Integration Through JWT FLOW | Server-to-Server Integration | Salesforce

JWT Integration

1. This is used for Server-to-Server Integration Scenarios. 
2. This Flow Uses a certificate to sign the JWT request and doesn’t require explicit user interaction. However, this flow does require prior approval of the client app. 
3. Like Web Server Flow it is also Highly Secured. 
4. It did not provide Refresh Token like Web Server Flow. 
5. It Only generates an Access token. 
6. We can’t see the AccessToken in Debug log for Security Purposes.

JWT Structure

1. Header- {“alg ”:”RS256”} 
2. PayLoad (It Contains Claims Information which is an object containing information about the user and additional data.) 
3. The Parameters of JWT :

4. {
       “ISS”   - issuer(ClientId)
       “Sub”  - UserName
       “Aud”  - Audience
       “Exp” - Expiration time in UTC format 
   }

   Signature: <Headerbase64encodedurl>.<Claimbase64encodedclaims><Signature(use algorithm like RS256)> 

Don't forget to check out: Integration Using Named Credentials | Salesforce Developer Guide

Certificate And Private Keys

1. In JWT refresh token is not used. It only uses a refresh token but for generating the refresh token we need a certificate and private keys. 
2. We Use OPENSSL App for generating the Certificate and Private Keys. 

The Command for Generating The Certificate and Private Keys

Generate a private key, and store it in a file called server.key as follows:

openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048

openssl rsa -passin pass:SomePassword -in server.pass.key-out server.key 

Generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr. Enter information about your company when prompted. 

openssl req -new -key server.key-out server.csr  

Generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt. 

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key-out server.crt 

1. Copy the crt contents to a notepad and save this file with .pem extension. 
   

   Commands For Converting The Server.crt file to JKS Format

2. openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 
3. keytool -importkeystore -srckeystore abc.p12 \
           -srcstoretype PKCS12 \
           -destkeystore abc.jks \
           -deststoretype JKS 
4. default alias is 1 

This Server.crt Certificate is used in the Signature field in The Connected App. 

Import the JKS Format File In the Certificate And KeyManagement where Connected App is not Present. 

Check out another amazing blog by Mohit here: Named Credentials as Callout Endpoints - Salesforce Developer Guide

Code where we use this JKS certificate to Authorize An Org:

Reference Form Salesforce:  

https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_class_Auth_JWTBearerTokenExchange.htm 

Or  

We Can Skip this Part and Use Named Credential To generate an AccessToken by JWT Token Exchange Authentication Protocol. 

After Successfully Generating AccessToken: 

Here it Shows: Session Id Removed which means AccessToken Has been Successfully Generated but for Security purposes, we can’t debug it.