Update examples for GET /access/jwt deprecation (#34)

* Update examples to include JWT generation only

All the examples previously used redirects which would trigger a GET
/access/jwt request with the JWT in the url string. To enhance security,
we are deprecating the GET /jwt endpoint in favor of POST /access/jwt
with the JWT in the body of the request which must be initiated from
the browser to ensure that cookies are set properly and that redirects
work correctly.

* Add JWT hidden form submission examples

The JWT must be submitted via a form submission as other POST requests
such as those generated by AJAX, axios, or fetch will be blocked by
CORS.

Author: danjrobertson

README.md

@@ -2,6 +2,10 @@
 
 The files in this repository are examples and not guaranteed to run or be correct. They should explain you how you can make Zendesk SSO work with JWT from your stack. Pull requests much appreciated.
 
+The `jwt_generation` folder contains examples on how to generate JWTs. You can generate JWTs on your server and return it to your client. You may also want to return the Zendesk JWT URL with your subdomain to prevent hardcoding it in your client code.
+
+The `form_submission` folder contains examples of how to trigger the POST request with the JWT in the body of the request. This must be done via form submission as other methods of creating POST requests such as axios or fetch will be blocked by CORS.
+
 ## Documentation
 
 Further documentation on JWT based Zendesk SSO is available [in our knowledge base](https://support.zendesk.com/hc/en-us/articles/4408845838874-Enabling-JWT-single-sign-on)

c_sharp_handler.cs

@@ -0,0 +1,22 @@
+<html>
+  <script>
+    function handleLogin(event) {
+      event.preventDefault();
+      // handle authenticating the user in your system and return the generated JWT
+
+      // (Assuming AJAX successfully returns a JWT)
+      // On Success - Add the JWT to a hidden form and submit
+      document.getElementById('jwtInput').value = response.data.jwt; // Extract the JWT from the response
+      document.forms['jwtForm'].submit();
+    }
+  </script>
+  ...
+  <div>
+    <form id="yourLoginForm" onsubmit="handleLogin()">
+      ...
+    </form>
+    <form id="jwtForm" method="post" action="https://{YOUR_ZENDESK_SUBDOMAIN}.zendesk.com/access/jwt">
+      <input id="jwtInput" type="hidden" name="jwt" />
+    </form>
+  </div>
+</html>

classic_asp_jwt.asp

@@ -0,0 +1,24 @@
+// make the request to your login service
+function handleLogin() {
+  const xhr = jQuery.post("/internal/login", $("#yourLoginForm").serialize());
+
+  xhr.success(function(data) {
+    // On successful login - add JWT to a hidden form and submit
+    // Return the JWT generated from your sever and the Zendesk 
+    // JWT URL, usually in the format of 
+    // https://{your_subdomain}.zendesk.com/access/jwt 
+    var form = $('<form />').attr("method", "POST").
+      attr("action", data['url'] + window.location.search);
+
+    $('<input />').attr("type", "hidden").
+      attr("name", "jwt").
+      attr("value", data['jwt']).
+      appendTo(form);
+
+    form.appendTo('body');
+    form.submit();
+  }).fail(function() {
+    // Handle login failures
+    alert("Authentication failed");
+  });
+}

classic_asp_jwt_with_ad.asp

@@ -0,0 +1,35 @@
+class JwtController < ApplicationController
+  ...
+  ZENDESK_SUBDOMAIN = ENV['ZENDESK_SUBDOMAIN']
+  # Zendesk will pass various params when redirecting you to your remote login URL
+  JWT_PARAMS = %i[return_to brand_id locale_id timestamp].freeze
+  ...
+
+  def create
+    if (user = User.authenticate(params[:login], params[:password]))
+      # Use your implemented JWT generation code. See ../jwt_generation/ruby_on_rails_jwt.rb for an example
+      @jwt = generate_jwt(user.name, user.email)
+      # handle any JWT generation errors
+
+      jwt_params = params.slice(*JWT_PARAMS).permit(*JWT_PARAMS)
+      # Ensure parameters that Zendesk passed to your remote login page are preserved
+      @url = "https://#{ZENDESK_SUBDOMAIN}.zendesk.com/access/jwt?#{jwt_params.to_query}"
+
+      render :create
+    else
+      render :new, notice: 'Invalid credentials'
+    end
+  end
+  ...
+end
+
+# jwt/create.html.erb
+<%= javascript_tag do %>
+  window.onload = function(){
+    document.forms['jwt_form'].submit();
+  }
+<% end %>
+
+<%= form_with url: @url, html: { id: 'jwt_form' } do |f| %>
+    <%= f.hidden_field :jwt, value: @jwt %>
+<% end %>

form_submission/javascript_jwt.html

@@ -0,0 +1,38 @@
+import { useRef } from 'react'
+
+const YOUR_ZENDESK_SUBDOMAIN = 'subdomain'
+
+function App() {
+  const formRef = useRef(null);
+  const inputRef = useRef(null);
+
+  const handleClick = async () => {
+    const response = await handleYourLogin()
+    // on successful user authentication, pass the JWT in the response
+    // extract the JWT from the response data
+    const jwt = response.data.jwt
+
+    // add the JWT to a hidden form on your login page
+    inputRef.current.value = jwt
+
+    formRef.current.submit()
+  }
+
+  return (
+    <div>
+      <YourLoginForm>
+        ...
+        <button
+          onClick={handleClick}
+        >
+          Log in
+        </button>
+      </YourLoginForm>
+      <form ref={formRef} action={`https://${YOUR_ZENDESK_SUBDOMAIN}.zendesk.com/access/jwt`} method="post">
+        <input ref={inputRef} type="hidden" name="jwt"></input>
+      </form>
+    </div>
+  );
+}
+
+export default App;