[SalesForce] Salesforce connecting to a JWT service via Named Credentials – JWT Token Exchange

Use Case

I would like to prepare a demo for a client where we can from Salesforce access a third-party API.

The authentication protocol for the external third-party API is

  1. SF will issue a JWT and send it to the external authorization service.
  2. The authorization service will exchange the provided JWT token for the access token.
  3. When calling the 3rd party service, SF will send the access token received from the authorization service to your 3rd party service as a bearer token.

Let's assume that the third-party API authorization service supports JWT as a bearer token for authorization.

Salesforce Org1 to Salesforce Org2

To verify the above I have set up two Salesforce Orgs. In one Salesforce Org1 I have set up a Connected App (see below). I have also created a self-signed certificate to be configured in the Connected App.

[screenshot: Connected App]

[screenshot: Certificate]

I then tested that I can connect to Salesforce Org1 Connected App from Mulesoft (see below):

[screenshot: Mulesoft connection test]

From Mulesoft I can now access the APIs exposed by the Salesforce Org1. However, what I have done next is to set up another Salesforce Org2 to call the APIs on Salesforce Org1. The final outcome is to show that from Named Credentials from Salesforce Org2 I can consume the APIs on Salesforce Org1 using the JWT Token Exchange option.

I then need to set up a Named Credential. Can anyone explain what I need to enter in the fields in the screenshot below? Is the issuer field the email address of the administrator that set up the Connected App in Salesforce Org1? In particular the JWT Signing Certificate: I do not have any certificate in my Salesforce Org2 yet.

[screenshot: Named Credential fields]

Thank you 🙂

Best Answer

Here is the configuration I have to have Salesforce 2 calling Salesforce 1 API:

In Salesforce 2: Named Credentials

  • Certificate: using one created from Salesforce 2 (Certificates and Key Management)
  • Identity Type: Per User
  • Authentication Protocol: JWT Token Exchange
  • Token Endpoint URL: https://login.salesforce.com/services/oauth2/token
  • Scope: api web refresh_token offline_access
  • Issuer: consumer key of connected app created in Salesforce 1
  • Per User Subject: username within double quotes of user in Salesforce 1 (ex: "myusername@example.com")
  • Audiences: https://login.salesforce.com
  • Token Valid For: 1 hour
  • JWT Signing Certificate: same as certificate

In Salesforce 1: Connected App

  • Using the digital certificate provided by Salesforce 2
  • Scopes: web, api, refresh_token and offline_access
  • Policies:
    • Permitted Users: Admin approved users are pre-authorized
    • Added admin profile for testing purposes

Calling Salesforce1 API:

// 'Trailhead_JWT' is the API name of the Named Credential in Salesforce 2. The path after
// 'callout:Trailhead_JWT' is appended to the Named Credential's URL, and Salesforce adds the
// Authorization: Bearer header itself, using the access token obtained via JWT Token Exchange.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:Trailhead_JWT/sobjects/Account/001...');
req.setHeader('Accept', 'application/json');
req.setHeader('Content-Type', 'application/json');
req.setMethod('GET');
System.debug(req);
// Send the callout; the token exchange and bearer header are handled by the Named Credential.
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());

Let me know if it helps!
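As an added example (not from the post, and not Salesforce's own code), this shows what the Named Credential fields in the answer become on the wire: the Issuer, Per User Subject, Audiences and Token Valid For values turn into the iss, sub, aud and exp claims of an RS256-signed JWT, which is then POSTed to the Token Endpoint URL as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jwt>; the receiving side (the Connected App in Salesforce 1) checks the signature against the uploaded certificate, then aud and exp, before issuing the access token. It assumes the Go standard library, a freshly generated test key standing in for the certificate's key pair, and constructed placeholder values for the consumer key and username.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding
// NewClaims maps the Named Credential fields onto JWT claims: Issuer -> iss (consumer key),
// Per User Subject -> sub (Org1 username), Audiences -> aud, Token Valid For -> exp.
func NewClaims(issuer, subject, audience string, now time.Time, validFor time.Duration) map[string]any {
	return map[string]any{"iss": issuer, "sub": subject, "aud": audience, "exp": now.Add(validFor).Unix()}
}

// BuildAssertion (Org2 side): RS256 over header.payload with the key behind the JWT Signing
// Certificate. The result is the "assertion" form field of the jwt-bearer token exchange.
func BuildAssertion(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig), err
}

// VerifyAssertion (Org1 side): signature against the uploaded certificate's public key, then
// aud and exp. The header alg is ignored on purpose: RS256 is pinned, not read from the token.
func VerifyAssertion(pub *rsa.PublicKey, token, wantAud string, now time.Time) (c map[string]any, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed JWT")
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	sig, err := b64.DecodeString(p[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	if payload, _ := b64.DecodeString(p[1]); json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad payload")
	}
	exp, _ := c["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0 (expired)
	if c["aud"] != wantAud || float64(now.Unix()) >= exp {
		return nil, errors.New("wrong audience or expired")
	}
	return c, nil
}
```

In the real setup the private key never leaves Salesforce 2 (it is the one behind the certificate created under Certificates and Key Management), and only the certificate is uploaded to the Connected App in Salesforce 1.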
