Implementing a secure user authentication for help center using JWT

Implementing a secure user authentication for help center using JWT


User authentication and data exchange play a crucial role in today's interconnected digital world. The increasing reliance on online services, cloud computing, and the exchange of sensitive information necessitates robust mechanisms to verify the identity of users and secure the communication channels.

User authentication is the process of verifying the identity of an individual or system that is attempting to access a resource or a service. This ensures that only authorized users can access specific information or perform certain actions. Data exchange involves the secure transfer of information between two entities, ensuring confidentiality and integrity.


User authentication and data exchange are critical in various domains, including:

 

  • Online Services: Websites, email, social media, and e-commerce platforms
  • Financial Transactions: Banking, online payments, and cryptocurrency
  • Corporate Networks: Access to sensitive business information and resources
  • Healthcare: Patient data and medical records
  • Government Services: Secure access to citizen information and official records

 

It's vitally important to protect sensitive data, prevent unauthorized access, and ensure the privacy of individuals.

Different types of authentications 

There are several types of authentication methods available on the market, including:

 

  • Password-Based Authentication: Relies on something the user knows.
  • Biometric Authentication: Uses unique physical or behavioral traits (fingerprint, facial recognition).
  • Token-Based Authentication: Involves the use of physical or virtual tokens.
  • Multi-Factor Authentication (MFA): Combines two or more authentication factors for added security.

Where does JWT fall into these different authentications?

JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. JWT falls under token-based authentication, where a digitally signed token is generated and shared between the server and the client. It is often used for authentication and authorization purposes in web development. It is particularly useful in stateless authentication scenarios, where servers do not store session information and users can be authenticated based on the information encapsulated within the token. 

 

In general, JWT acts as a compact piece of information that enables websites and services to identify and trust users without the need for constant username and password requests.

Why use JSON Web Tokens?

Here are some scenarios where JWTs are useful:

 

  • Authorization: JWT is commonly used for user authorization. After a user logs in, subsequent requests include the JWT, granting access to allowed routes, services, and resources. It's particularly useful for Single Sign-On across different domains due to its efficiency and low overhead.
  • Information Security: JWTs serve as a secure means to exchange information between parties. By utilizing signatures, such as with public/private key pairs, you can ensure the authenticity of the senders. The computed signature using the header and payload also allows verification that the content hasn't been tampered.

JWT authentication for Desk help center 

In Zoho Desk, customers are classified as guests and authenticated users based on whether they want to log in to the help center or not.

 

  • Guest Users - Users who don't log in to the help center are called guests. They can read the knowledge base articles, submit a ticket, and view posts in the community. However, they cannot perform actions, such as following a topic, adding an issue, tracking a submitted ticket status, and commenting on existing posts.
  • Authenticated Users - Users who log in to the help center are called authenticated users. The authentication process for these users involves self-signup (creating an account in Zoho Desk Help Center), SAML or JWT authentication mechanism. Authenticated users can:
    • Access the knowledge base tab and view help articles
    • Submit and view the tickets that they have submitted
    • View the tickets of other users in their account
    • Post in the community including following and adding a topic
    • Add a comment to existing posts

Availability

Permission Required
Users with the Help Center (Support Channels) permission under Administrative Permissions can access this feature.
Check Feature Availability and Limits

JWT user authentication mechanism in help center

When a user logs in to the Help Center, the authentication process follows a secure sequence. 

  • Upon clicking the Sign In button in the Desk Help Center, the request is redirected to the Identity Provider (IdP) URL, which is typically a JWT issuer or a client-end database server. 
  • After validating the accuracy of the provided credentials, the JWT issuer generates a JSON Web Token (JWT). 
  • This JWT is then added to the Sign In URL, along with the return URL indicating where the user should be redirected after completing the login process. 
  • The JWT is encrypted and sent back to the Help Center, which forwards it to the Zoho IAM server. 
  • The IAM server decrypts the JWT token, authenticates the user using a JWT secret key, and verifies the credentials. 
  • Upon successful validation, the user is logged into the Help Center, adhering to the designated return URL.

Structure of JWT 


Claims
Consists
Header
Metadata about token (JWT type and signing algorithm)
Payload

Claims such as:

  • email
  • nbf (not before) - time before which the token should not be considered valid
  • exp (expiration time) - expiration time of the token
  • jti (JWT ID) - Used to uniquely identify the token. It ensures that a token is not reused for a particular user before its initial call has expired. The expiration time for the jti claim is set to be equal to the "exp" parameter.
Signature

Verifies the integrity of the token. Created by taking the encoded header, the encoded payload, and the JWT secret key and hashed using the HS256 algorithm.


Signature = base64 ( HS256 ( jwtHeader + "." + jwtPayload, private_Key ) )


Finally, Header, Payload and Signature values are appended as a JWT token.

