
How To: Salesforce Authentication with Firebase/PHP-JWT

What is Firebase/PHP-JWT?

  • You can find the firebase/php-jwt library on GitHub.
  • This library is a lightweight and straightforward implementation specifically designed for working with JWTs in PHP.
  • It focuses on the basic functionalities of JWTs, such as encoding, decoding, and validating tokens.
  • firebase/php-jwt is well-documented and relatively easy to set up and use.
  • It is specifically optimized for use with Firebase services and integrates smoothly with Firebase Authentication.
  • If you have simple JWT requirements and prefer a more streamlined approach, firebase/php-jwt might be easier to get started with.

Setting up a new Salesforce Connected App

First you need to create a connected app in Salesforce by following these steps:

  1. Sign in to your Salesforce account.
  2. Click on “Setup” in the top right corner.
  3. Search for “Apps” in the Quick Find search box and then click on “App Manager”.
  4. Click on “New Connected App”.
  5. Fill in the necessary information. Make sure to check “Enable OAuth Settings”.
  6. In “Selected OAuth Scopes”, add the required scopes.
  7. For “Use Digital Signatures”, upload your certificate file.
  8. Click on “Save” to create the Connected App.
  9. Note down the Consumer Key and Consumer Secret; you’ll need them for later steps.

Where do I get my certificate file?

Step 7 above can be a little confusing. You need to generate a private key on the server that the API calls will be made from. You can do this using openssl.

Step 1: Generate a Private Key

You can generate a private key using the following command:

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

This command creates a 2048-bit RSA private key and stores it in the file named “private_key.pem”.

Step 2: Generate a Self-Signed Certificate

After generating a private key, you can create a self-signed certificate using the following command:

openssl req -new -x509 -key private_key.pem -out cert.pem -days 365

In this command:

  • The -new option indicates that a new certificate request should be generated.
  • -x509 tells OpenSSL that a self-signed certificate should be created instead of a certificate request.
  • -key specifies the file to read the private key from.
  • -out specifies the output filename to write to or standard output if this option is not specified.
  • -days specifies how long the certificate is valid for.

The output file, in this case “cert.pem”, is the self-signed certificate.

Now you have both a private key and a self-signed certificate. Remember to keep your private key secure.

Step 3: Upload the Certificate to Salesforce

The self-signed certificate you just created should be uploaded to Salesforce when you are creating the connected app. You can do this under the “Use Digital Signatures” section in the connected app settings.

It’s worth noting that the Salesforce server only needs the public key to verify signatures, and that public key is contained within the certificate. The private key must remain secret and be kept safe on your server: do not store the key file inside your public web root; keep it outside of that folder. You use the private key to sign the JWT, and Salesforce uses the public key from the certificate to verify the signature.
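The following script, added here as an example and not part of the original post, checks the two facts stated above before you go anywhere near Salesforce: that cert.pem really was issued for private_key.pem, and that a JWT signed with the private key verifies using nothing but the public key extracted from the certificate (which is all Salesforce holds). The file paths, the consumer key placeholder and the sample username are assumptions; the decode step uses the Key class from firebase/php-jwt 6.x.

```php
<?php
// Added example (not from the original post): confirm that private_key.pem and
// cert.pem belong together, then sign a JWT with the private key and verify it
// with only the public key extracted from the certificate, as Salesforce does.
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

require 'vendor/autoload.php';

// Paths are assumptions; the private key lives outside the web root.
$privateKeyPath = '/etc/salesforce/private_key.pem';
$certPath       = '/etc/salesforce/cert.pem';

$privateKeyPem = file_get_contents($privateKeyPath);
$certPem       = file_get_contents($certPath);
if ($privateKeyPem === false || $certPem === false) {
    throw new RuntimeException('Could not read the key or certificate file');
}

// Extract the public key from the certificate (the only part Salesforce keeps).
$cert = openssl_x509_read($certPem);
if ($cert === false) {
    throw new RuntimeException('cert.pem is not a valid X.509 certificate');
}
$publicKeyPem = openssl_pkey_get_details(openssl_pkey_get_public($cert))['key'];

// Check 1: the certificate must carry the public half of this private key.
$privateKey = openssl_pkey_get_private($privateKeyPem);
if ($privateKey === false) {
    throw new RuntimeException('private_key.pem is not a readable private key');
}
if (openssl_pkey_get_details($privateKey)['key'] !== $publicKeyPem) {
    throw new RuntimeException('cert.pem does not match private_key.pem');
}

// Check 2: a token signed with the private key verifies with the public key alone.
$payload = [
    'iss' => 'CONSUMER_KEY_PLACEHOLDER',   // placeholder for your connected app's consumer key
    'sub' => 'user@example.com',           // constructed sample username
    'aud' => 'https://login.salesforce.com',
    'exp' => time() + 180,                 // short lifetime: the assertion is only used once
];
$jwt = JWT::encode($payload, $privateKeyPem, 'RS256');

// Throws SignatureInvalidException (or ExpiredException) if anything is wrong.
$decoded = JWT::decode($jwt, new Key($publicKeyPem, 'RS256'));
echo "Key pair OK; assertion verifies for iss={$decoded->iss}\n";
```

Run this once after generating the files and again whenever the certificate is rotated; a mismatch here is the usual cause of an "invalid_grant" answer from the token endpoint.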

Installing firebase/php-jwt with Composer

Using composer installation is easy by running this command:

composer require firebase/php-jwt

The following code is an example of a PHP script to retrieve your authentication token:

<?php
use Firebase\JWT\JWT;
require 'vendor/autoload.php';

$privateKey = 'path_to_private_key_file'; // keep this file outside the web root
$clientId   = 'salesforce_client_id';     // the consumer key of the connected app
$username   = 'salesforce_username';

$tokenPayload = [
    'iss' => $clientId,
    'sub' => $username,
    'aud' => 'https://login.salesforce.com',
    'exp' => time() + 3600, // Token expiration time
];

// Sign the assertion with the private key (RS256); Salesforce verifies it with the certificate's public key
$jwtToken = JWT::encode($tokenPayload, file_get_contents($privateKey), 'RS256');

$url = 'https://login.salesforce.com/services/oauth2/token';

$postData = http_build_query([
    'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion'  => $jwtToken,
]);

$curl = curl_init($url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $postData);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($curl);
if ($response === false) {
    throw new RuntimeException('Token request failed: ' . curl_error($curl));
}
curl_close($curl);

$response = json_decode($response);
// A rejected assertion returns {"error": ..., "error_description": ...} instead of an access_token
if (!isset($response->access_token)) {
    throw new RuntimeException('Salesforce did not return an access token: ' . ($response->error_description ?? 'unknown error'));
}
$authToken = $response->access_token;

Note that you will need to replace “path_to_private_key_file”, “salesforce_client_id” (also called the consumer key from your connected app), and “salesforce_username” with your own information.

Any custom code you run after this authentication can now use the $authToken returned above. Ideally you would wrap the authentication in a function that you can include in any of your API scripts.
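As an added example of that reusable function (written for this page, not code from the original post or from the firebase/php-jwt project), the helper below performs the JWT bearer flow once per process, surfaces the token endpoint's error_description instead of failing silently, and returns both the access token and the instance_url that subsequent REST calls must be sent to. The file path, the sandbox switch, the consumer key placeholder, the sample username and the REST API version are assumptions.

```php
<?php
// Added example (not from the original post): reusable JWT bearer authentication
// for Salesforce plus one REST call that uses the returned token.
use Firebase\JWT\JWT;

require 'vendor/autoload.php';

function salesforceAuth(array $config): array
{
    static $cached = null;
    if ($cached !== null) {
        return $cached;              // reuse the access token within this process
    }

    // Sandboxes authenticate against test.salesforce.com; the aud claim must match the host used.
    $loginHost = $config['sandbox'] ? 'https://test.salesforce.com' : 'https://login.salesforce.com';
    $now = time();
    $assertion = JWT::encode([
        'iss' => $config['client_id'],
        'sub' => $config['username'],
        'aud' => $loginHost,
        'iat' => $now,
        'exp' => $now + 180,         // short-lived: the assertion is presented exactly once
    ], file_get_contents($config['private_key_path']), 'RS256');

    $curl = curl_init($loginHost . '/services/oauth2/token');
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'assertion'  => $assertion,
        ]),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body      = curl_exec($curl);
    $status    = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    $curlError = curl_error($curl);
    curl_close($curl);

    if ($body === false) {
        throw new RuntimeException("Token request failed: $curlError");
    }
    $response = json_decode($body, true);
    if ($status !== 200 || !isset($response['access_token'], $response['instance_url'])) {
        // Salesforce answers with {"error": "...", "error_description": "..."} on failure
        $reason = $response['error_description'] ?? $response['error'] ?? "HTTP $status";
        throw new RuntimeException("Salesforce rejected the assertion: $reason");
    }

    $cached = [
        'access_token' => $response['access_token'],
        'instance_url' => $response['instance_url'],   // API calls go here, not to the login host
    ];
    return $cached;
}

// One call that uses the token: a SOQL query via the REST API (API version is an assumption).
function salesforceQuery(array $auth, string $soql): array
{
    $curl = curl_init($auth['instance_url'] . '/services/data/v58.0/query?q=' . rawurlencode($soql));
    curl_setopt_array($curl, [
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $auth['access_token']],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($curl);
    curl_close($curl);
    return json_decode($body, true) ?? [];
}

$auth = salesforceAuth([
    'client_id'        => 'CONSUMER_KEY_PLACEHOLDER',        // from the connected app
    'username'         => 'user@example.com',                // constructed sample
    'private_key_path' => '/etc/salesforce/private_key.pem', // outside the web root
    'sandbox'          => false,
]);
print_r(salesforceQuery($auth, 'SELECT Id, Name FROM Account LIMIT 5'));
```

Keeping the private key path and consumer key in configuration rather than in the script itself means the file that signs assertions never has to be committed alongside the key material.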

Need a custom Salesforce integration?  Contact us today for an estimate!
