How to securely store the Salesforce bearer token in Zendesk | Community

  • October 6, 2021
  • 3 replies
  • 0 views

Hello good afternoon to everyone.

A customer asked to do a salesforce integration for zendesk.

My question is, once I get the bearer token from Salesforce, how can I store it safely? I can't use localStorage.

The OAuth2 client method that Zendesk offers only allows me to put static values in the manifest, but I need the client ID and client secret to be dynamic so that each user who installs the app can log in through OAuth2.

3 replies

Eric27
  • October 12, 2021

Hey Javier,

When configuring oauth the client id and client secret are global for the entire account / service. So for your customer they will only need one client id and client secret for all of their users. Can you explain to me why each user would need to have entirely separate oauth clients? As for the bearer token, you could use a hidden parameter to store the bearer token. Then interact / update it via the metadata api method.

Hope this helps,

Have a wonderful day!

Eric Nelson | Manager - Developer Advocacy


Hi Eric! Thanks for the reply.

The application connects Zendesk tickets with information in salesforce. Each user who downloads it from the market should enter their own Salesforce credentials to authenticate the app.

Zendesk allows you to manage the OAuth2 flow in the manifest with the following:

    "oauth": {
        "scope": "restlets",
        "access_token_uri": "acces_token_uri/auth/oauth2/v1/token",
        "client_id": "client_id",
        "client_secret": "client_secret",
        "authorize_uri": "authorize_uri/app/login/oauth2/authorize.nl",
        "response_type": "code"
    }

I need to make the Salesforce credentials dynamic (client ID and client secret).
The option that you mention (hidden parameters) cannot be used because it is sensible information (token) from the client side.

Eric27
  • October 12, 2021

Hey Cossio,

Thanks for the clarification! Though I'm not sure what you mean by sensible information. The bearer token returned from Salesforce should be hidden as it is only needed for authentication / requests and not for general use by the end user. 

Due to that I'd suggest building your oauth configuration and flow into your application itself and use standard text parameters to have the users fill out the necessary criteria. 

For example, in your manifest file:

    "parameters": [
        {
            "name": "client_id",
            "type": "text",
            "secure": false,
            "required": true
        },
        {
            "name": "client_secret",
            "type": "text",
            "secure": false,
            "required": true
        }
    ],

Then utilize those parameters in your application itself to initiate and handle the oauth flow.
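The following is an added example, not code from this thread and not Zendesk's own code, that puts both suggestions above into one ZAF v2 flow: the secret-bearing parameters are marked `"secure": true` in the manifest rather than `false`, the OAuth token exchange and later Salesforce calls are sent through `client.request` with `secure: true` so the Zendesk proxy substitutes the `{{setting.*}}` placeholders server-side, and the returned bearer token is written back into a hidden installation setting via the installations API instead of localStorage. The `makeFakeClient` object is a constructed stand-in for what `ZAFClient.init()` returns; the parameter names (`client_id`, `client_secret`, `sf_bearer_token`, `sf_instance_url`), the Salesforce token endpoint path, the installations endpoint path and placeholder substitution inside `data` are assumptions.

```javascript
// Added example (not from the thread or Zendesk). Shows how a ZAF v2 app keeps the
// Salesforce client secret and bearer token out of browser-reachable storage.
// Parameter names, endpoint paths and placeholder handling in `data` are assumptions.

const SECRET_NAME_PATTERN = /secret|token|password/i;

// Review check for a manifest "parameters" array: any secret-looking parameter that
// is not marked secure is readable from the browser through client.metadata().
function findInsecureSecretParams(parameters) {
  return parameters
    .filter((p) => SECRET_NAME_PATTERN.test(p.name) && p.secure !== true)
    .map((p) => p.name);
}

// Token exchange (authorization_code grant). The client secret is a placeholder and
// `secure: true` routes the call through the Zendesk proxy, which fills it in;
// the browser never handles the real value.
function buildTokenRequest(settings, authCode, redirectUri) {
  return {
    url: `${settings.sf_instance_url}/services/oauth2/token`, // assumed SF path
    type: 'POST',
    secure: true,
    contentType: 'application/x-www-form-urlencoded',
    data: {
      grant_type: 'authorization_code',
      code: authCode,
      client_id: settings.client_id,
      client_secret: '{{setting.client_secret}}',
      redirect_uri: redirectUri,
    },
  };
}

// Persist the bearer token in a hidden installation setting (assumed endpoint:
// PUT /api/v2/apps/installations/{id}.json with a "settings" body).
function buildStoreTokenRequest(installationId, bearerToken) {
  return {
    url: `/api/v2/apps/installations/${installationId}.json`,
    type: 'PUT',
    contentType: 'application/json',
    data: JSON.stringify({ settings: { sf_bearer_token: bearerToken } }),
  };
}

// Later Salesforce calls: placeholder plus secure: true again, so the proxy injects
// the stored token instead of the app reading it from localStorage or a text field.
function buildSalesforceRequest(settings, path) {
  return {
    url: `${settings.sf_instance_url}${path}`,
    type: 'GET',
    secure: true,
    headers: { Authorization: 'Bearer {{setting.sf_bearer_token}}' },
  };
}

// Guard before sending: the request options must not carry a literal credential.
function containsRawCredential(options, rawValues) {
  const serialized = JSON.stringify(options);
  return rawValues.some((v) => Boolean(v) && serialized.includes(v));
}

// Constructed stand-in for the ZAF client: metadata() resolves to the same shape as
// the real one (installationId plus the non-secure settings); request() echoes the
// options it was given and a placeholder token.
function makeFakeClient() {
  return {
    metadata: () => Promise.resolve({
      installationId: 12345,
      settings: {
        client_id: 'CONSUMER_KEY_PLACEHOLDER',
        sf_instance_url: 'https://example.my.salesforce.com',
      },
    }),
    request: (options) => Promise.resolve({ sent: options, access_token: 'TOKEN_PLACEHOLDER' }),
  };
}

// End-to-end: exchange the code, store the token, and return the request that
// ran through the proxy so a reviewer can confirm no raw secret was in it.
async function exchangeCodeAndStoreToken(client, authCode, redirectUri) {
  const meta = await client.metadata();
  const tokenReq = buildTokenRequest(meta.settings, authCode, redirectUri);
  const tokenRes = await client.request(tokenReq);
  await client.request(buildStoreTokenRequest(meta.installationId, tokenRes.access_token));
  return { token: tokenRes.access_token, proxiedRequest: tokenRes.sent };
}

exchangeCodeAndStoreToken(makeFakeClient(), 'CODE_PLACEHOLDER', 'https://app.example/callback')
  .then((r) => console.log('proxied request used placeholder:', r.proxiedRequest.data.client_secret));
```

The manifest from the reply above, run through `findInsecureSecretParams`, flags `client_secret`; switching that parameter (and the hidden `sf_bearer_token` one) to `"secure": true` is what makes the placeholder substitution work, since only secure settings are filled in by the proxy.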