Create or Edit an OAuth External Credential with the JWT Bearer Flow
An OAuth 2.0 external credential that uses the JWT Bearer Flow sends a JWT (JSON Web Token) to an authorization provider in exchange for a token. The returned tokens authenticate calls to the endpoint defined in the named credential.
Required Editions
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Available in: all editions |
| User Permissions Needed | |
|---|---|
| To view external credentials: | View Setup and Configuration |
| To create, edit, or delete external credentials: | Manage Named Credentials or Customize Applications |
- From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
- Click External Credentials.
- To create a new external credential, click New. To edit an existing external credential, click its link in the list of external credentials and then click Edit.
- Complete the fields.
Field Description Label A user-friendly name for the external credential that’s shown in the Salesforce user interface, such as in list views. Name A unique identifier that’s used to refer to this external credential from callout definitions and through the API.
The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
Authentication Protocol Select OAuth 2.0. Authentication Flow Type Select JWT Bearer Flow. See Authentication Protocols for Named Credentials. Scope Optional. Specifies the scope of permissions to request for the access token. A scope declared here is a credential-level scope that applies to all callouts that use this credential. Your authentication provider determines the allowed values. See OAuth Tokens and Scopes and Use the Scope Parameter.
The Scope field accepts static values and formulas. This example uses the
session:rolescope to request access dynamically based on each user’s department.{!"session:role:" + $User.Department}When you set the credential’s scope, keep these considerations in mind.
- The value that you enter replaces the Default Scopes value that’s defined in the specified authentication provider.
- A scope can affect whether each OAuth flow prompts the user with a consent screen.
Identity Provider URL The URL of the identity provider to send the JWT (JSON Web Token) to in exchange for an access token. Signing Certificate A certificate from an identity provider, via a CA (certificate authority), or registered with an identity provider, and uploaded to Salesforce through Certificate and Key Management. Signing Algorithm Select from RS256 (default) or RS512. Additional Status Codes for Token Refresh Specify HTTP status codes that trigger Salesforce to refresh expired or invalid access tokens, in addition to the standard 401response. - (Optional) Modify some default JWT claims for an external credential or create your own
custom claims.External credentials that use JWT authentication have JWT claims that assert attributes about tokens, such as time of expiration. See Set Up JWT Claims for Named Credentials.
- Save the external credential.
Create Principals
After you create an external credential that uses OAuth authentication with the JWT Bearer Flow, create principals for it. You link an external credential to permission sets or user profiles through principals, and at run time, the platform ensures that the user has the permission set before accessing the remote system.
- On the Named Credentials page, click External Credential.
- Select the external credential that you created.
- Scroll to Principals.
- To create a principal for the external credential, click New or
select Edit from the Actions menu of an existing principal.When editing an existing principal, not all the fields listed here are modifiable.
- Enter the information for the principal.
Field Description Parameter Name Enter a name for the principal, such as Admin or Marketing Group. Sequence Number Assign a sequence number. A sequence number specifies the order of principals to apply when a user participates in more than one principal. For example, a user could be part of multiple permission sets that are applicable for a credential provider. Priority is from lower to higher numbers. Identity Type Choose either Named Principal or Per User Principal.
You can set up each external credential to use an org-wide named principal or per-user authentication. A named principal applies the same credential or authentication configuration for the entire org, while per-user authentication provides access control at the individual user level.
Scope Optional. To provide access parameters on a per-principal basis, enter a principal-level scope. This scope is in addition to the optional credential-level scope.
Credential-level and principal-level scopes are concatenated together in callouts and sent as a space-separated list. These scopes overwrite an authentication provider’s default scopes, if the appended list is non-null.
This example uses a principal-level scope to link a group of authenticated users to roles on an external site. The scope is
session:role:<role>. If a user has Sales or Service in their department name, the scope is set assession:role:Salesorsession:role:Service.{!IF(OR(CONTAINS($User.Department, "Sales"), CONTAINS($User.Department, "Service")), "session:role:" + $User.Department, "")} - Save the principal.You can’t modify the Principal Name and Identity Type of an existing principal. To change these parameters, delete the principal and recreate it.
- Now that you created the external credential and its principal, it’s time to create the
connected name credential. See Create or Edit a Named Credential. For an overview of all of the steps required to configure a named credential, see Create Named Credentials and External Credentials.
