Verify the JWT received by the secure endpoint
Hi,
Im building a zendesk app and have a question regrading the validation procedure for the JWT token received with signedUrls: true.
according to the documentation here:
i need the user name and password of a user in the instance in order to obtain the public key of the app and the installation id...
however, when published to the marketplace our app will be installed on different instances for which we obv don't have a user name or password..
can we expect the public key not to be changed or i'm missing something?
-
嗨伊!这是个好问题,似乎this is not something that we have clearly documented, so apologies for that.
When you're creating an installing an app, there are two IDs that exist: 1) the installation_id, which is specific to the version installed in each instance and 2) the app_id, which is the unique identifier for the app regardless of how many instances it is installed in. When you use the signed URLs functionality, you are using the app_id, which means that it will be the same in all instances that it is installed into. If you would like to test this, you can use thepreview appfunctionality, so that you can share it with another instance before you publish it to the marketplace.
Let us know if you have any other questions!
-
thanks for the answer greg. but in order to validate the jwt i need to get the public key of the app from this url:
curl https://{subdomain}.zendesk.com/api/v2/apps/{app_id}/public_key.pem
and this url is protected by user name and password which i dont have for this subdomain...
can i assume that the public key is shared across all instances as well? -
Yep, the public key will be the same for all instances! And when you need to request the installation_id further on, you can use theclient.metadata()object to get that information. Since the request is being made from their sidebar instance, it uses their credentials to return that data.
-
Thanks again for the fast response Greg. one more question on the installation_id.
i need the installation_id on the backend side not in the client side.
if i use the client.metadata() and send it to the server so it obviously won't be secured that the server relies on the installation id provided by the client itself..
how should i get in the backend without relying on the client?
Iniciar sesiónpara dejar un comentario.
4 Comentarios