Understanding JWT-Based Access Tokens in Salesforce

Access tokens are central to Salesforce org integration: they are the credential that lets your application act on Salesforce resources on behalf of users. Salesforce offers a couple of access token options; this post focuses on JSON Web Token (JWT)-based access tokens, covering their advantages, their structure, and how to enable them for your connected app.

Understanding JWT-Based Access Tokens

Salesforce provides two main types of access tokens: opaque tokens and JSON Web Token (JWT)-based access tokens. Opaque tokens are encoded strings that must be sent to the Salesforce User Info endpoint to be decoded, whereas a JWT-based access token is a JSON object that carries all the information needed to authorize the application. That transparency allows local token introspection, which can noticeably improve the efficiency and performance of your authorization checks.

Token Types Comparison

JWT-based access tokens have distinct capabilities and limitations compared with opaque tokens. For instance, JWT-based tokens can only be used to access REST APIs. For the full list of differences between the two token types, see Salesforce’s official documentation on “Access Tokens.”

Token Format

JWT-based access tokens follow the JSON Web Token structure of three parts: header, payload, and signature. The header holds metadata about the token, including the algorithm used to sign it; Salesforce supports only RS256 for this purpose. The payload is a set of claims describing the user, the app, and the token itself. The signature, computed over the header and payload with a secret signing key, lets the recipient verify that the token has not been altered.

Breaking Down the Header and Payload

The header of a JWT-based access token contains several claims:

  • alg (algorithm): Denotes the algorithm used for signing the token (RS256 in Salesforce’s case).
  • typ (type): Defines the token’s content type (JWT for JWT-based access tokens).
  • kid (key ID): Identifies the key used for token signing.
  • tty (token type): Specifies the token type (sfdc-core-token).
  • tnk (tenant key): Represents the tenant key for the issuing Salesforce org.
  • ver (version): Indicates the version of the JWT library.

Here’s an example header:

The payload, on the other hand, holds required claims such as:

  • exp (expiration time): Specifies the token’s expiration time.
  • iss (issuer): Indicates the URL of the site issuing the token.
  • jti (JWT ID): Provides a unique identifier for the token.
  • sub (subject): Identifies the token’s subject (user).
  • scp (scopes): Lists the authorized scopes.

Optional payload claims encompass:

  • aud (audience): Defines the intended audience of the token.
  • client_id (consumer key): The consumer key of the connected app.
  • nbf (not before time): Token can’t be accepted before this time.
  • iat (issued at): Specifies the token’s issuance time.
  • rls (roles): Describes factors affecting access.
  • obo (on behalf of): Authorizes actions on behalf of a user.

Here’s an example payload:

Enabling JWT-Based Access Tokens

Now that we’ve explored the intricacies of JWT-based access tokens, let’s delve into enabling them for your connected app.

Required Permissions

Before proceeding, ensure you have the necessary permissions to create, read, update, or delete connected apps. You’ll need “Customize Application” and either “Modify All Data” or “Manage Connected Apps” permissions.

Steps to Enable JWT-Based Access Tokens

  1. Navigate to Setup and search for “App Manager.”
  2. Locate your app and click “Edit.”
  3. Under “API (Enable OAuth Settings),” select “Issue JSON Web Token (JWT)-based access tokens for named users.”
  4. Save your settings.

If the connected app was installed into your org rather than created there, subscribers must enable JWT-based access tokens explicitly by turning on the “Issue JSON Web Token (JWT)-based access tokens” policy in the connected app’s policies:

  1. Access your connected app policies from Setup.
  2. Click “Edit Policies.”
  3. Select “Issue JSON Web Token (JWT)-based access tokens.”
  4. Configure the Token Timeout option.
  5. Save your changes.

It’s important to note that JWT-based access tokens can’t be individually revoked for a specific connected app or user, but they can be revoked collectively if necessary.

Revoking JSON Web Token (JWT)-Based Access Tokens

Beyond enabling JWT-based access tokens, you need to know how to manage them, and in particular how to revoke them. Revoking, in this context, means invalidating the tokens’ signing keys, which terminates every user session that relies on them. The sections below cover when revocation is needed, the permissions it requires, and the steps to perform it.

Revoke for Enhanced Control

Revoking JWT-based access tokens becomes necessary in scenarios where you need to swiftly terminate a user’s access to Salesforce resources. Whether it’s due to security concerns or changes in user privileges, the ability to revoke these tokens provides you with enhanced control over your Salesforce ecosystem.

Required Editions and User Permissions

This revocation functionality is available in both Salesforce Classic and Lightning Experience.

To successfully manage and revoke these tokens, certain user permissions are required. These permissions ensure the proper customization and management of your connected apps:

  • To manage connected apps (read, create, update, delete), you need “Customize Application” permission along with either “Modify All Data” or “Manage Connected Apps” permission.
  • For more specific access, such as updating Profiles, Permission Sets, and Service Provider SAML Attributes, you need “Customize Application,” “Modify All Data,” and “Manage Profiles and Permission Sets” permissions.
  • For consumer key and secret rotation, the “Allow consumer key and secret rotation” permission is needed.
  • To install and uninstall connected apps, “Customize Application” and either “Modify All Data” or “Manage Connected Apps” permissions are required.
  • Additionally, for installing and uninstalling packaged connected apps, “Customize Application,” “Modify All Data,” “Manage Connected Apps,” and “Download AppExchange Packages” permissions are necessary.

The Revocation Process

Revoking JWT-based access tokens involves a few straightforward steps:

  1. From the Setup menu, navigate to the Quick Find box and search for “OAuth,” then select “OAuth and OpenID Connect Settings.”
  2. Within the OAuth and OpenID Connect Settings, locate the “Revoke Tokens” option.
  3. Upon initiating the revocation process, you’ll encounter a warning message. If you decide to proceed, click “Revoke” once again to confirm.

It’s important to note that when revoking JWT-based access tokens, refresh tokens associated with them are not automatically revoked.

The ability to revoke JSON Web Token (JWT)-based access tokens provides you with an essential tool to maintain security, control, and compliance within your Salesforce ecosystem. Whether it’s a change in user access or a security concern, the straightforward revocation process ensures that access is promptly terminated and sensitive resources are safeguarded. By understanding the required permissions and following the steps outlined above, you can confidently manage and control token access within your Salesforce instance, contributing to a secure and well-managed environment.

Embracing Efficient Integration

JSON Web Token (JWT)-based access tokens offer a transparent and efficient way to authenticate your connected app’s interactions with Salesforce resources. Their structured format, encompassing headers, payloads, and signatures, ensures secure communication while providing valuable user, app, and token information. By enabling JWT-based access tokens, you pave the way for seamless integration and improved performance within your Salesforce ecosystem. So, embrace the power of JWT-based access tokens and unlock a new level of integration capabilities.

About the blog

SFDCLessons is a blog where you can find Salesforce tutorials and tips written to help beginners and experienced developers alike. We also share our experience and knowledge of Salesforce best practices, troubleshooting, and optimization.

Arun Kumar

Arun Kumar is a Salesforce Certified Platform Developer I with over 7+ years of experience working on the Salesforce platform. He specializes in developing custom applications, integrations, and reports to help customers streamline their business processes. Arun is passionate about helping businesses leverage the power of Salesforce to achieve their goals.
