Blog

Understanding JWT-Based Access Tokens in Salesforce

In Salesforce org integration, the importance of access tokens cannot be overstated. These tokens act as the key that grants access to your application to interact with Salesforce resources on behalf of users. While Salesforce offers a couple of options for access tokens, in this blog post, we’ll dive deep into the world of JSON Web Token (JWT)-based access tokens, exploring their advantages, structure, and how to enable them for your connected app.

Understanding JWT-Based Access Tokens

Salesforce provides two main types of access tokens: opaque tokens and JSON Web Token (JWT)-based access tokens. While opaque tokens are encoded strings that require a call to the Salesforce User Info endpoint to be decoded, JWT-based access tokens come in the form of a JSON object. This JSON object contains all the necessary information to authorize an application. This transparency allows for local token introspection, which can greatly enhance the efficiency and performance of your authorization processes.

Token Types Comparison

JWT-based access tokens have distinct functionalities and limitations when compared to opaque tokens. For instance, JWT-based tokens can exclusively be used to access REST APIs. To further understand the distinctions between these token types, Salesforce’s official documentation on “Access Tokens” can be referenced.

Token Format

JWT-based access tokens adhere to the structure of JSON Web Tokens, comprising three main components: header, payload, and signature. The header holds metadata about the token, including the algorithm used for token signing. Salesforce exclusively supports the RS256 algorithm for this purpose. The payload section consists of claims containing user, app, and token information. Lastly, the signature, derived from the header, payload, and a secret, ensures the token’s integrity.

Breaking Down the Header and Payload

The header of a JWT-based access token contains several claims:

  • alg (algorithm): Denotes the algorithm used for signing the token (RS256 in Salesforce’s case).
  • typ (type): Defines the token’s content type (JWT for JWT-based access tokens).
  • kid (key ID): Identifies the key used for token signing.
  • tty (token type): Specifies the token type (sfdc-core-token).
  • tnk (tenant key): Represents the tenant key for the issuing Salesforce org.
  • ver (version): Indicates the version of the JWT library.

Here’s an example header:

{
  "<strong>tnk</strong>": "example/00XXXXXX",
  "<strong>ver</strong>": "1.0",
  "<strong>kid</strong>": "CORE_ATJWT************",
  "<strong>tty</strong>": "sfdc-core-token",
  "<strong>typ</strong>": "JWT",
  "<strong>alg</strong>": "RS256"
}

The payload, on the other hand, holds required claims such as:

  • exp (expiration time): Specifies the token’s expiration time.
  • iss (issuer): Indicates the URL of the site issuing the token.
  • jti (JWT ID): Provides a unique identifier for the token.
  • sub (subject): Identifies the token’s subject (user).
  • scp (scopes): Lists the authorized scopes.

Optional payload claims encompass:

  • aud (audience): Defines the intended audience of the token.
  • client_id (consumer key): The consumer key of the connected app.
  • nbf (not before time): Token can’t be accepted before this time.
  • iat (issued at): Specifies the token’s issuance time.
  • rls (roles): Describes factors affecting access.
  • obo (on behalf of): Authorizes actions on behalf of a user.

Here’s an example payload:

{
  "<strong>scp</strong>": "api",
  "<strong>aud</strong>": ["https://example.com"],
  "<strong>sub</strong>": "uid:005x00000000001",
  "<strong>nbf</strong>": "1675197036",
  "<strong>iss</strong>": "https://example.com",
  "<strong>exp</strong>": "1675198836",
  "<strong>iat</strong>": "1675197036",
  "<strong>jti</strong>": "xRb**********",
  "<strong>obo</strong>": "uvid:abcd-1234-efgh",
  "<strong>client_id</strong>": "***********"
}

Enabling JWT-Based Access Tokens

Now that we’ve explored the intricacies of JWT-based access tokens, let’s delve into enabling them for your connected app.

Required Permissions

Before proceeding, ensure you have the necessary permissions to create, read, update, or delete connected apps. You’ll need “Customize Application” and either “Modify All Data” or “Manage Connected Apps” permissions.

Steps to Enable JWT-Based Access Tokens

  1. Navigate to Setup and search for “App Manager.”
  2. Locate your app and click “Edit.”
  3. Under “API (Enable OAuth Settings),” select “Issue JSON Web Token (JWT)-based access tokens for named users.”
  4. Save your settings.

If you’ve installed the app, subscribers need to enable JWT-based access tokens explicitly. This can be done by enabling the “Issue JSON Web Token (JWT)-based access tokens” policy in the connected app’s policies.

  1. Access your connected app policies from Setup.
  2. Click “Edit Policies.”
  3. Select “Issue JSON Web Token (JWT)-based access tokens.”
  4. Configure the Token Timeout option.
  5. Save your changes.

It’s important to note that JWT-based access tokens can’t be individually revoked for a specific connected app or user, but they can be revoked collectively if necessary.

