Receive incoming webhooks from zendesk

Question

question

larissa asked Jul 5, '17

Receive incoming webhooks from zendesk

Hey there :)

We've been trying to set up push notifications in PlayFab that are triggered by updates on tickets in our zendesk account. Unfortunately Zendesk seems to only support basic authentication in their webhook feature and won't let us set a custom header with the secret key (X-SecretKey) or session ticket (X-Authentication). Is there any other option in PlayFab that would let us receive incoming webhooks with either basic or no authentication? Or is there any chance this will become possible in the process of the development of the planned zendesk add-on?

Push Notifications Authentication webhooks

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 1 · 2017-07-06T07:16:44Z

brendan answered Jul 6, '17

Sorry, but allowing a completely insecure call to modify player data would be a pretty severe security problem, so it's not something we allow. Our planned Zendesk integration will provide for both player entered issues to generate tickets in your Zendesk account, as well as for query of active tickets for the player from your account.

4

10 |1200

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

larissa commented · Jul 06, 2017 at 09:34 AM

Maybe I'm misunderstanding you, but I don't see a security issue with what we want to do:

This is not about modifying player data, it's about receiving a notification (as in just a little ping with no actual sensitive data) on ticket changes so that we can subsequently query this tickets data from zendesk in a properly secured way (via a server cloudscript that sends a request to zendesks rest api) . We will then send a push notification to the user that the ticket belongs to. So the only thing that can be insecurely triggered is us checking a tickets status. It would be guaranteed that we only send a notification to the player whose ticket it is, not anyone else. A change of player data would not be required at all and ideally we'd still like to use the basic authentication that zendesk allows for.

So you are saying there is currently no way of receiving webhooks in any of the ways zendesk will let us (basic auth or no auth)?

And the zendesk integration will also work only via making frequent queries to zendesk rather than receiving a callback?

0 ·

brendan larissa commented · Jul 07, 2017 at 04:52 AM

The problem is that right now, what you're describing doesn't exist. So you would need to call a Cloud Script on behalf of the client or else write something to player data which is then checked by a periodic Scheduled Task - and allowing a non-secure call to do either of those is the risk I'm referring to.

When we have a complete Zendesk integration, it will include a callback path for Zendesk, exactly as we do for many of the other integrations in the service.

0 ·

larissa brendan commented · Jul 07, 2017 at 06:26 PM

Sorry, I think we've got a misunderstanding. Let me try to explain again.

Once we answer a ticket in Zendesk, we wanted to use the PlayFab Server API with our secret key to issue an HTTP request that would use the ExecuteCloudScript-function to write the support ticker answer to player data.

In order to able to do that we need to authenticate us. Unfortunately, Zendesk only allows us to use "Basic auth", and we're not able to change the header of the HTTP request. Hence, we can not write the secret key in the header as it is needed for PlayFab Server API Calls.

Now we wanted to ask if there's any hope that PlayFab might also accept basic auth. WIth basic auth, we would still send our secret key as the "password" field, and it would be just as secure - it's just a different HTTP request layout.

We thought that since a Zendesk add-on is planned, it might also be planned to support writing data from Zendesk to PlayFab when a ticker is answered.

0 ·

Show more comments

question