Can I use a JWT from Cognito (IdP is Salesforce with OIDC) to query the Salesforce API?
So, after a lot of Googling and tests on my side, I cannot figure out if this is even possible (kind of a newbie here with oidc + cognito + salesforce).
I have a need to authenticate my users via SSO with Salesforce as an identity provider. Then, I need to query for that specific user's information via the Salesforce API. I want to avoid an extra OAuth flow if possible since theoretically I have my users logged in already.
The scenario is:
- I have configured Cognito with Salesforce as my identity provider via OpenID Connect.
- I managed to perform the auth flow correctly and I end up with a code that I can exchange for an `id_token`, `access_token` and a `refresh_token` from Cognito's `/oauth2/token` endpoint.
- Now the question is IF I can use the JWT tokens I got from Cognito to query the Salesforce API.
I can elaborate and provide sample configuration if needed. Thanks a lot for any help on this :)
Solution 1:[1]
In OAuth, the data owner hosts an Authorization Server / token issuer alongside its APIs:
- So Salesforce access tokens must be used to get Salesforce data
- Similarly a client must use access tokens from your Cognito instance to get data from your own APIs
EMBEDDED TOKEN PATTERN
This is the design pattern you need, and it is explained in this Curity article. When Cognito federates to Salesforce, it will complete a code flow for the user and get Salesforce tokens.
It should then be possible to include the Salesforce access token as a claim in the Cognito access token. Your APIs can extract it later on, then forward it to Salesforce on behalf of the user.
COGNITO CAPABILITIES?
Unfortunately not all Authorization Servers have this level of extensibility, so I doubt that Cognito supports this, but it is worth investigating. It is not an uncommon requirement though, and Cognito does allow you to get Identity Pool tokens to represent user specific AWS resources in a similar way.
Solution 2:[2]
After some research, I think I found the way (not sure if it is the best, but it works).
This is the process:
- When creating the user pool, make sure you declare 2 custom attributes: `access_token` and `refresh_token`.
- Complete the setup process.
- In the attribute mapping section, map those custom attributes to the ones you want to extract from your IdP (in my case, `access_token` is the one I need).
So, it will look like this:
That attaches the Salesforce `access_token` to my JWT `id_token` :)
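The embedded token pattern from Solution 1, wired to the custom attribute mapping from Solution 2, as an added example (not code from either answer or from AWS/Salesforce): the API verifies the Cognito ID token before it reads the `custom:access_token` claim, then places that value in the `Authorization` header of the Salesforce call. Assumptions are marked in the code: the issuer, app client id, instance URL and token values are placeholders or constructed; Cognito really signs ID tokens with RS256 against the keys at its JWKS URL, while this stand-alone version signs with a constructed HS256 secret so it runs offline, and that signing step is the only part to swap for a JWKS check.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders (assumptions, not values from the question): the real issuer and app client id
# come from the Cognito user pool configuration.
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
# Cognito exposes custom user pool attributes in the ID token under the "custom:" prefix,
# so the attribute from Solution 2 arrives as this claim.
SALESFORCE_TOKEN_CLAIM = "custom:access_token"
# Constructed stand-in for the signing key so the example runs offline. Cognito really signs
# ID tokens with RS256 and publishes the public keys at <issuer>/.well-known/jwks.json;
# in production, sign_input/verify_id_token use that JWKS instead of a shared secret.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_input(signing_input: bytes) -> bytes:
    return hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()


def make_demo_id_token(claims: dict) -> str:
    """Build a Cognito-shaped ID token (HS256 stand-in) carrying the given claims."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signature = sign_input(f"{header_b64}.{payload_b64}".encode("ascii"))
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


class TokenError(ValueError):
    """Raised when the ID token fails any check; the caller must not read its claims."""


def verify_id_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience, token_use and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never be allowed to pick its own (e.g. "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = sign_input(f"{header_b64}.{payload_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != USER_POOL_ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise TokenError("wrong audience")
    if claims.get("token_use") != "id":
        raise TokenError("not an ID token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims


def extract_salesforce_token(claims: dict) -> str:
    """Pull the embedded Salesforce access token out of already-verified claims."""
    sf_token = claims.get(SALESFORCE_TOKEN_CLAIM)
    if not sf_token:
        raise TokenError(f"{SALESFORCE_TOKEN_CLAIM} missing; check the attribute mapping")
    return sf_token


def build_salesforce_request(claims: dict, instance_url: str) -> dict:
    """Describe the outbound Salesforce call: the embedded token goes in the Authorization header.

    instance_url is a placeholder for the org's My Domain URL; the userinfo path is
    Salesforce's OAuth userinfo endpoint, used here as an example of a per-user query.
    """
    return {
        "method": "GET",
        "url": f"{instance_url}/services/oauth2/userinfo",
        "headers": {"Authorization": f"Bearer {extract_salesforce_token(claims)}"},
    }


if __name__ == "__main__":
    # Constructed token: what Cognito would mint after the Salesforce code flow with Solution 2's mapping.
    demo_claims = {
        "iss": USER_POOL_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
        "sub": "example-user", "exp": int(time.time()) + 3600,
        SALESFORCE_TOKEN_CLAIM: "constructed-salesforce-access-token",
    }
    verified = verify_id_token(make_demo_id_token(demo_claims))
    print(build_salesforce_request(verified, "https://example.my.salesforce.com"))
```

Because Solution 2 places the Salesforce token in the ID token, whoever holds that ID token also holds a usable Salesforce access token, so the API should treat the ID token with the same care it would give a Salesforce token and read the embedded claim only after every check in `verify_id_token` has passed.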
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Gary Archer |
| Solution 2 | dansmachina |

