Salesforce Asked by chale on November 30, 2021
I build a third-party application that integrates with Salesforce using the REST API (connected app). We hit /services/oauth2/token to get a token for the user, then we verify the token using the associated RSA key from https://login.salesforce.com/id/keys. Here's the problem. In the past two months, we've started to get intermittent failures. You'll notice if you go to https://login.salesforce.com/id/keys and then refresh the page a couple times, you get random responses. You can tell by looking at the "kid" fields in the JSON. Often "kid": "222" is not present, for instance.

Is this expected from this endpoint? I would assume not, seeing as we only started getting errors from this in the past two months when we've had this integration for a couple of years.

I've also noticed that hitting the /id/keys endpoint from an org-specific domain like https://na49.lightning.force.com/id/keys always returns a consistent result, but never includes "kid": "228" like https://login.salesforce.com/id/keys sometimes does.

So is it safe to use the org-specific domain since it's consistent? Or does my server need to handle the inconsistency in order to support "kid": "228"?
There's a chain of custody you have to follow when retrieving the public key: the iss (Issuer) of the id_token you're trying to verify determines the location of the keys. By default, the issuer will be login.salesforce.com for a production org, but (for example) a community hosted in the same org will have a different issuer.

If the id_token issued by SF does not have a corresponding public key in the JSON Web Key Set (JWKS), then you can't validate the signature on the token and therefore cannot rely on this token. (Correspondence is established via kid.) As far as your client acting in the capacity of OpenID Connect Relying Party is concerned, when token validation fails, not using this token is your only app-level, programmatic recourse.

You could complain to Salesforce that you can't validate id_token due to a missing key. We haven't seen such a scenario, but if you have evidence of this, please let Salesforce know by opening a support case.
Answered by identigral on November 30, 2021
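The key-selection chain the answer describes, as an added example that is not part of the answer or of any Salesforce code: the token's iss picks the JWKS location, the header's kid picks the key, an unknown kid triggers one refresh of the cached key set, and a kid still missing after that rejects the token. The trusted-issuer set, the /id/keys path suffix and the fake_fetch responses are constructed assumptions; signature verification itself is left to a JWT library fed the returned key.

```python
import base64
import json
from typing import Callable, Dict, List

TRUSTED_ISSUERS = {"https://login.salesforce.com"}  # assumption: the only iss this client accepts

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_unsigned_token(header: dict, payload: dict) -> str:
    # Constructed test token: the third segment is a placeholder, no signature is checked here.
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.c2ln"

def jwks_url_for(issuer: str) -> str:
    # Chain of custody: the token's iss decides where the keys live; unknown issuers are rejected.
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {issuer}")
    return issuer.rstrip("/") + "/id/keys"  # assumed path layout, modelled on the question

class JwksCache:
    """Caches a JWKS per URL; on an unknown kid it re-fetches once, then fails closed."""

    def __init__(self, fetch: Callable[[str], dict]):
        self._fetch = fetch
        self._cache: Dict[str, List[dict]] = {}

    def key_for(self, url: str, kid: str) -> dict:
        for attempt in range(2):
            if url not in self._cache or attempt == 1:
                self._cache[url] = self._fetch(url).get("keys", [])
            for key in self._cache[url]:
                if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
                    return key
        raise LookupError(f"no RSA signing key with kid={kid!r} at {url}; reject the token")

def select_signing_key(id_token: str, cache: JwksCache) -> dict:
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    if "kid" not in header:
        raise ValueError("id_token header carries no kid")
    return cache.key_for(jwks_url_for(payload["iss"]), header["kid"])

# Constructed stand-in for the endpoint, mimicking the varying responses the question describes:
# the first response lacks kid 228, every later one includes it. The moduli are placeholders.
_RESPONSES = [
    {"keys": [{"kty": "RSA", "kid": "222", "use": "sig", "n": "placeholder", "e": "AQAB"}]},
    {"keys": [{"kty": "RSA", "kid": "222", "use": "sig", "n": "placeholder", "e": "AQAB"},
              {"kty": "RSA", "kid": "228", "use": "sig", "n": "placeholder", "e": "AQAB"}]},
]

def fake_fetch(url: str) -> dict:
    return _RESPONSES.pop(0) if len(_RESPONSES) > 1 else _RESPONSES[0]
```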