 

JWT_Token = ( Header + "." + Payload + "." + Signature )




Sample JWT Script

import time
import jwt
from hashlib import sha256
 
def generate_jwt(payload, secret_key):
  """Generates a JWT using HS256.
  Args:
    payload: The JWT payload.
    secret_key: The secret key to use for signing.
  Returns:
    A string containing the JWT.
  """
  header = {
    "typ": "JWT",
    "alg": "HS256"
  }
  encoded_jwt = jwt.encode(payload, secret_key, algorithm="HS256")
  return encoded_jwt
 
# Example usage:
payload = {
        "jti" : sha256(str(time.time_ns()).encode('utf-8')).hexdigest(),
        "exp" : str(time.time_ns() + 300000),
        "nbf" : str(time.time_ns()),
        "email" : "demo@zylker.com"
}
 
secret_key = "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
 
jwtToken = generate_jwt(payload, secret_key)
print(jwtToken)

Configuring JWT authentication in Desk 

In Zoho Desk, admins can configure the JWT-based authentication mechanism for their help center. Configuration of JWT authentication mechanism involves the setup of various parameters such as remote login and logout url to ensure a seamless and secure authentication process. The key fields used in JWT configuration are Remote Login URL, Remote Logout URL, JWT Secret Key, and Signin End Point URL. 

 

  • Remote Login URL: This is important in the authentication process. It serves as the URL to which Desk Help Center redirects users for authentication. When users attempt to log in, they are redirected to this specified URL, where the authentication process takes place.

  • Remote Logout URL: This is the endpoint to which Desk Help Center directs users after they sign out. It plays a crucial role in managing user sessions and ensuring a secure logout process. Users are redirected to this URL to complete the logout procedure.

  • JWT Secret Key: This is a confidential key used to sign the JWT token. This key is employed in the creation of a secure token that verifies the authenticity of the information being exchanged between the help center and the authentication server. It ensures that the JWT token has not been tampered with during transmission.

  • Signin End Point URL: This is the endpoint where the JWT token is appended once it is created. After the JWT token is generated, it needs to be attached to the Signin End Point URL. During the authentication process, when the IdP server receives a callback from the Desk service, the 'serviceurl' parameter is passed as a query parameter. It is crucial to ensure that the same 'serviceurl' is sent in the 'return_to' URL during the redirection of the user. Once the authentication is successfully completed, the user is redirected based on the 'return_to' parameter. This ensures a seamless and secure return of the user to the appropriate service after authentication. 

 

Notes

  • The JWT secret key and Signin End Point URL is automatically generated upon entering the remote login and logout URLs.
  • A new JWT secret key will be generated whenever the authentication configuration is deleted.
  • The 'return_to' parameter has to set up by the user from the client side.To set up return to parameter follow the below steps:
    • The 'serviceurl' parameter is included in the user's login URL sent from the Desk side to the user's JWT IdP server. For instance, if the login URL is "http://Zylkerinc," the client-side user will receive a request like this:
      [http://Zylkerinc/?serviceurl=https://zylker.helpcenter.zohodesk.com%2Fportal%2Fhome."]


    • In the JWT (IdP) server, extract the 'serviceurl' from the received request and incorporate this 'serviceurl' into the 'return_to' parameter. For example, if the sign-in endpoint URL is [https://accounts.zohoportal.com/accounts/p/1034/signin/jwt/auth]

      the final URL, after appending the JWT token and 'return_to' parameter, will look like this:
      [https://accounts.zohoportal.com/accounts/p/1034/signin/jwt/auth?return_to=https://zylker.helpcenter.zohodesk.com/portal/en/home&jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJjYTJhMWMxNmM5Yjc2ZjQ.]


To configure JWT authentication for the help center


  1. In Zoho Desk portal, navigate to Setup (  ) > Channels > Help Center.
  2. Select the desired help center.
  3. Click User Authentication from the left pane.
  4. Navigate to JWT tab.
  5. Enter the Remote Login and Remote Logout URL.
  6. Upon entering the URLs, the JWT secret key and Sign-in End Point URL will be generated.


  7. Click Save.

Deleting JWT authentication   

Admins can delete the JWT authentication from the help center if needed. Following deletion, end-users are required to establish a self-sign-up to access and log in to the Help Center. It is important to consider the following implications when deleting JWT for single sign-on:

 

  • End-users who had a password on your Help Center account before enabling JWT single sign-on can use that to log in.
  • End-users who signed up for your Help Center after enabling JWT single sign-on will need to reset their password when they log in the next time. 

 

To delete JWT authentication for a help center


  1. Navigate to Setup (  ) > Channels > Help Center.
  2. Select the desired help center.
  3. Click User Authentication from the left pane.
  4. On the JWT page, click Delete in the bottom-right corner.
  5. Click Continue to confirm.