I would like to redirect a logged in user(from our application) to the Freshdesk customer portal as a contact to view his tickets or submit a new ticket.
From the client side, the end-user would only need to click the “my tickets” button in the application and would be redirected to the customer portal through web view. The sign-in process to the customer portal will be handled in the backend so that they do not have to manually sign in to the customer portal.
I have looked through an article about the implementation of SSO with JWT. The article does almost fit in all our cases, except on one part, the login flow. In our case, the user will not be asked to enter the login information again, in the third step of the article guide, after the user is redirected to the authorisation url. And we would immediately create the JWT once we have got the “state” and “nonce” from the redirected url query parameters.
However, it will come to a problem, we are not able to pass in the customer information(email) from the client side to the authorisation part. Because the initial request we made(https://awesomecompany.com/dashboard/login) will be later redirected to the authorisation url.(https://awesomecompany.com/sso/jwt/login). This approach works until we want to put in the specific customer info in the authorisation part (signing of JWT). I have tried to hardcode the customer information, and it worked out perfectly.
We also have tried another approach, by separating them into two steps.
First, we retrieve the “state”, “nonce” from the first request, and pass back to the client side.
final session = await retrieveSession(); final nonce = session['nonce']; final state = session['state'];
Second step, once we have got the session data, we can sign them and get a JWT token, and redirect the user to the customer dashboard with the signed token.
final token = await getSignature(nonce, user, privateUser); return _api.api.baseUrl + APIPath.ticketingRedirect(state, token);
Constraint validation failed with reason: invalid state param or nonce param sent by idp
However, it seems like the nonce is expired and it is not valid anymore. Because we made two different http requests, one is to get the session data, and another is open the dashboard. I believe Freshworks did some session validation on that to mitigate the replay attacks as mentioned in the documentation.
I do some reading on the authorisation request. I tried several ways to pass some custom parameters from client side to authorisation url but they do not seem to work. Let me narrow down the problem to this.
Hopefully can get some insights from the community:)