Skip to content

feat: added JWT validation logic @W-20036916@ #1258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jfeingold35 wants to merge 11 commits into
base: main
Choose a base branch
from
Open

feat: added JWT validation logic @W-20036916@ #1258

jfeingold35 wants to merge 11 commits into from
+246 −135

Conversation

@jfeingold35
Copy link
Contributor

@jfeingold35 jfeingold35 commented Jan 16, 2026

What does this PR do?

In addition to opaque tokens, certain APIs now accept JWT-style tokens. This adds the logic for validating the format of such a token.

What issues does this PR fix or reference?

@W-20036916@

@jfeingold35 jfeingold35 marked this pull request as ready for review January 16, 2026 20:29
@jfeingold35 jfeingold35 requested a review from a team as a code owner January 16, 2026 20:29
cristiand391
cristiand391 reviewed Jan 16, 2026
View reviewed changes
cristiand391
cristiand391 reviewed Jan 16, 2026
View reviewed changes
cristiand391
cristiand391 reviewed Jan 16, 2026
View reviewed changes
cristiand391
cristiand391 reviewed Jan 16, 2026
View reviewed changes
@jfeingold35 jfeingold35 mentioned this pull request Jan 16, 2026
Closed
@cristiand391
Copy link
Member

cristiand391 commented Jan 19, 2026
edited
Loading

QA notes:

setup:
yarn linked this branch into plugin-auth, then set SF_ACCESS_TOKEN to a real JWT issued from our devhub using my models connected app.

❌ allow sf org login access-token to support jwt tokens

still getting:

Error (SfError): The access token isn't in the correct format.
It should follow this pattern: "<org id>!<accesstoken>".

I figured it's due to the short-circuit of || here:

export const matchesAccessToken = (value: string): boolean =>
  matchesOpaqueAccessToken(value) || matchesJwtAccessToken(value);

so updated it to this to continue qa:

export const matchesAccessToken = (value: string): boolean => {
  if (matchesOpaqueAccessToken(value)) return true 
  if (matchesJwtAccessToken(value)) return true
  return false;
}

matchesJwtAccessToken returns true for a valid jwt
while debugging it I noticed it failed while validating keys from the 2nd segment (index 1) in code:

return isJsonWithValidKeys(segments[1], ['aud', 'exp', 'iss', 'mty', 'nbf', 'sfi', 'sub', 'scp'], true, [
    'acx',
    'client_id',
    'iat',
    'roles',
    'obo',
  ]);

@jfeingold35 based on these docs I think we could simplify the key validation by just ensuring the typ field is JWT, ignoring all other keys:

I think we could omit checking for all other keys since we aren't validating their values, so typ seems enough to tell it's a jwt.

cristiand391
cristiand391 previously approved these changes Jan 21, 2026
View reviewed changes
@cristiand391
Copy link
Member

cristiand391 commented Jan 21, 2026

QA update:

❌ allow sf org login access-token to support jwt tokens

✅ fixed, can auth via an opaque token or jwt via SF_ACCESS_TOKEN or pasting the token in prompt (interactive mode)

❌ matchesJwtAccessToken returns true for a valid jwt

✅ fixed

❌ logger doesn't redact jwt

so if I do SF_ACCESS_TOKEN=<opaque-token> and do sf org login access-token ... --dev-debug, in logs I see the opaque token is always redacted:
Screenshot 2026-01-21 at 11 06 09

but with SF_ACCESS_TOKEN=<jwt-based-access-token> I can see the non-encrypted token in logs

@cristiand391
Copy link
Member

cristiand391 commented Jan 22, 2026
edited
Loading

QA update:

❌ logger doesn't redact jwt

✅ jwt is partially redacted (limitation of how our logger works and jwt format)
Jamie pointed out I needed to link sfdx-core into the CLI too to get the env var section of the logs redacted,

code logging raw token:
Screenshot 2026-01-22 at 13 47 16

which is logged as:
Screenshot 2026-01-22 at 13 47 40

✅ also verified opaque tokens still get redacted

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cristiand391 cristiand391 cristiand391 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jfeingold35 @cristiand391 @svc-cli-bot