How To: Salesforce Authentication with Firebase/PHP-JWT
What is Firebase/PHP-JWT?
- You can find the firebase/php-jwt library on GitHub.
- This library is a lightweight and straightforward implementation specifically designed for working with JWTs in PHP.
- It focuses on the basic functionalities of JWTs, such as encoding, decoding, and validating tokens.
- firebase/php-jwt is well-documented and relatively easy to set up and use.
- It is specifically optimized for use with Firebase services and integrates smoothly with Firebase Authentication.
- If you have simple JWT requirements and prefer a more streamlined approach, firebase/php-jwt might be easier to get started with.
Setting up a new Salesforce Connected App
First you need to create a connected app in Salesforce by following these steps:
- Sign in to your Salesforce account.
- Click on “Setup” in the top right corner.
- Search for “Apps” in the Quick Find search box and then click on “App Manager”.
- Click on “New Connected App”.
- Fill in the necessary information. Make sure to check “Enable OAuth Settings”.
- In “Selected OAuth Scopes”, add the required scopes.
- For “Use Digital Signatures”, upload your certificate file.
- Click on “Save” to create the Connected App.
- Note down the Consumer Key and Consumer Secret; you'll need them in later steps.
Where do I get my certificate file?
Step 7 above can be a little confusing. You need to generate a private key on the server that will be making the API calls, and then a certificate that carries the matching public key. You can do both with openssl.
Step 1: Generate a Private Key
You can generate a private key using the following command:
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
This command creates a 2048-bit RSA private key and stores it in the file named “private_key.pem”.
Step 2: Generate a Self-Signed Certificate
After generating a private key, you can create a self-signed certificate using the following command:
openssl req -new -x509 -key private_key.pem -out cert.pem -days 365
In this command:
- The -new option indicates that a new certificate request should be generated.
- -x509 tells OpenSSL that a self-signed certificate should be created instead of a certificate request.
- -key specifies the file to read the private key from.
- -out specifies the output filename to write to, or standard output if this option is not specified.
- -days specifies how long the certificate is valid for.
The output file, in this case “cert.pem”, is the self-signed certificate.
Now you have both a private key and a self-signed certificate. Remember to keep your private key secure.
Step 3: Upload the Certificate to Salesforce
The self-signed certificate you just created should be uploaded to Salesforce when you are creating the connected app. You can do this under the “Use Digital Signatures” section in the connected app settings.
It’s worth noting that the Salesforce server only needs the public key to verify signatures, and that public key is contained within the certificate. The private key must remain secret and be kept safe on your server: do not store it inside your public web root, keep it outside that folder. You use the private key to sign the JWT, and Salesforce uses the public key from the uploaded certificate to verify the signature.
Installing firebase/php-jwt with Composer
Installing with Composer is easy; run this command:
composer require firebase/php-jwt
The following code is an example of a PHP script to retrieve your authentication token:
<?php
require 'vendor/autoload.php';

use Firebase\JWT\JWT;

$privateKey = 'path_to_private_key_file'; // keep this file outside the public web root
$clientId   = 'salesforce_client_id';     // the Connected App's Consumer Key
$username   = 'salesforce_username';

$tokenPayload = [
    'iss' => $clientId,
    'sub' => $username,
    'aud' => 'https://login.salesforce.com',
    'exp' => time() + 3600, // Token expiration time
];

// Sign the assertion with the private key; Salesforce verifies it with the uploaded certificate
$jwtToken = JWT::encode($tokenPayload, file_get_contents($privateKey), 'RS256');

$url = 'https://login.salesforce.com/services/oauth2/token';
$postData = http_build_query([
    'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion'  => $jwtToken,
]);

$curl = curl_init($url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $postData);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($curl);
if ($response === false) {
    throw new RuntimeException('Token request failed: ' . curl_error($curl));
}
curl_close($curl);

$response = json_decode($response);
if (!isset($response->access_token)) {
    // On failure Salesforce returns an "error" and "error_description" instead of a token
    throw new RuntimeException('No access token in response: ' . json_encode($response));
}
$authToken = $response->access_token;
Note that you will need to replace “path_to_private_key_file”, “salesforce_client_id” (also called the Consumer Key from your connected app), and “salesforce_username” with your own information.
Any custom code you would like to run after this authentication will now work by passing along the $authToken returned above. Ideally you would wrap the authentication in a function that you can include in any of your API scripts.
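As an added example (not code from the original post or from the firebase/php-jwt project), the script below signs the assertion the same way and then checks it locally exactly as Salesforce will: with nothing but the public key pulled out of cert.pem. It also refuses to run if the private key is readable by other users, sits inside the document root, or does not match the certificate that was uploaded. The file paths and the 180-second lifetime are assumptions.

```php
<?php
// Added example, not from the original post: sign a Salesforce JWT assertion and
// verify it locally the way Salesforce will, using only the certificate's public key.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$privateKeyPath = '/etc/myapp/private_key.pem'; // assumed path, outside the web root
$certPath       = '/etc/myapp/cert.pem';        // the certificate uploaded to Salesforce
$clientId       = 'salesforce_client_id';       // Connected App Consumer Key
$username       = 'salesforce_username';
$audience       = 'https://login.salesforce.com';

// Refuse to run with a key that other local users can read or that sits inside the document root
if (fileperms($privateKeyPath) & 0077) {
    throw new RuntimeException('private key file is readable by group/others; chmod 600 it');
}
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false && strpos(realpath($privateKeyPath), $docRoot) === 0) {
    throw new RuntimeException('private key must not live inside the public web root');
}

$privateKey = file_get_contents($privateKeyPath);
$cert       = file_get_contents($certPath);

// The certificate uploaded to Salesforce must belong to this private key
if (!openssl_x509_check_private_key($cert, $privateKey)) {
    throw new RuntimeException('cert.pem does not match private_key.pem');
}

// Build and sign the assertion (RS256: RSA signature over SHA-256)
$payload = [
    'iss' => $clientId,
    'sub' => $username,
    'aud' => $audience,
    'exp' => time() + 180, // short lifetime: the assertion is used once, right away
];
$assertion = JWT::encode($payload, $privateKey, 'RS256');

// Verify as Salesforce does: the public key from the certificate is enough, and
// decode() rejects a bad signature, an expired token or a header alg other than RS256.
$publicKey = openssl_pkey_get_details(openssl_pkey_get_public($cert))['key'];
$claims    = JWT::decode($assertion, new Key($publicKey, 'RS256'));
if ($claims->aud !== $audience || $claims->iss !== $clientId) {
    throw new RuntimeException('aud/iss claim mismatch');
}
echo 'assertion verified, expires ' . date(DATE_ATOM, $claims->exp) . PHP_EOL;
```

Run this once after generating the key pair and before uploading cert.pem; if it passes, the same private key and payload can be handed to the token request script above.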
Need a custom Salesforce integration? Contact us today for an estimate!