Troubleshooting User Verification

Problem: Keys Fail to Upload to Salesforce

If your keys fail to upload in Salesforce Setup, answer these questions.

• Does your key include these required properties: kty, kid, alg, x5c?
• Is the string in the x5c parameter base64-encoded?
• Did you upload each key individually? You can’t upload the keys in one single JSON array.
• Does your key follow the JWK structure outlined below? Your key must follow this structure.

Sample JWK Structure

{
    "kid":"123456",
    "alg":"RS256",
    "use":"sig",
    "kty":"RSA",
    "x5c":["<Your public certificate>"],
    "y":"y",
    "n":"<Base64-encoded modulus>",
    "e":"<Base64-encoded public exponent>",
    "crv":"crv",
    "d":"d",
    "k":"k"
}

In some cases, the key fails to upload because of issues related to the certificate. Answer these certificate-related questions.

• Has the certificate expired? The certificate must be valid for at least 10 days.
• Are you generating the keys using the public certificate? Don’t use the private certificate.
• Is your certificate valid? To test your certificate, refer to the certificate guidelines below.

Certificate Test Guidelines

1. Create an empty text file, and give it the .pem extension.
2. Add -----BEGIN CERTIFICATE----- to the beginning of the file.
3. Copy the certificate from the JWK into a file.
4. Add -----END CERTIFICATE----- to the end of the file.
5. Run this keytool command.

keytool -printcert -file <PublicCertFilename.pem>

This command prints the certificate if it’s a proper public certificate.

Problem: User Verification Fails with the Provided Token

If user verification fails because of an issue with your token, answer these questions.

• Does your token header include these properties? alg, typ, kid
• Does your token body include these properties? sub, iss, exp
• Is the JWK uploaded in Salesforce Setup? See Set Up Token-Based User Verification.
• Does the uploaded JWK have the same kid value as the kid value in the JWT? You can inspect an encoded token at JWT.io.
  

  Warning Don’t share production JWTs with other organizations and don’t paste production JWTs into sites or tools.
• Does your JWT use the same issuer as the issuer that you specified in Salesforce Setup?
• Was the JWT created using the same JWKS uploaded and configured with the Messaging Channel?
• Is the JWKS for the private key used to sign the JWT? If the uploaded JWKS isn’t for the private key used to sign the JWT, validation fails.
• Are the `n` (modulus) and `e` (exponent) properties of the key Base64 URL encoded? You must Base64-encode these values.
• Is the key identifier the same for the public/private certificate pair?
• Is the expiry date valid for the certificate uploaded in Salesforce Setup? Confirm that it was.