Generating a JWT Assertion
Perform the following steps in Salesforce to generate a JWT Assertion:
- Construct a JWT header with the following format:
  {"alg":"RS256"}
  Encode the header with Base64url.
- Construct a JSON Claims Set for the JWT with the following parameters and encode it with Base64url:
  - iss – The issuer must contain the OAuth client_id of the connected app for which you registered the certificate.
  - aud – The audience identifies the authorization server as an intended audience. The authorization server must verify that it is an intended audience for the token. Use the authorization server's URL for aud: https://login.salesforce.com or https://test.salesforce.com, or use https://community.force.com/customers if you are implementing for a community.
  - sub – The subject must contain the username of the Salesforce user, or of the Salesforce community user if implementing for a community. For backward compatibility, you can use principal (prn) instead of subject (sub). If both are specified, prn is used.
  - exp – The validity must be the expiration time of the assertion, within 3 minutes, expressed as the number of seconds since 1970-01-01T00:00:00Z measured in UTC.
  The following is an example of a JSON Claims Set for the JWT.
  {
    "iss": "3MVG99OxTyEMCQ3gNp2PjkqeZKxnmAiG1xV4oHh9AKL_rSK.BoSVPGZHQukXnVjzRgSuQqGn75NL7yfkQcyy7",
    "sub": "my@email.com",
    "aud": "https://login.salesforce.com",
    "exp": "1333685628"
  }
- Create a string from the encoded JWT Header and the encoded JWT Claims Set in this format:
  encoded_JWT_Header + "." + encoded_JWT_Claims_Set
- Download the X509 Certificate from the JKS.
- Sign the resulting string using RSA SHA256.
- Create an Assertion string in the following format:
  existing_string (the header.claims string created above) + "." + base64_encoded_signature
- API request to generate an Access Token from the JWT assertion:
  POST /services/oauth2/token HTTP/1.1
  Host: login.example.com
  Content-Type: application/x-www-form-urlencoded

  grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
  assertion=eyJpc3MiOiAiM01WRz...[omitted for brevity]...ZT
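The following is an added example, not Salesforce's code or any part of this page, that carries the steps above through in working Python: it builds the header and claims set, Base64url-encodes both without "=" padding (as JWS requires for all three segments, including the signature), signs the header.claims string with RSA SHA256, and then shows the checks the token endpoint must perform before it mints an access token (alg pinned to RS256, signature, iss, aud, exp within the 3-minute window, prn taking precedence over sub). Everything is assumption or placeholder apart from the page's own claim names and endpoint: the function names are hypothetical, PLACEHOLDER_CLIENT_ID stands in for a real connected-app client_id, and RSA is hand-rolled with a toy 1024-bit key generated at runtime so the block runs offline on the standard library. A real deployment signs with the private key whose X.509 certificate was uploaded to the connected app, using a vetted crypto library and a 2048-bit or larger key.

```python
# Added example (not Salesforce's code): build and check a JWT bearer assertion
# as the page describes. RSA is hand-rolled so the block runs on the standard
# library alone; the key is a toy 1024-bit pair generated at runtime.
import base64
import hashlib
import json
import random
import time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    """Base64url without '=' padding, as JWS requires for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demo key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024):
    """Return (n, e, d). Toy size: use 2048 bits or more for a real connected app."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 block for SHA-256(message): 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), d, n).to_bytes(k, "big")

def rs256_verify(message, sig, n, e):
    k = (n.bit_length() + 7) // 8
    # Re-encode and compare the whole block instead of parsing the padding.
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(message, k)

def build_assertion(client_id, username, audience, n, d, now=None, lifetime=180):
    """The page's steps: header, claims set, header.claims, RS256 sign, append signature."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "RS256"}, separators=(",", ":")).encode())
    claims = {"iss": client_id, "sub": username, "aud": audience, "exp": now + lifetime}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"  # exactly these bytes are signed
    return f"{signing_input}.{b64url(rs256_sign(signing_input.encode('ascii'), n, d))}"

def verify_assertion(token, expected_iss, expected_aud, n, e, now=None, max_lifetime=180):
    """Checks the token endpoint makes before minting an access token.
    Returns the claims on success, raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    if not rs256_verify(f"{header}.{payload}".encode("ascii"), b64url_decode(sig), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected iss")
    if claims.get("aud") != expected_aud:
        raise ValueError("unexpected aud")
    exp = int(claims.get("exp", 0))  # the page's example carries exp as a string
    if not now < exp <= now + max_lifetime:
        raise ValueError("exp missing, expired, or more than 3 minutes out")
    if "prn" in claims:  # backward compatibility: prn wins when both are present
        claims["sub"] = claims["prn"]
    return claims

if __name__ == "__main__":
    N, E, D = generate_rsa_key()
    tok = build_assertion("PLACEHOLDER_CLIENT_ID", "user@example.com",
                          "https://login.salesforce.com", N, D)
    print(tok)
    print(verify_assertion(tok, "PLACEHOLDER_CLIENT_ID", "https://login.salesforce.com", N, E))
```

The assertion printed by the block is what goes into the assertion= field of the POST /services/oauth2/token request shown above. Two details are worth checking in your own implementation: the signature must be Base64url-encoded with no padding, not plain Base64, and the signed bytes must be exactly the header.claims string that ends up in the token, so build that string once and reuse it rather than re-serialising the JSON.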