JWTUtil Class
Contains methods for validating a JSON Web Token (JWT) from an external identity provider
as part of the OAuth 2.0 token exchange flow. Use these methods as part of the validateIncomingToken method in the Auth.Oauth2TokenExchangeHandler class.
Namespace
Auth
Usage
See Token Exchange Handler Validation and Subject Mapping.
If a method in this class fails, Salesforce throws an Auth.JWTValidationException.
JWTUtil Methods
The following are methods for JWTUtil.
parseJWTFromStringWithoutValidation(incomingJWT)
Parses a JWT from an encoded string into a header, payload, and signature. Use this
method to decode the JWT without validating it.
Signature
public static Auth.JWT parseJWTFromStringWithoutValidation(String incomingJWT)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
Return Value
Type: Auth.JWT
validateJWTWithCert(incomingJWT, certDeveloperName)
Parses and validates the JWT using a certificate saved in Salesforce. The certificate can
be self-signed or signed by a certificate authority.
Signature
public static Auth.JWT validateJWTWithCert(String incomingJWT, String certDeveloperName)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
- certDeveloperName
- Type: String
- The developer name of the certificate saved in Salesforce that is used to validate the JWT.
Return Value
Type: Auth.JWT
validateJWTWithKey(incomingJWT, publicKey)
Parses and validates the JWT using a public key from the external identity
provider.
Signature
public static Auth.JWT validateJWTWithKey(String incomingJWT, String publicKey)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
- publicKey
- Type: String
- The public key from your external identity provider that is used to validate the JWT.
Return Value
Type: Auth.JWT
validateJWTWithKeysEndpoint(incomingJWT, keysEndpoint, shouldUseCache)
Parses and validates the JWT using a remote JSON Web Key Set (JWKS) endpoint on your
external identity provider.
Signature
public static Auth.JWT validateJWTWithKeysEndpoint(String incomingJWT, String keysEndpoint, Boolean shouldUseCache)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
- keysEndpoint
- Type: String
- A URL pointing to a valid JWKS endpoint on your identity provider. The JWKS returned by the endpoint must conform to the specification defined in RFC 7517: JSON Web Key (JWK).
- shouldUseCache
- Type: Boolean
- Indicates whether the certificate from the keys endpoint is cached.
Return Value
Type: Auth.JWT
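The following Apex is an added example, not code from this reference page or from Salesforce, showing how these methods fit together inside a token exchange handler: decode without validation only to make an early routing decision, validate the signature against the identity provider's JWKS endpoint, then enforce the issuer, audience, and subject claims that a signature check alone does not cover. It assumes the Auth.JWT getters getIss(), getAud(), and getSub(), a String constructor on Auth.JWTValidationException, and uses constructed placeholder values for the issuer, audience, and JWKS URL.

```apex
// Added example (not from the Salesforce reference page). Assumes the Auth.JWT getters
// getIss(), getAud() and getSub() and a String constructor on Auth.JWTValidationException.
// The issuer, audience and JWKS URL below are constructed placeholders.
public with sharing class ExampleJwtValidation {

    // Constructed placeholders: replace with the values of your identity provider.
    private static final String EXPECTED_ISSUER = 'https://idp.example.com/';
    private static final String EXPECTED_AUDIENCE = 'my-salesforce-connected-app';
    private static final String JWKS_ENDPOINT = 'https://idp.example.com/.well-known/jwks.json';

    // Validates the signature against the identity provider's JWKS, then enforces the
    // claims that the signature check does not cover. Call this from validateIncomingToken.
    public static Auth.JWT validateIncomingJwt(String incomingJWT) {
        // Step 1: decode only. Nothing read here is trusted, because
        // parseJWTFromStringWithoutValidation does not verify the signature;
        // the issuer is used solely to reject tokens we would never accept
        // before spending a callout on them.
        Auth.JWT unverified = Auth.JWTUtil.parseJWTFromStringWithoutValidation(incomingJWT);
        if (unverified.getIss() != EXPECTED_ISSUER) {
            throw new Auth.JWTValidationException('Unexpected issuer');
        }

        // Step 2: signature verification against the JWKS published by the identity
        // provider. Throws Auth.JWTValidationException on a bad signature or malformed token.
        Auth.JWT verified = Auth.JWTUtil.validateJWTWithKeysEndpoint(
            incomingJWT, JWKS_ENDPOINT, true);

        // Step 3: claim checks on the verified token. A valid signature only proves the
        // identity provider minted the token, not that it was minted for this org.
        if (verified.getIss() != EXPECTED_ISSUER) {
            throw new Auth.JWTValidationException('Issuer mismatch');
        }
        if (verified.getAud() != EXPECTED_AUDIENCE) {
            throw new Auth.JWTValidationException('Audience mismatch');
        }
        if (String.isBlank(verified.getSub())) {
            throw new Auth.JWTValidationException('Missing subject claim');
        }
        return verified;
    }
}
```

Because validateJWTWithKeysEndpoint contacts the identity provider, the JWKS URL must be reachable from the org and the claims read before validation must never drive an authorization decision.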