Newer Version Available

This content describes an older version of this product. View Latest

JWTUtil Class

Contains methods for validating a JSON Web Token (JWT) from an external identity provider as part of the OAuth 2.0 token exchange flow. Use these methods as part of the validateIncomingToken method in the Auth.Oauth2TokenExchangeHandler class.

Namespace

Auth

Usage

See Token Exchange Handler Validation and Subject Mapping.

If the methods in this class fail, Salesforce returns an Auth.JWTValidationException exception.

JWTUtil Methods

The following are methods for JWTUtil.

parseJWTFromStringWithoutValidation(incomingJWT)

Parses a JWT from an encoded string into a header, payload, and signature. Use this method to decode the JWT without validating it.

Signature

public static Auth.JWT parseJWTFromStringWithoutValidation(String incomingJWT)

Parameters

incomingJWT
Type: String
The JWT from your identity provider.

Return Value

Type:Auth.JWT

validateJWTWithCert(incomingJWT, certDeveloperName)

Parses and validates the JWT using a certificate saved in Salesforce. The certificate can be self-signed or signed by a certificate authority.

Signature

public static Auth.JWT validateJWTWithCert(String incomingJWT, String certDeveloperName)

Parameters

incomingJWT
Type: String
The JWT from your identity provider.
certDeveloperName
Type: String
A certificate saved in the Certificate and Key Management page in Setup.

Return Value

Type: Auth.JWT

validateJWTWithKey(incomingJWT, publicKey)

Parses and validates the JWT using a public key from the external identity provider.

Signature

public static Auth.JWT validateJWTWithKey(String incomingJWT, String publicKey)

Parameters

incomingJWT
Type: String
The JWT from your identity provider.
publicKey
Type: String
The public key from your identity provider.

Return Value

Type: Auth.JWT

validateJWTWithKeysEndpoint(incomingJWT, keysEndpoint, shouldUseCache)

Parses and validates the JWT using a remote JSON Web Key Set (JWKS) endpoint on your external identity provider.

Signature

public static Auth.JWT validateJWTWithKeysEndpoint(String incomingJWT, String keysEndpoint, Boolean shouldUseCache)

Parameters

incomingJWT
Type: String
The JWT from your identity provider.
keysEndpoint
Type: String
A URL pointing to a valid JSON Web Key Set (JWKS) endpoint on your identity provider. The JWKS returned by the endpoint must conform to the specification defined in RFC 7517: JSON Web Key (JWK).
To test HTTP callouts to the JWKS endpoint, use the Auth.HttpCalloutMockUtil class.
shouldUseCache
Type: Boolean
Indicates whether the cache is overwritten with the JWKS after validation. If false, the cache is overwritten with the JWKS after each successful JWT validation. If true, the JWKS is cached only if there is no existing JWKS in the cache; if there is a cached JWKS, it isn't overwritten.

Return Value

Type: Auth.JWT