Revoking JSON Web Token (JWT)-Based Access Tokens

As you delve deeper into harnessing the capabilities of JSON Web Token (JWT)-based access tokens within Salesforce, it’s essential to understand how to effectively manage these tokens, especially when the need arises to revoke them. Revoke, in this context, implies invalidating the signing keys of these tokens, effectively terminating all associated user sessions. This process ensures security and control over the access granted through these tokens. Let’s explore the intricacies of revoking JWT-based access tokens and the necessary steps to accomplish this.

Revoke for Enhanced Control

Revoking JWT-based access tokens becomes necessary in scenarios where you need to swiftly terminate a user’s access to Salesforce resources. Whether it’s due to security concerns or changes in user privileges, the ability to revoke these tokens provides you with enhanced control over your Salesforce ecosystem.

Required Editions and User Permissions

This revocation functionality is available in both Salesforce Classic and Lightning Experience.

To successfully manage and revoke these tokens, certain user permissions are required. These permissions ensure the proper customization and management of your connected apps:

  • To manage connected apps (read, create, update, delete), you need “Customize Application” permission along with either “Modify All Data” or “Manage Connected Apps” permission.
  • For more specific access, such as updating Profiles, Permission Sets, and Service Provider SAML Attributes, you need “Customize Application,” “Modify All Data,” and “Manage Profiles and Permission Sets” permissions.
  • For consumer key and secret rotation, the “Allow consumer key and secret rotation” permission is needed.
  • To install and uninstall connected apps, “Customize Application” and either “Modify All Data” or “Manage Connected Apps” permissions are required.
  • Additionally, for installing and uninstalling packaged connected apps, “Customize Application,” “Modify All Data,” “Manage Connected Apps,” and “Download AppExchange Packages” permissions are necessary.

The Revocation Process

Revolving JWT-based access tokens involve a few straightforward steps:

  1. From the Setup menu, navigate to the Quick Find box and search for “OAuth,” then select “OAuth and OpenID Connect Settings.”
  2. Within the OAuth and OpenID Connect Settings, locate the “Revoke Tokens” option.
  3. Upon initiating the revocation process, you’ll encounter a warning message. If you decide to proceed, click “Revoke” once again to confirm.

It’s important to note that when revoking JWT-based access tokens, refresh tokens associated with them are not automatically revoked.

The ability to revoke JSON Web Token (JWT)-based access tokens provides you with an essential tool to maintain security, control, and compliance within your Salesforce ecosystem. Whether it’s a change in user access or a security concern, the straightforward revocation process ensures that access is promptly terminated and sensitive resources are safeguarded. By understanding the required permissions and following the steps outlined above, you can confidently manage and control token access within your Salesforce instance, contributing to a secure and well-managed environment.

Embracing Efficient Integration

JSON Web Token (JWT)-based access tokens offer a transparent and efficient way to authenticate your connected app’s interactions with Salesforce resources. Their structured format, encompassing headers, payloads, and signatures, ensures secure communication while providing valuable user, app, and token information. By enabling JWT-based access tokens, you pave the way for seamless integration and improved performance within your Salesforce ecosystem. So, embrace the power of JWT-based access tokens and unlock a new level of integration capabilities.

About the blog

SFDCLessons is a blog where you can find various Salesforce tutorials and tips that we have written to help beginners and experienced developers alike. we also share my experience and knowledge on Salesforce best practices, troubleshooting, and optimization. Don’t forget to follow us on:

Newsletter

Subscribe to our email newsletter to be notified when a new post is published.

  • einstein-chat-bot
    How To Create an Einstein Bot in Salesforce?
    by Dorian Sabitov
    Salesforce Einstein Bot is a multilingual, automated customer service tool that improves customer interactions and reduces costs.
  • Salesforce Classic Encryption for Custom Fields Explained
    by Arun Kumar
    Salesforce Classic Encryption for Custom Fields allows users to encrypt custom text fields and control access to sensitive information at no additional cost.
  • The 10 Must-Know LWC Wire Adapters in Salesforce
    by Arun Kumar
    Salesforce’s Lightning Web Components (LWC) has revolutionized UI development with Wire Service (Wire Adapters), enabling effective communication with the Salesforce platform. This post explores ten popular LWC wire adapters, which fetch and manipulate data efficiently.
  • The Magic of Lightning Web Components (LWC) Wire Adapter
    by Arun Kumar
    Salesforce LWC Wire Adapter streamlines data flow, enhances modularity, and ensures code quality through automatic updates and loose coupling principles.
  • maximize-user-interaction-graphql-lwc-toast
    Maximize User Interaction: GraphQL, LWC, and Toasts
    by Arun Kumar
    This blog proposes a solution for improving user experience in Salesforce development. It addresses the problem of unclear messages when users don’t have access to specific records. The solution includes using GraphQL for efficient data fetching, Lightning Web Components for a responsive interface, the onrowaction event in lightning-datatable for smoother interactions, and custom toast messages for clearer communication. These strategies aim to create efficient and user-friendly applications.
Tags: , ,

Arun Kumar

Arun Kumar is a Salesforce Certified Platform Developer I with over 7+ years of experience working on the Salesforce platform. He specializes in developing custom applications, integrations, and reports to help customers streamline their business processes. Arun is passionate about helping businesses leverage the power of Salesforce to achieve their goals.

Leave a Reply