https://login.salesforce.com/id/keys is returning random results

Asked by Dhruvtiwari in AWS, asked on Jul 12, 2021

I build a third-party application that integrates with Salesforce using the REST API (connected app). We hit /services/oauth2/token to get a token for the user, then we verify the token using the associated RSA key from https://login.salesforce.com/id/keys.

Here's the problem. In the past two months, we've started to get intermittent failures. You'll notice if you go to https://login.salesforce.com/id/keys and then refresh the page a couple of times, you get random responses. You can tell by looking at the "kid" fields in the JSON. Often "kid": "222" is not present, for instance. Is this expected from this endpoint? I would assume not, seeing as we only started getting errors from this in the past two months when we've had this integration for a couple of years.

I've also noticed that hitting the /id/keys endpoint from an org-specific domain like https://na49.lightning.force.com/id/keys always returns a consistent result, but never includes "kid": "228" like https://login.salesforce.com/id/keys sometimes does. So is it safe to use the org-specific domain since it's consistent? Or does my server need to handle the inconsistency in order to support "kid": "228"?

Answered by Donna Chapman

There's a chain of custody you have to follow when retrieving the public key: the iss (Issuer) of the id_token you're trying to verify determines the location of the keys. By default, the issuer will be login.salesforce.com for a production org but (for example) a community hosted in the same org will have a different issuer.

If the id_token issued by SF does not have a corresponding public key in the JSON Web Key Set (JWKS), then you can't validate the signature on the token and therefore cannot rely on this token. (Correspondence is established via kid.) As far as your client acting in the capacity of OpenID Connect Relying Party is concerned, when token validation fails, not using this token is your only app-level, programmatic recourse.

You could complain to Salesforce that you can't validate id_token due to a missing key. We haven't seen such a scenario but if you have evidence of this, please let Salesforce know by opening a support case.
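The key lookup described in the answer, as an added example that is not part of the original post or Salesforce's code: the token's iss selects the JWKS URL, the kid selects the key, a stale cache is refetched once, and a missing key means the token is rejected. The trusted-issuer list, the function names and the sample tokens are assumptions constructed for illustration; signature verification with the returned key is left to a JWT library.

```python
import base64
import json

# Assumption: the issuers this relying party trusts (not taken from the page).
TRUSTED_ISSUERS = {"https://login.salesforce.com"}


class KeyNotFound(Exception):
    """No usable key for this token: the caller must reject the token."""


def _decode(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def make_unsigned_token(kid, iss):
    """Constructed sample id_token with a dummy signature, for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "kid": kid}), enc({"iss": iss}), "c2ln"])


def resolve_signing_key(id_token, fetch_jwks, cache):
    """Pick the JWK for id_token by its iss and kid; raise KeyNotFound otherwise."""
    header, payload, _signature = id_token.split(".")
    kid = _decode(header).get("kid")
    iss = str(_decode(payload).get("iss", "")).rstrip("/")
    # iss is still unverified here, so it may only select among trusted issuers.
    if iss not in TRUSTED_ISSUERS:
        raise KeyNotFound(f"untrusted issuer {iss!r}")
    jwks_url = iss + "/id/keys"
    for _attempt in range(2):
        fresh = jwks_url not in cache
        if fresh:
            cache[jwks_url] = fetch_jwks(jwks_url)
        for jwk in cache[jwks_url].get("keys", []):
            if jwk.get("kid") == kid:
                return jwk
        if fresh:
            break  # a just-fetched key set lacks this kid: fail closed
        del cache[jwks_url]  # cached set may predate a key rotation: refetch once
    raise KeyNotFound(f"kid {kid!r} not published at {jwks_url}")


if __name__ == "__main__":
    # Constructed key set; the kid values echo those mentioned in the question.
    published = {"keys": [{"kid": "228", "kty": "RSA"}]}
    stale_cache = {"https://login.salesforce.com/id/keys": {"keys": [{"kid": "222"}]}}
    token = make_unsigned_token("228", "https://login.salesforce.com")
    print(resolve_signing_key(token, lambda url: published, stale_cache)["kid"])
```

`fetch_jwks` is injected so the HTTP client, timeouts and TLS settings stay under the caller's control and the lookup can be tested offline.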


