larissa asked

Receive incoming webhooks from Zendesk

Hey there :)

We've been trying to set up push notifications in PlayFab that are triggered by updates on tickets in our Zendesk account. Unfortunately Zendesk seems to only support basic authentication in their webhook feature and won't let us set a custom header with the secret key (X-SecretKey) or session ticket (X-Authentication). Is there any other option in PlayFab that would let us receive incoming webhooks with either basic or no authentication? Or is there any chance this will become possible in the process of the development of the planned Zendesk add-on?

Authentication, Push Notifications, webhooks

1 Answer

brendan answered

Sorry, but allowing a completely insecure call to modify player data would be a pretty severe security problem, so it's not something we allow. Our planned Zendesk integration will provide for both player-entered issues to generate tickets in your Zendesk account, as well as for query of active tickets for the player from your account.


larissa commented ·

Maybe I'm misunderstanding you, but I don't see a security issue with what we want to do:

This is not about modifying player data, it's about receiving a notification (as in just a little ping with no actual sensitive data) on ticket changes so that we can subsequently query this ticket's data from Zendesk in a properly secured way (via a server cloudscript that sends a request to Zendesk's REST API). We will then send a push notification to the user that the ticket belongs to. So the only thing that can be insecurely triggered is us checking a ticket's status. It would be guaranteed that we only send a notification to the player whose ticket it is, not anyone else. A change of player data would not be required at all and ideally we'd still like to use the basic authentication that Zendesk allows for.

So you are saying there is currently no way of receiving webhooks in any of the ways Zendesk will let us (basic auth or no auth)?

And the Zendesk integration will also work only via making frequent queries to Zendesk rather than receiving a callback?

brendan (replying to larissa) commented ·

The problem is that right now, what you're describing doesn't exist. So you would need to call a Cloud Script on behalf of the client or else write something to player data which is then checked by a periodic Scheduled Task - and allowing a non-secure call to do either of those is the risk I'm referring to.

When we have a complete Zendesk integration, it will include a callback path for Zendesk, exactly as we do for many of the other integrations in the service.

larissa (replying to brendan) commented ·

Sorry, I think we've got a misunderstanding. Let me try to explain again.

Once we answer a ticket in Zendesk, we wanted to use the PlayFab Server API with our secret key to issue an HTTP request that would use the ExecuteCloudScript function to write the support ticket answer to player data.

In order to be able to do that we need to authenticate ourselves. Unfortunately, Zendesk only allows us to use "Basic auth", and we're not able to change the header of the HTTP request. Hence, we cannot write the secret key in the header as it is needed for PlayFab Server API calls.

Now we wanted to ask if there's any hope that PlayFab might also accept basic auth. With basic auth, we would still send our secret key as the "password" field, and it would be just as secure - it's just a different HTTP request layout.

We thought that since a Zendesk add-on is planned, it might also be planned to support writing data from Zendesk to PlayFab when a ticket is answered.

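The header mismatch discussed in this thread, as an added example that is not code from any participant or from PlayFab: a relay-side check in Python that validates the Basic credentials a Zendesk webhook can send and only then builds a Server API request carrying `X-SecretKey`. It assumes the relay runs on a server you control and uses a webhook-only password, so the PlayFab secret key is never stored in Zendesk; the credentials, title id and the `onTicketUpdated` handler name are constructed placeholders, and the request is built but not sent.

```python
import base64
import hmac
import json
import urllib.request

# Constructed sample values; none are real credentials or a real title.
WEBHOOK_USER = "zendesk-hook"
WEBHOOK_PASSWORD = "constructed-webhook-password"
PLAYFAB_SECRET_KEY = "constructed-playfab-secret"
TITLE_ID = "TITLEID"  # placeholder title id


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, bad padding, or bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def webhook_is_authentic(header):
    """Constant-time comparison of the Basic credentials sent by the webhook."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), WEBHOOK_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), WEBHOOK_PASSWORD.encode())
    return user_ok and pass_ok


def build_playfab_request(header, playfab_id, ticket_id):
    """Translate an authenticated webhook into a Server API request, else None."""
    if not webhook_is_authentic(header):
        return None
    body = {"PlayFabId": playfab_id,
            "FunctionName": "onTicketUpdated",  # hypothetical Cloud Script handler
            "FunctionParameter": {"ticketId": ticket_id}}
    return urllib.request.Request(
        f"https://{TITLE_ID}.playfabapi.com/Server/ExecuteCloudScript",
        data=json.dumps(body).encode(),
        headers={"X-SecretKey": PLAYFAB_SECRET_KEY, "Content-Type": "application/json"},
        method="POST")
```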