Salesforce Asked by Andy Ray on November 11, 2021
Salesforce implements a non-standard client credentials OAuth flow for connected apps that want to do machine to machine authorization. Standard OAuth flow only requires a client ID and secret, while Salesforce requires a key, secret, and private key/certificate pair, and offers no explanation for not following the standard.
The certificate is uploaded to the connected app, and the external machine uses the private key of that cert as part of authentication. What happens when the uploaded certificate expires? Will connections to the application fail?
Emails will send automatically when certificates generated in the "Certificate and Key Management" page are approaching expiring. No such service is offered for connected app certs. So what happens when an app cert expires?
oAuth client credentials grant type is not supported by Salesforce at all. As you have discovered, in the Salesforce world a recommended alternative for service-to-service calls is JWT Bearer. It is standardized (RFC 7523), Salesforce was one of the RFC editors/authors.
When the app cert expires, nothing happens. From SF product management:
this is by design. Thought process is that that certificate is issued by another party whose responsibility it is to enforce the expiration. The behavior we have is tolerant of lapses in cert management.
Fortunate or unfortunate, that's the current behavior. From a standards' perspective this is a grey area - the signature on JWT is still valid and the public key contained within the certificate is still valid. It may be reasonable to assume that if a certificate acting as a container for public key has expired, Salesforce acting as the oAuth authorization service should not be able to use this public key to verify the signature on the incoming JWT. While this might be a common sense conclusion it's not explicitly spelled out in oAuth or JWT specifications.
According to the doc, you do get notified when the cert expires on the connected app. We have not seen this happen, thus suggesting workarounds below.
One workaround to lack of notification on expired cert is to upload the very same cert to Certificates and Key Management. Unfortunately you can't just upload a cert on its own, Certificates and Key Management (CKM) requires a keypair. You could import a keypair from a keystore in JKS format or generate a signing request via CKM, have your CA sign it and then import the result.
Another workaround is to create a process that looks at the cert attached to the connected app, determines if it's expired and sends a notification. This is far from trivial but doable.
Answered by identigral on November 11, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP