
Add support for JWT Bearer Flow #97


AndrewRayCode opened this issue Apr 7, 2023 · 1 comment

Comments

@AndrewRayCode

This library does not support the required and best practice authentication mechanism of the "JWT Bearer Flow" https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_jwt_flow.htm&language=en_US&type=5 .

This is the standard way of doing machine-to-machine OAuth. You have support for setRefreshToken() but this isn't helpful, as the standard JWT bearer flow OAuth is what you need to do in order to get a token in the first place. Semi-related, the Ruby restforce gem has similar confusion and missing features around the JWT bearer flow.

FWIW here's what it looks like in a Postman pre-request script to get a proper access token with Salesforce, where you build a JWT with claims, sign it with the private key (part of the JWT bearer flow), and get back an access token that's valid for a few hours:

// Postman pre-request script: Salesforce OAuth 2.0 JWT bearer flow.
// jsrsasign expects browser globals; stub them so it loads in Postman's sandbox.
var navigator = {};
var window = {};

const jwt_header = {
  "alg": "RS256",
  "typ": "JWT"
};
const jwt_claims = {
  "iss": pm.collectionVariables.get("SALESFORCE_CONSUMER_KEY"), // connected app consumer key
  "sub": pm.collectionVariables.get("SALESFORCE_USERNAME"),     // user the token will act as
  "aud": "https://test.salesforce.com",                         // must match the login host in SALESFORCE_TOKEN_URL
  // exp is a NumericDate in seconds since the epoch (RFC 7519); Date.now() is milliseconds,
  // and Salesforce expects the assertion to expire within a few minutes.
  "exp": Math.floor(Date.now() / 1000) + 180
};
// The private key is stored base64-encoded in a collection variable; decode it back to PEM.
const private_key = atob(pm.collectionVariables.get("SALESFORCE_PRIVATE_KEY"));

// Fetch jsrsasign over HTTPS (plain http would let an on-path attacker swap the library
// that ends up handling the private key) and eval it into scope.
pm.sendRequest({
  url: 'https://kjur.github.io/jsrsasign/jsrsasign-latest-all-min.js',
  method: 'GET'
}, function (err, res) {
  if (err) {
    console.log('Failed to load jsrsasign:', err);
    return;
  }
  eval(res.text());

  // Sign base64url(header).base64url(claims) with the private key; this is the assertion.
  const signedJwt = KJUR.jws.JWS.sign('RS256', JSON.stringify(jwt_header), JSON.stringify(jwt_claims), private_key);
  // console.log('Assertion to send to Salesforce:', signedJwt);

  // Exchange the assertion for an access token at the token endpoint.
  pm.sendRequest({
    url: pm.collectionVariables.get("SALESFORCE_TOKEN_URL"),
    method: 'POST',
    header: {
      'Accept': 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: {
      mode: 'urlencoded',
      urlencoded: [
        { key: "grant_type", value: "urn:ietf:params:oauth:grant-type:jwt-bearer", disabled: false },
        { key: "assertion", value: signedJwt, disabled: false }
      ]
    }
  }, function (err, res) {
    if (err) {
      console.log('Auth err:', err);
      return;
    }
    const body = res.json();
    if (!body.access_token) {
      // Salesforce answers failures with {"error": ..., "error_description": ...}.
      console.log('Auth failed:', body);
      return;
    }
    pm.environment.set("instance_url", body.instance_url);
    pm.environment.set("authorization", body.access_token);
  });
});

It looks like this library may be abandonware; are there any forks which add this required auth mechanism?

@jesperfj
Owner

This library is indeed pretty old and is not receiving my attention on a regular basis. But I do check in on it now and then, so it's not complete abandonware :-)

It definitely makes sense to add JWT Bearer Token support. I don't know when Salesforce added support for that. I'll try to get around to it one of these days. Feel free to submit pull requests with test coverage!
