Salesforce header error
Closed this issue · 2 comments
p15r commented
Salesforce returns the following error:
Your JWE header is missing one or more parameters. Required: alg, enc, kid, jti. Found: alg, enc, kid.
What is the 'jti' parameter?
p15r commented
The jti value is related to Salesforce's replay detection:
Enable Replay Detection for Cache-Only Keys
Replay Detection protects your Cache-Only Key Service from replay attacks
by embedding a nonce in callouts. Before you turn on replay detection,
make sure that your key service can accept this nonce and return the nonce in the JSON web token header.
Let's fetch the nonce from the requests and return it in the JWE header...
Example request from Salesforce:
[09/Aug/2020:16:43:41 +0000] "GET /hyok-wrapper-kid?requestId=579654cdc718b0e82a09f23ccd23ea33 HTTP/1.1" 200 926 "-" "SFDC-Callout/49.0" "-"
Looks like requestId is the nonce? Update: confirmed, this is the nonce.
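
Added example, not part of the original comments or the project's own code: one way a key service could read the `requestId` nonce from the callout and echo it as `jti` in the JWE protected header. The function names, the 32-hex-character nonce format (inferred from the logged request), the `alg`/`enc` defaults and the `kid` value are assumptions.

```python
import base64
import json
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the Salesforce error message lists as required in the JWE header.
REQUIRED = ("alg", "enc", "kid", "jti")
# Assumption: the nonce is 32 lowercase hex characters, as in the logged request.
NONCE_RE = re.compile(r"[0-9a-f]{32}")


def nonce_from_target(target):
    """Return the requestId query value from a request target, or raise ValueError."""
    values = parse_qs(urlsplit(target).query).get("requestId", [])
    # Refuse to echo anything that is absent, repeated or not nonce-shaped,
    # so arbitrary query input never ends up in the header.
    if len(values) != 1 or not NONCE_RE.fullmatch(values[0]):
        raise ValueError("missing, repeated or malformed requestId")
    return values[0]


def protected_header(target, kid, alg="RSA-OAEP", enc="A256GCM"):
    """Build the JWE protected header with the request nonce echoed as jti.

    The alg and enc defaults are assumptions; use what your org expects.
    """
    header = {"alg": alg, "enc": enc, "kid": kid, "jti": nonce_from_target(target)}
    missing = [p for p in REQUIRED if not header.get(p)]
    if missing:
        raise ValueError("header is missing: " + ", ".join(missing))
    return header


def b64url(header):
    """Serialize the header as the first segment of a compact JWE."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


if __name__ == "__main__":
    # Request target taken from the log line above; the kid is a placeholder.
    target = "/hyok-wrapper-kid?requestId=579654cdc718b0e82a09f23ccd23ea33"
    hdr = protected_header(target, kid="example-kid")
    print(hdr)
    print(b64url(hdr))
```

The header must be built per request, since each callout carries a fresh nonce; a cached JWE would return a stale `jti`.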