Checking why Zendesk server rejects a JWT token | Community

Checking why Zendesk server rejects a JWT token

  • November 4, 2021
  • 3 replies
  • 0 views

Paweł13

Hello,

I'm trying to integrate the Android Unified SDK with my mobile app and encountered a problem I cannot debug. I followed the documentation and set the JWT authentication in my initialization code (Zendesk.INSTANCE and Chat.INSTANCE). I also have a working dedicated JWT endpoint that returns valid JWT tokens (all 4 mandatory fields present, valid signature, iat is a whole number). However, the Zendesk server does not accept the token and returns 401 Unauthorized to the SDK.

AFAIK the message flow looks like this:

         POST https://{domain}.zendesk.com/access/sdk/jwt                      POST {my-jwt-endpoint}
+-----+ -------------------------------------------------> +----------------+ -----------------------> +-----------+
| SDK |                                                    | ZENDESK server |                          | my server |
+-----+ <------------------------------------------------- +----------------+ <----------------------- +-----------+
                         401 Unauthorized                                      200 {"jwt": "<token>"}

I double-checked all conditions mentioned in https://developer.zendesk.com/documentation/classic-web-widget-sdks/support-sdk/working-with-the-support-sdk/building-a-dedicated-jwt-endpoint-for-the-support-sdk/  and I still don't know why the server returns 401. The server is basically a black box for me since I cannot view its logs. Any idea what I am doing wrong?

Additional info:

The token payload:

{
  "name": "Paweł Kunat",
  "email": "2000jvtuefoh3xaabigzhoeloee@customers.pawabank.com",
  "phone": "+441025222",
  "jti": "20Rzzg327I1DjtcVVTwPZGaIVCS",
  "iat": 1636022451
}


SDK logs (heavily truncated, couldn't find any other relevant entries):

11-04 11:50:35.982  1675  2036 I okhttp.OkHttpClient: --> POST https://pawaful.zendesk.com/api/v2/answer_bot/interaction (163-byte body)
11-04 11:50:35.989 1675 2036 I okhttp.OkHttpClient: --> POST https://pawaful.zendesk.com/access/sdk/jwt (313-byte body)
11-04 11:50:36.801 1675 2036 I okhttp.OkHttpClient: <-- 401 https://pawaful.zendesk.com/access/sdk/jwt (812ms, 37-byte body)
11-04 11:50:36.803 1675 2036 I okhttp.OkHttpClient: <-- 400 Response body was null, failed to auth user. https://pawaful.zendesk.com/api/v2/answer_bot/interaction (820ms, 2-byte body)

Init code:

Zendesk.INSTANCE.init(context, baseUrl, appId, oauthClientId);
Identity identity = new JwtIdentity(token);
Zendesk.INSTANCE.setIdentity(identity);
Support.INSTANCE.init(Zendesk.INSTANCE);
AnswerBot.INSTANCE.init(Zendesk.INSTANCE, Support.INSTANCE);
Chat.INSTANCE.init(context, chatAccountKey);
Chat.INSTANCE.setIdentity(jwtCompletion -> jwtCompletion.onTokenLoaded(token));

Versions:

messaging 5.2.0
support 5.0.3
answerbot 3.0.2
chat 3.3.0

minSdkVersion 16
targetSdkVersion 29

Subdomain: pawaful

I'm wrapping the SDK with React Native, but it works fine with anonymous identity. Only JWT causes problems.

3 replies

Admin19
  • March 17, 2022

Same issue for me, it's quite blocking as we can't use features that require authenticated users.
Did you manage to solve it?

Sad to see that a company that sells support services doesn't have one that can provide an answer...


AD27
  • April 28, 2022

How did you generate iat and jti?
It's not mentioned in the documentation.


Admin19
  • April 28, 2022

Depends on how you build your JWT. We use the lib "jsonwebtoken" in nodejs.

iat is built based on the "expireIn" option.
jti is built by the lib.

Since last time, we had a response from Zendesk support, and the issue was that we used the same email for our test customer as the one for the Zendesk admin.
So if you use your pro email to log in to your app and as Zendesk admin, it will prevent you from authenticating to Zendesk services in the app.
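
A local pre-flight check for the conditions discussed in this thread (mandatory fields, signature, whole-number iat, and the admin-email collision reported in the last reply), as an added example that is not part of any post and not Zendesk's code. It assumes HS256 signing with the shared secret and that the four mandatory claims are name, email, jti and iat; `preflight`, `signHs256` and `staffEmails` are hypothetical names, and all sample values are constructed.

```javascript
// Added example: offline pre-flight check for a JWT from a dedicated JWT endpoint.
const crypto = require('crypto');

// Assumption: the four mandatory claims are those in the posted payload (phone is extra).
const REQUIRED = ['name', 'email', 'jti', 'iat'];
const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, input) => crypto.createHmac('sha256', secret).update(input).digest();

// Builds an HS256 token; used here only to create constructed sample tokens.
function signHs256(payload, secret) {
  const input = `${b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(secret, input))}`;
}

// Returns a list of problems; an empty list means every local check passed.
// staffEmails is a hypothetical list of addresses already used by Zendesk admins/agents.
function preflight(token, secret, staffEmails) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['token is not a three-part compact JWT'];
  let header, claims;
  try {
    [header, claims] = parts.slice(0, 2).map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
    if (!header || !claims || typeof claims !== 'object') throw new Error('not an object');
  } catch (err) {
    return ['header or payload is not base64url-encoded JSON'];
  }
  const problems = [];
  if (header.alg !== 'HS256') problems.push(`unexpected alg: ${header.alg}`);
  const expected = hmac(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    problems.push('signature does not verify with the shared secret');
  }
  for (const claim of REQUIRED) {
    if (claims[claim] === undefined || claims[claim] === '') problems.push(`missing claim: ${claim}`);
  }
  if ('iat' in claims && !Number.isInteger(claims.iat)) problems.push('iat is not a whole number');
  const email = String(claims.email || '').toLowerCase();
  if (staffEmails.map((e) => e.toLowerCase()).includes(email)) {
    problems.push('email is already used by a Zendesk admin or agent');
  }
  return problems;
}

// Constructed sample data (not real credentials or accounts).
const SECRET = 'constructed-shared-secret';
const STAFF = ['admin@example.com'];
const base = { name: 'Test Customer', email: 'customer@example.com', jti: 'constructed-jti-1', iat: 1636022451 };
console.log(preflight(signHs256(base, SECRET), SECRET, STAFF));
console.log(preflight(signHs256({ ...base, email: 'admin@example.com' }, SECRET), SECRET, STAFF));
```

A token that passes all of these can still be rejected server-side, but each reported problem is one fewer thing to guess at behind the 401.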