Problem Statement


How does JWT SSO work in Freshdesk? What happens when I set up JWT SSO?



Resolution Path


Freshworks JWT SSO is a service-provider (SP) initiated SSO, where the service provider is always Freshworks and the Identity Provider (IdP) is either a well-known IdP such as Azure, Okta or OneLogin, or the customer's own server running custom code that acts as an IdP. The flow used is strictly as per OAuth RFC 6749.


Assume you have an IdP with the domain example.com. example.com must expose an authorization endpoint; for illustration purposes, let's call it
https://example.com/auth

This is the Authorization URL that you will have to enter in the Freshworks SSO settings.


You will also have to enter the RSA public key that corresponds to the private key signing your JWT, so that Freshworks can verify the token you send with this public key.


What happens when I start the SSO process? (The flow below is the same for agents and for customers.) You can observe each step by capturing a HAR file once SSO is set up.


A request is constructed by Freshworks and sent to the authorization URL, as below:

https://example.com/auth?response_type=id_token&client_id=302836020429100183&scope=openid%20email%20profile&state=Y2xhc2h1bml2ZXJzYWxhc3Npc3QuZnJlc2h3b3Jrcy5jb207QVR5MUhESndrY3p2c3pqRFN4WjErb21lZWFpT2tpWUxGeXVFbVNmWFFWTT07eGIyQ2U1QUdTREdoV1lRSQ%3D%3D&redirect_uri=https://clashuniversalassist.freshworks.com/sp/OIDC/302836020429100183/implicit&nonce=xb2Ce5AGSDGhWYQI



All of the query parameters in the above request (response_type, client_id, scope, state, redirect_uri and nonce) are added by Freshworks and sent to your IdP endpoint.


Step 1: From these parameters your endpoint is expected to extract the following:

  1. state

  2. nonce

  3. redirect_uri



Step 2: Once your endpoint has extracted the above parameters, you will have to write the logic that constructs the token payload from the parameters given below:


| Param Name | Value Type & Example | Required / Optional | Description |
|---|---|---|---|
| sub | String "Messi10" | Required | The ID of the agent in the external system |
| email | String "messi@awesomecompany.com" | Required | The email address of the user who is to be logged in |
| iat | Number 1545894207 | Required | The value must be the number of seconds since the UNIX epoch. A maximum clock drift of 300 seconds is permitted. |
| nonce | String "23456781234" | Required | The nonce passed by Freshworks as part of the login request, to mitigate replay attacks. It is a random alphanumeric string and is valid only for 10 minutes from the time it is issued by FreshID. |
| given_name | String "Leo" | Required | First name or given name of the user |
| family_name | String "Messi" | Required | Last name or family name of the user |
| phone_number | String "1010101010" | Optional | Phone number of the user |
| picture | String "https://bit.ly/Lionel_Messi.jpg" | Optional | Profile picture URL of the user |



A sample payload looks like the following (note that iat is a number, not a string):

{
    "sub": "1234567890",
    "email": "messi@awesomecompany.com",
    "iat": 1545894207,
    "nonce": "123422",
    "given_name": "Sample",
    "family_name": "Lastname"
}






This payload is then signed and encoded into a JWT using a library at your end; the final id_token will look something like the one given below:


eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM




Step 3: Once you have constructed the token, append the state (the one you extracted in Step 1) and the generated token as the query parameters state and id_token to the redirect_uri (also extracted in Step 1), as below:


https://clashuniversalassist.freshworks.com/sp/OIDC/302836020429100183/implicit?state=Y2xhc2h1bml2ZXJzYWxhc3Npc3QuZnJlc2h3b3Jrcy5jb207QVR5MUhESndrY3p2c3pqRFN4WjErb21lZWFpT2tpWUxGeXVFbVNmWFFWTT07eGIyQ2U1QUdTREdoV1lRSQ==&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1ZTgzOSIsImVtYWlsIjoiand0dGVzdEBmcmVzaHdvcmtzLmNvbSIsImlhdCI6MTYyMDE0NjczMiwibm9uY2UiOiJ4YjJDZTVBR1NER2hXWVFJIiwiZmFtaWx5X25hbWUiOiJUZXN0IiwiZ2l2ZW5fbmFtZSI6IkpXVCIsImNvbXBhbnkiOiJ0ZXN0Y29tcGFueTEyMyIsImdpdmVubmFtZSI6Ik15IEdpdmVuIE5hbWUgaXMiLCJzdXJuYW1lIjoiUHJhc2FkIn0.AfeMfiatXINWAO2CwYs93GonKqpy_oSD5mSsunuCsBbH0Pw9uZRZM-CC0utMupl057tQlFaJe3YLUFgs-X1mUr9AZ6Tktq1aiAtblDQp6LKpCKEF7eH9gquVtb9q8f2DV6StvNeOE4CCTSgpWI8XtxZRM9P_r3CauXBoQSEeohg

In the above URL, constructed at the IdP end, the initial part before the ? is the redirect_uri (extracted in Step 1), the state query parameter is the state (also extracted in Step 1), and the id_token query parameter is the token constructed in Step 2.


If all the parameters (state, nonce and the id_token signature and claims) are correct, the user will be logged in.