[SalesForce] Named Credentials – What is the difference between JWT & JWT Token Exchange

When setting up a named credential with Identity Type as Named Principal, two options are shown for JWT: JWT and JWT Token Exchange.

Could anyone explain what is the difference between the two?

When JWT exchange is selected, two additional attributes Scope and Token Endpoint URL are shown.

This kind of makes sense to me: the URL attribute at the top is the endpoint URL for the service to which the call needs to be made, and the Token Endpoint URL is the one to which the JWT will be sent to get the access token.

Other than that, I am not sure what the difference is.
When JWT is selected instead of JWT Exchange, does Salesforce assume that the service endpoint URL and the authentication token endpoint URL are the same?

Named Credential Creation Screen

Best Answer

JWT Token: SF will issue the token for you. When your code uses the named credential to call your 3rd party service, SF will send the newly issued JWT token to your 3rd party service as a bearer token (a type of access token).

JWT Token Exchange: SF will issue a JWT and send it to the external authorization service. The authorization service will exchange the provided JWT token for the access token. When your code uses the named credential to call your 3rd party service, SF will send the access token received from authorization service to your 3rd party service as a bearer token. The Scope is the scope of the access token you're requesting and Token Endpoint URL is the endpoint of the authorization service.

The "service endpoint URL" (URL field on the Named Credential screen) is definitely not the same as the Token Endpoint URL.

You would use the JWT Token option if the 3rd party service you're calling supports JWT as a bearer token for authorization.

You would use the JWT Token Exchange option if

  1. The 3rd party service you're calling supports some token format (let's call it X) as a bearer token for authorization AND
  2. X is not JWT (...or not JWT that you can get from Named Cred out of the box) AND
  3. You have an authorization service that can exchange JWT for X.

This flow is very similar to the OAuth JWT Bearer flow that SF supports for inbound calls.