[SalesForce] Named credential: How to set up JWT

This is my first time setting up Named credentials with JWT, and I am a little bit confused. Currently to test the external api I am using postman:

Method:Post: https://api.xxx.com.au/login

{
"username": "myuser",
"password": "mypasswordabc123"
}

this returns

{
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiO.....",
    "refresh_token": "986db6f83dbc...."
}

then I can do a normal API using bearer token (the token value) and POST method to https://api.xxxx.com.au/bbb1

the problem that i am facing is, when I am going to create the named creential in salesforce, they are a lot of compulsory fields requested that I cant identify,not sure if this missing in the external doc, or is my unexperience with JWT

Issuer: (Specify who issued the JWT using a case-sensitive string): The external provider should provide me with this information? or is this the login URL? https://api.xxx.com.au/login

Named Principal Subject: (Static text, without quotes, that specifies the JWT's Subject for all token requests) is this the internal user in salesforce who will
be doing the API

Audiences: (External Service or other allowed recipients for the JWT. Store each audience as a case-sensitive string on a new line.)
Token Valid for (the external resource documentation doesnt say if it actually expires so I guess 1 day is good, and each day will re grab the token)

When I run the following

HttpRequest req = new HttpRequest();
req.setEndpoint('callout:NewCredential_JWT/bbb1');
req.setMethod('POST');
req.setBody('{"value": "myVal"}');
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());

I get the error, in Named credential JWT there is no option to add the username and password, as I did in postman

{"code":401,"message":"Invalid JWT Token"}

Not sure what I am missing

Best Answer

It looks like the JWT is issued by your target service @ https://api.xxx.com.au/login when you send in username/password. JWT feature of Named Credential is to have Salesforce issue JWT, a different use case. The token is signed by a private key so the issuer of the token (Salesforce vs your service) makes a difference, you can't mix and match them.

Related Solutions

[SalesForce] Using Named Credentials with OAuth 2.0 username & Password Authentication

As long as the Connected App you're using allows the refresh_token scope, salesforce will explicitly handle your OAuth session, including refreshing expired access tokens. Make sure you specify the correct values in the Scope field when creating the Named Credential. Just follow the directions exactly as specified in the blog post you've linked, and you should be good to go. Note that once you've configured this correctly, there's no need to call /services/oauth2/token, because you'll automatically have your access token maintained for you.

[SalesForce] Show user profile image – third party site

You might be able to add something to the headers or the page to be able to access the actual photo url, but I'd avoid the whole thing & provide the photo in another form, either in base64, or as a publicly linked (you can set up "private" links as well) ContentVersion.

Base64

Get PhotoUrl
Get PageReference Content
Save into field/return with other data
Use on page with img tag

Downsides: Spotty support (never had a problem unless its an email), large amount of text, may need to return per request depending on how you set your page up (best used as a saved database entry instead of getting a value with each request)

ContentVersion

Get the photo url
Create new content version
Upload Blob of User photo to the version
Share using built in link feature
Save link back to user (needs own context)
Return Link Url with user record
Display link on page

Downsides: Link is likely public to anyone with a copy of it, Setting this up to happen automatically is a pain, since you cant update a setup object & a non-setup object in the same context, Lots of extra objects involved to get the data to be shareable (ContentDocument, ContentVersion, User, etc)

Base64 Sample Code (Should run in dev console):

public static String GetBase64Content(String url) {
    String Base64Content = 'data:image/png;base64, '; 

    if (url != null) {
        PageReference imageSource = new PageReference(url); 

        Blob b = imageSource.getContent();

        Base64Content += EncodingUtil.base64Encode(b); 
    }

    return Base64Content; 
}

User u = [
    SELECT Id, FullPhotoUrl 
    FROM User 
    WHERE Id = :UserInfo.getUserId()
    LIMIT 1
];

String content = GetBase64Content(u.FullPhotoUrl);

// use like: 
// <img src="{!content}" />

You may need to store the base64 result either in a long/rich text field or in a json object, depending on how your server handles the data.

ContentVersion Demo

Creates a contentVersion using the blob from the users FullPhotoUrl, set to "publicly available", which creates a ContentDistribution, which you can query & get the ContentDownloadUrl from, which you can use in an img tag or store somewhere. Could be useful to create base64 or binary files on a target server.

private static ContentVersion CreateVersion(User u, Blob body) {
    return new ContentVersion(
        // https://salesforce.stackexchange.com/questions/117113/migrating-chatter-files-attached-to-feed-comments
        OwnerId = UserInfo.getUserId(), // Has to be running user - won't be able to create otherwise.. 
        VersionData = body,
        Title = 'Profile Photo of ' + u.Name,
        PathOnClient = 'profilePhoto.png',
        Origin = 'H',
        Profile_Image_Owner__c = u.Id, 
        Externally_Available__c = true,
        FirstPublishLocationId = LibraryId  // Used Custom setting w/ specific id, should replace with target dir 
    );
}

User u = [
    SELECT Id, FullPhotoUrl 
    FROM User 
    WHERE Id = :UserInfo.getUserId()
    LIMIT 1
];

ContentVersion version = CreateVersion(u, new PageReference(u.FullPhotoUrl).getContent());

insert version;

ContentDistribution dist = [
    SELECT Id, DistributionPublicUrl, ContentDownloadUrl
    FROM ContentDistribution
    WHERE ContentVersionId = :version.Id
];

// Use like so:
// <img src="{!dist.ContentDownloadUrl}" />

// Need to update user to attach content url/id in a seperate context 
// Could also save user id to document & query, or return id in response from server

Best Answer

Related Solutions

[SalesForce] Using Named Credentials with OAuth 2.0 username & Password Authentication

[SalesForce] Show user profile image – third party site

Related Topic