FAQ-001062 - JWT and Token Security / JWT Authentication Flow Design


Current FAQ

Question
How should I design and implement a secure JWT authentication flow for my package that will pass the AppExchange Security Review?
Answer
To design and implement a secure JWT authentication flow that passes the AppExchange Security Review, follow these guidelines:

1. **Use JWT Authentication with a Connected App**: Implement JWT authentication through a connected app rather than passing session IDs. Include a connected app configured for JWT authentication in your package.
2. **Secure Storage of Private Keys**: Store private keys in protected custom settings or protected metadata. Never expose them in code, configuration files, or other unprotected locations.
3. **Self-Signed Keys**: Self-signed keys are acceptable for signing JWTs, provided they are generated and managed securely.
4. **OAuth Flow for Subscribers**: Each subscriber must complete the OAuth flow to consent to data access. Tokens must not be created without user consent.
5. **Restrict Permissions**: Apply the principle of least privilege when defining OAuth scopes; request only the scopes the package needs.
6. **Validation**: Verify the JWT's signature and claims, together with the identifiers it carries (e.g., a UUID), before treating a user as authenticated or a request as legitimate.
7. **Avoid Storing Sensitive Data in Logs**: Do not log sensitive information such as cryptographic secrets, API credentials, passwords, or JWTs in debug logs.
8. **Enforce HTTPS**: All API connections must use HTTPS and meet the SSL/TLS configuration requirements.
9. **Validate Endpoints**: Restrict remote site settings and HTTP endpoints so the package cannot connect to arbitrary servers. Use fixed endpoints, or justify variable endpoints with a business case.
10. **Documentation**: Document the authentication flow in detail, covering JWT generation, storage, and validation, with clear instructions for setting up the connected app, generating the consumer key and secret, and assigning the appropriate scopes.
11. **Test Thoroughly**: Test the flow end to end to find and fix vulnerabilities before submission.
12. **Security Measures**: Protect the flow with encryption and secure key management.

These steps ensure your authentication flow meets AppExchange Security Review requirements and follows security best practices.

AI Recommended Enhancement

Related Security Rules
ApexBadCrypto, ApexInsecureEndpoint, ApexSuggestUsingNamedCred, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader, AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting, LimitConnectedAppScope, UseHttpsCallbackUrlConnectedApp, ProtectSensitiveData
Recommended Answer Update
To design and implement a secure JWT authentication flow that passes the AppExchange Security Review, follow these guidelines:

1. **Use JWT Authentication with a Connected App**: Implement JWT authentication through a connected app rather than passing session IDs. Include a connected app configured for JWT authentication in your package.
2. **Secure Storage of Private Keys**: Store private keys in protected custom settings or protected custom metadata. Never expose them in code, configuration files, or other unprotected locations.
3. **Self-Signed Keys**: Self-signed keys are acceptable for signing JWTs, provided they are generated and managed securely.
4. **OAuth Flow for Subscribers**: Each subscriber must complete the OAuth flow to consent to data access. Tokens must not be created without user consent.
5. **Restrict Permissions**: Apply the principle of least privilege when defining OAuth scopes; request only the scopes the package needs.
6. **Validation**: Verify the JWT's signature and claims, together with the identifiers it carries (e.g., a UUID), before treating a user as authenticated or a request as legitimate.
7. **Avoid Storing Sensitive Data in Logs**: Don't log sensitive information such as cryptographic secrets, API credentials, passwords, or JWTs in debug logs.
8. **Enforce HTTPS**: All API connections must use HTTPS and meet the SSL/TLS configuration requirements.
9. **Validate Endpoints**: Restrict remote site settings and HTTP endpoints so the package cannot connect to arbitrary servers. Use fixed endpoints, or justify variable endpoints with a business case.
10. **Documentation**: Document the authentication flow in detail, covering JWT generation, storage, and validation, with clear instructions for setting up the connected app, generating the consumer key and secret, and assigning the appropriate scopes.
11. **Test Thoroughly**: Test the flow end to end to find and fix vulnerabilities before submission.
12. **Security Measures**: Protect the flow with encryption and secure key management.

These steps ensure your authentication flow meets AppExchange Security Review requirements and follows security best practices.
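As an added example (not code from this FAQ, from Salesforce, or from any package under review), the Go program below shows the two halves of the flow that both the current answer and the recommended update describe: a package-side routine that builds the JWT bearer assertion and signs it with the private key (points 1 to 3), and the receiving side's validation (point 6), which pins the signing algorithm, verifies the signature over the exact bytes received, and only then trusts the issuer, audience and expiry claims. It is written language-neutrally rather than in Apex because the same checks apply whatever language the token consumer is written in. The consumer key, username, login URL and the freshly generated RSA key are constructed demo values; a real package would load its key from protected custom metadata and use the connected app's actual consumer key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of a JWT bearer assertion: iss = connected app consumer key, sub = username, aud = login URL, exp = Unix seconds.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// b64url is the unpadded base64url encoding used for JWT segments.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSegment base64url-decodes one segment and parses it as JSON into v.
func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// BuildAssertion signs header.payload with RS256 (RSA PKCS#1 v1.5 over SHA-256) using the package's private key.
func BuildAssertion(c Claims, key *rsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
	p, _ := json.Marshal(c)
	signingInput := b64url(h) + "." + b64url(p)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAssertion: pin the algorithm, verify the signature over the bytes received, then check the claims.
func VerifyAssertion(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	var h jwtHeader
	if err := decodeSegment(parts[0], &h); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	if h.Alg != "RS256" { // never let the token choose the algorithm ("none", HS256, ...)
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("issuer/audience mismatch: iss=%q aud=%q", c.Iss, c.Aud)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key; a package would load its key from protected custom metadata
	now := time.Now()
	claims := Claims{Iss: "CONSUMER_KEY", Sub: "integration.user@example.com", Aud: "https://login.salesforce.com", Exp: now.Add(3 * time.Minute).Unix()}
	token, _ := BuildAssertion(claims, key)
	_, err := VerifyAssertion(token, &key.PublicKey, claims.Iss, claims.Aud, now)
	fmt.Println("signed assertion accepted:", err == nil)
	forged := b64url([]byte(`{"alg":"none"}`)) + "." + strings.Split(token, ".")[1] + "." // attacker strips the signature
	_, err = VerifyAssertion(forged, &key.PublicKey, claims.Iss, claims.Aud, now)
	fmt.Println("alg=none forgery rejected:", err != nil)
}
```

The order of checks in VerifyAssertion is the point: the algorithm is fixed by the verifier, the signature is checked before any claim is read, and the identifier in `sub` is only trusted once issuer, audience and expiry match. Reading the payload first (for example to look up the user and pick a key) is how "alg: none" and key-confusion forgeries get accepted.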
Reasoning
The original content was comprehensive but needed minor refinements for clarity and tone consistency with brand guidelines. Changes made: (1) Simplified 'Do not log' to 'Don't log' for more conversational tone. (2) Clarified 'protected metadata' to 'protected custom metadata' for technical precision. All security rules selected are highly relevant: ApexBadCrypto relates to JWT cryptographic operations mentioned in points 3 and 12 about secure key generation and encryption. ApexInsecureEndpoint and ApexSuggestUsingNamedCred relate to point 8 about HTTPS enforcement and secure endpoint configuration. The hardcoded credentials rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader) directly relate to point 2 about secure private key storage and point 7 about not logging sensitive data. Remote site setting rules (AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting) relate to point 9 about validating endpoints and HTTPS enforcement. Connected app rules (LimitConnectedAppScope, UseHttpsCallbackUrlConnectedApp) directly relate to points 1, 4, and 5 about OAuth scopes and connected app configuration. ProtectSensitiveData relates to points 2 and 7 about protecting cryptographic secrets and avoiding sensitive data in logs.