
- On the ASAP add-on, you can determine the preferred modules and content that will be visible to your users.
- To activate the ASAP add-on, refer to the ASAP add-on for Web help doc.
Importance of the JSON Web Token
The Internet Engineering Task Force (IETF), the body that created the JWT standard, defines JSON Web Token (JWT) as "a compact, URL-safe means of representing claims to be transferred between two parties."
What are claims?
The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) form, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and encrypted.
The ASAP add-on provisioned via Zoho Desk is not a stand-alone app; it works with your business app, empowering it with the help center functionality.
When end-users log in to your business app, they might want to access all associated features, including the help center, through a single login.
Having to log in to the app with one set of credentials and the help center with another is inconvenient for the users because the services could use different authentication methods. This is where the new JWT authentication mechanism will make it easier for your users to access ASAP and the Help Center.
• JWT-based user authentication is only possible if Single Sign-On (SSO) is enabled in Zoho Desk. SSO provides flexibility to access different support systems using a single login credentials. If SSO is not allowed, end-users can only access the ASAP add-on as guest users.
• If you have a multi-branded portal, configuring SAML within the help center specifically for the ASAP department is sufficient. Otherwise, SAML needs to be configured in the default help center.
• If you have a multi-branded portal, configuring SAML within the help center specifically for the ASAP department is sufficient. Otherwise, SAML needs to be configured in the default help center.
How do I enable JWT?
JWT secret is the essential component for JWT-based authentication. This is the unique code shared when you set up the ASAP add-on on Zoho Desk. It is used for signing user details, and this signed piece of data is called the JWT token. The JWT secret is shared only once while registering the ASAP add-on.
Please store the secret in a highly secure location, and don't share it with untrusted parties.
How does the JWT mechanism work?
JWT mechanism verifies the authenticity of a user of the main app and provides them with permission to use the ASAP-driven help center with the same credentials.
The Authentication Flow
- End-users will log in to the ASAP add-on using the credentials for their business app.
- The app will send its client ID, client secret, and JWT token containing user details (user email address, email verification status, and login time interval) signed with the JWT secret to the Customer's server for verification.
- The server will then decrypt the JWT Secret key and do the following verification actions.
- If the logged-in user is valid and existing, the server will generate the JWT token, considering them valid users of the help desk portal.
- If the logged-in user is valid and new, the server will add them as a user first to the Database, then generate the OAuth token, considering them new help desk portal users.
- By validating the user's login credentials, Zoho's Auth Server will generate the OAuth token and sign the user to their app.
- The server will also throw an error message if the logged-in users are invalid.
How to enable the JWT authentication for Web
How to enable the JWT authentication for Mobile Platforms
What is the role of the JWT endpoint?
Users set up the server endpoint, the JWT endpoint, before configuring JWT authentication for the ASAP add-on. This endpoint contains the code that generates the JWT. The JWT endpoint must also constantly run the following program with the JWT secret generated for your add-on.
import io.jsonwebtoen.SignatureAlgorithm;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import java.io.UnsupportedEncodingException;
public static String generateJwt(String userToken) throws UnsupportedEncodingException
{
String secretKey = ""; //This value will be given once add-on is created. Then replace the provided value here
long notBeforeMillis = System.currentTimeMillis();
long notAfterMillis = notBeforeMillis + 300000;
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
byte[] apiKeySecretBytes = secretKey.getBytes();
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
JwtBuilder builder = Jwts.builder().signWith(signatureAlgorithm, signingKey);
String jwt = builder.claim("email_verified", true)
.claim("not_after", notAfterMillis)
.claim("not_before", notBeforeMillis)
.claim("email", <user_email_address_from_user_token>).compact();
return jwt;
}
Claims | Description |
Returns the email address of the user. | |
email_verified | A Boolean parameter that returns if the email address is verified or not and subsequently sends the OAuth token to the ASAP add-on. |
not_before & not_after | Defines the duration after which the JWT expires. The value of these claims must be in the Coordinated Universal Time (UTC) format and expressed in milliseconds. |
first_name | The first name of the user. |
last_name | The last name of the user. |
To ensure strong security, confirm that the time difference between the not_before & not_after parameters does not exceed 600000 milliseconds. (approximately ~ 10 minutes)
The JWT access token for the Web ASAP Help Widget will expire in one hour. Please ensure the JWT token in the provided code snippet is valid and up-to-date. It's important to note that after the token expires, it should only be generated and utilized on the server by the customer. Implementing the token on the client side may result in potential data leaks.
Code snippet to Authenticate users via the JWT mechanism on ASAP
The server generates the OAuth Token if the JWT token consists of logged-in user information and provides the generated OAuth token to a client. The client could then use that token to prove the authenticity of the 'logged in as a registered Zoho user'.
Web
The code to get Zoho's server to generate the JWT token.
window.ZohoHCAsapSettings={
userInfo :{
jwtToken : "generated-jwt-token"
}
}Android
MyApplication.deskInstance.loginWithJWTToken(String jwtToken, ZDPortalCallback.SetUserCallback callback)
iOS
This new login method will indicate that the passed token is a JWT token. Refer to this help documentation.
ZohoDeskPortalKit.login(withJWTToken: token, onCompletion: handler)React Native
This new login method will indicate that the passed token is a JWT token. Refer to this help documentation.
ZohoDeskPortalSDK.setJWTToken("JWT token",
(msg) => {
alert('Success Alert '+msg);
} , msg => {
alert('Failure Alert '+msg);
});User info script of ASAP JWT configuration should be done before loading the app's script
JWT Token Decoding
Points to Remember
1 The JWT token must be returned as a plain string.
2 The JWT token must contain the email, email_verified, not_before, and not_after claims.
3 A change in the app server time might affect the values set for the not_before and not_after params. Therefore, modify the JWT code when the app server time is changed, too.
4 Currently, only the HMACSHA256 algorithm is supported for signing in.
2 The JWT token must contain the email, email_verified, not_before, and not_after claims.
3 A change in the app server time might affect the values set for the not_before and not_after params. Therefore, modify the JWT code when the app server time is changed, too.
4 Currently, only the HMACSHA256 algorithm is supported for signing in.
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Implementing a secure user authentication for help center using JWT
This feature is released in a phased manner and will be available only to those who request for it. To request early access, click the registration link and provide your details. We will enable the feature for your Desk account. User authentication ...How to customize the ASAP SDK Help Widget UI?
The ASAP SDK allows you to customize the UI of the help widget as required. Predefined themes The SDK UI comes with two predefined themes: white and black. The following methods help you apply these themes. If you want to change the theme, first ...Working with the ASAP SDK for Flutter
The ASAP SDK provides easy-to-use code snippets that "effortlessly integrate Help Center Components" with your Flutter application, including the following: • Knowledge Base: Provide users with easy access to articles and FAQs, enabling them to find ...How to customize the ASAP SDK Help Widget UI?
The ASAP SDK allows you to customize the UI of the help widget as required. Predefined themes The SDK UI comes with two predefined themes: light and dark. Customized themes You can also override the default dark and light themes to make the SDK look ...Debugging JWT-Related Errors While Configuring the ASAP Add-On
While setting up an ASAP add-on for your web/mobile app, you might encounter an error related to JSON Web Token (JWT) configuration. It is essential to debug this error because user authentication in the ASAP add-on is possible only through JWTs. ...
New to Zoho LandingPage?
Zoho LandingPage Resources