6

I'm writing an application to sync some data from a service to salesforce and back. I'm working with a developer account and so far I was able to implement the bulk of the needed functionality merely using OAuth password authentication.

Now I want to begin to use a real, more secure, authentication/authorization scheme. JWT seems to be the best way for a server to talk to salesforce.

My question is:

How to share certificates between the two?

Should I ask the user to create a new app and certificate providing it to me (this defeats the point of having an "app")?

Should I provide the public certificate to the client so he can install it in his keystore? (this would be optimal since there is no secret sharing but still trust between the app and salesforce)

LoG
  • 161
  • 6

1 Answers1

5

The JWT Authentication Flow can be initiaded using the usual OAuth2 Authorization Flow.

Setup:

  • Setup the App, get the required client_key and client_secret Build > Create > Apps
  • Create a new Keypair using the Salesforce page Administer > Security Controls > Certificate and Key Management. Both the public and private key can (and should) be saved.
  • Attach the public key to the previously created application Setup > Build > Create > Apps

Usage:

The app will need to be Authorized on the client account. It will inherit all the access permissions of the user. As usual the only way to Authorize the app is OAuth2 (I should have seen it coming).

In the end the app will need to be autorized by the user, the client's instance will add the public certificate of the app to it's own trusted keystore and finally happily decrypt the JWT. There is no formal certificate exchange, it is implicit in the OAuth Authorization.

I only wish SF's documentation could be a bit better at explaining the keyword Authorization. Sometimes it is not clear.

LoG
  • 161
  • 6