This post is a part of the Identity Series.
OAuth Authorization Flows
- OAuth 2.0 Web Server Flow for Web App Integration
- OAuth 2.0 User-Agent Flow for Desktop or Mobile App Integration
- OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
- OAuth 2.0 Device Flow for IoT Integration
- OAuth 2.0 Asset Token Flow for Securing Connected Devices
- OAuth 2.0 Refresh Token Flow for Renewed Sessions
- OAuth 2.0 Username-Password Flow for Special Scenarios
- OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps
In this post I will be talking about the JWT Bearer Flow for requesting an OAuth 2.0 access token
**What is JWT used for ? **
- Propagate one’s identity between interested parties
- Propagate user entitlements between interested parties
- Transfer data securely between interested parties over a unsecured channel
- Assert one’s identity, given that the recipient of the JWT trusts the asserting party
JWT Bearer Token is a piece of information that you can present to some service that by virtue of you having it (you being the "bearer") grants you access to something.
JSON Web Token structure consist of three parts separated by dots (.), which are:
- Header
- Payload
- Signature
Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Prerequisites in this configuration
- Connected App
- Certificate
- Configuration
**Connected App Creation Process **
What is a connected App ?
Connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect.
Connected apps use these protocols to authenticate, authorize, and provide SSO for external apps
It is a framework used to
How is it used in this process ?
**Certificate and Private Key Creation Process **
What is a Certificate ?
What is a Private key ?
How is it used in this process ?
Create the certificate using Open SSl Commands
openssl req -newkey rsa:2048 -nodes -keyout PrivateKey.key -x509 -days 3650 -out certFile.crt
Then enter
- Country Name
- State or Province Name
- Locality Name
- Organization Name
- Organizational Unit Name
- Common Name
- Email Address
- Password
Then create a connected app with the crt certificate added in the digital certificate field and make sure you connected app oauth scope is same as the one in the screenshot
Then you can use this nodejs code with the generated private key and the consumer key of the connected app to test the JWT authorization process
app.js
var request = require('request');
var jwt = require('jsonwebtoken');
var key = require('fs').readFileSync('./privateKey.key', 'utf8');
var options = {
issuer: '3MVG9ahGHqp.k2_xJWFqMa_0.Sjm3JAVRwNf5ZeRrM5qel7a6ZXfBdQDYCJGD9FCP9rt15pSaFfvye8Umb7GN',
audience: 'https://login.salesforce.com',
expiresIn: 3,
algorithm: 'RS256'
}
var token = jwt.sign({ prn: '[Username]'}, key, options)
var post = {
uri: 'https://login.salesforce.com/services/oauth2/token',
form: {
'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion': token
},
method: 'post'
}
console.log('<<<<Start>>>>');
console.log(post);
console.log('<<<<Stop>>>>');
request(post, function(err, res, body) {
console.log(err);
console.log(res.statusCode);
console.log(body);
});
node app
And the response contains the access token to handle your DML operations
<?xml version="1.0" encoding="UTF-8"?>
<OAuth>
<scope>id api web visualforce chatter_api</scope>
<instance_url>https://na1.salesforce.com</instance_url>
<token_type>Bearer</token_type>
<access_token>00DB000000016kK!ARIAQPfbsILjfMO9jj2rMKnprMXwSmhLumEMpkjOaIacFNycKZQfUWmUsUblRuTil1b1Ro56_Fu7URzxa_vTH26JULV4Xlz7
</access_token>
</OAuth>
KeyTakeaways
- JWT can also be used with most trusted clients and meant only for the server to server communications
- With JWT you can pose as any user as there is no concept of password