JWTUtil Class
Contains methods for validating a JSON Web Token (JWT) from an external identity provider
as part of the OAuth 2.0 token exchange flow. Use these methods as part of the validateIncomingToken method in the Auth.Oauth2TokenExchangeHandler class.
Namespace
Auth
Usage
See Token Exchange Handler Validation and Subject Mapping.
If the methods in this class fail, Salesforce returns an Auth.JWTValidationException exception.
JWTUtil Methods
The following are methods for JWTUtil.
parseJWTFromStringWithoutValidation(incomingJWT)
Parses a JWT from an encoded string into a header, payload, and signature. Use this
method to decode the JWT without validating it.
Signature
public static Auth.JWT parseJWTFromStringWithoutValidation(String incomingJWT)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
Return Value
Type: Auth.JWT
validateJWTWithCert(incomingJWT, certDeveloperName)
Parses and validates the JWT using a certificate saved in Salesforce. The certificate can
be self-signed or signed by a certificate authority.
Signature
public static Auth.JWT validateJWTWithCert(String incomingJWT, String certDeveloperName)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
- certDeveloperName
- Type: String
- The developer name of the certificate saved in Salesforce that is used to validate the JWT signature.
Return Value
Type: Auth.JWT
validateJWTWithKey(incomingJWT, publicKey)
Parses and validates the JWT using a public key from the external identity
provider.
Signature
public static Auth.JWT validateJWTWithKey(String incomingJWT, String publicKey)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
- publicKey
- Type: String
- The public key from the external identity provider that is used to validate the JWT signature.
Return Value
Type: Auth.JWT
validateJWTWithKeysEndpoint(incomingJWT, keysEndpoint, shouldUseCache)
Parses and validates the JWT using a remote JSON Web Key Set (JWKS) endpoint on your
external identity provider.
Signature
public static Auth.JWT validateJWTWithKeysEndpoint(String incomingJWT, String keysEndpoint, Boolean shouldUseCache)
Parameters
- incomingJWT
- Type: String
- The JWT from your identity provider.
- keysEndpoint
- Type: String
- A URL pointing to a valid JSON Web Key Set (JWKS) endpoint on your identity provider. The JWKS returned by the endpoint must conform to the specification defined in RFC 7517: JSON Web Key (JWK).
- To test HTTP callouts to the JWKS endpoint, use the Auth.HttpCalloutMockUtil class.
- shouldUseCache
- Type: Boolean
- Indicates whether an existing cached JWKS is reused instead of being overwritten after validation. If false, the cache is overwritten with the JWKS after each successful JWT validation. If true, the JWKS is cached only if there is no existing JWKS in the cache; if there is a cached JWKS, it isn't overwritten.
Return Value
Type: Auth.JWT
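The following is an added example, not code from the Salesforce documentation, showing how the methods above fit together in a helper for validateIncomingToken: the token is decoded without validation only to pick a JWKS endpoint from an allowlist of trusted issuers, then validated against that endpoint, and the issuer and audience of the validated token are checked before it is accepted. It assumes that Auth.JWT exposes getIss() and getAud(); the class name, issuer URL, JWKS URL and expected audience are placeholders.

```apex
// Added example (not Salesforce's own code). Assumes Auth.JWT has getIss() and getAud().
// URLs and the expected audience are placeholders for your identity provider and org.
public with sharing class TokenExchangeJwtValidator {
    // Allowlist of trusted issuers mapped to their JWKS endpoints (placeholder values).
    private static final Map<String, String> JWKS_BY_ISSUER = new Map<String, String>{
        'https://idp.example.com' => 'https://idp.example.com/.well-known/jwks.json'
    };
    // Audience the external identity provider is expected to put in the token (placeholder).
    private static final String EXPECTED_AUD = 'https://login.salesforce.com';

    // Returns the validated token, or null when the token must be rejected.
    public static Auth.JWT validate(String incomingJWT) {
        // Step 1: decode without validation, only to choose the JWKS endpoint.
        // Nothing in this payload is trusted until the signature has been checked.
        Auth.JWT unverified;
        try {
            unverified = Auth.JWTUtil.parseJWTFromStringWithoutValidation(incomingJWT);
        } catch (Auth.JWTValidationException e) {
            System.debug(LoggingLevel.WARN, 'Malformed JWT: ' + e.getMessage());
            return null;
        }
        String keysEndpoint = JWKS_BY_ISSUER.get(unverified.getIss());
        if (keysEndpoint == null) {
            System.debug(LoggingLevel.WARN, 'Untrusted issuer: ' + unverified.getIss());
            return null;
        }

        // Step 2: validate the signature against the issuer's JWKS.
        // shouldUseCache = true reuses a cached key set instead of overwriting it.
        Auth.JWT token;
        try {
            token = Auth.JWTUtil.validateJWTWithKeysEndpoint(incomingJWT, keysEndpoint, true);
        } catch (Auth.JWTValidationException e) {
            System.debug(LoggingLevel.WARN, 'JWT validation failed: ' + e.getMessage());
            return null;
        }

        // Step 3: re-check claims on the validated token; the routing value above
        // came from the unverified payload and must not be relied on by itself.
        if (!JWKS_BY_ISSUER.containsKey(token.getIss()) || token.getAud() != EXPECTED_AUD) {
            System.debug(LoggingLevel.WARN, 'Unexpected iss or aud in validated JWT');
            return null;
        }
        return token;
    }
}
```

In a test class, use Auth.HttpCalloutMockUtil to mock the JWKS callout rather than contacting the identity provider.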