JWT Bearer Flow

[Diagram: JWT Bearer Flow]
  • A JSON Web Token (JWT) is created by the client app and signed with the private key of an X.509 certificate
  • The authorisation server checks the signature against the certificate's public key to verify the authenticity of the request
  • The allowed scopes are based on approval previously granted by the user through another OAuth flow
  • Additional claims can be included in the JWT to communicate extra user or context information to the authorisation server
  • For Salesforce to act as the authorisation and resource server, a connected app is needed. This flow is used in Salesforce DX CLI authorisation
  • Salesforce can also act as the client: Named Credentials offer an option to make callouts from Salesforce to an external server application using this flow
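The two halves of the flow described in the list above, as an added example that is not part of the original page and is not Salesforce's own code: the client builds a JWT (iss = the connected app's consumer key, sub = the user who previously approved the app, aud = the authorisation server, exp = expiry) and signs it RS256 with its private key; the authorisation server verifies the signature with the public key it holds for that app, pins the algorithm to RS256 rather than trusting whatever the header says, and then checks iss, aud and exp before issuing a token. The consumer key, username and audience URL are placeholders; only Go's standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the JWT bearer assertion (RFC 7523 names, as used by the
// Salesforce flow): iss = connected app consumer key, sub = approving user,
// aud = authorisation server, exp = expiry in seconds since the epoch.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion is the client side: build header.claims and sign it RS256
// (PKCS#1 v1.5 over SHA-256) with the private key of the app's certificate.
func SignAssertion(c Claims, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion is the authorisation-server side. The public key is the one
// registered for the connected app identified by expectedIss, so the signature
// check is what proves the request really came from that app.
func VerifyAssertion(token string, pub *rsa.PublicKey, expectedIss, expectedAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	// Pin the algorithm: never let the token's header pick "none" or an HMAC alg.
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unsupported or invalid header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("signature does not verify against the registered certificate")
	}
	// Only after the signature holds do we trust the claims.
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return c, errors.New("bad claims encoding")
	}
	if c.Iss != expectedIss {
		return c, errors.New("issuer is not the expected connected app")
	}
	if c.Aud != expectedAud {
		return c, errors.New("audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("assertion expired")
	}
	return c, nil
}

func main() {
	// Placeholder identifiers; a real deployment uses the app's consumer key,
	// the approving user's username and the real login endpoint.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := Claims{Iss: "CONSUMER_KEY_PLACEHOLDER", Sub: "user@example.com",
		Aud: "https://login.example.test", Exp: time.Now().Add(3 * time.Minute).Unix()}
	tok, _ := SignAssertion(claims, key)
	got, err := VerifyAssertion(tok, &key.PublicKey, claims.Iss, claims.Aud, time.Now())
	fmt.Printf("verified=%v sub=%s\n", err == nil, got.Sub)
}
```

Keeping the signature check before any use of the claims, and rejecting a token whose header names a different algorithm, are the two checks that matter most on the server side: the scopes granted afterwards are still those the user approved earlier, so the assertion only proves which app (and which user) is asking.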
Walkthrough and Additional Considerations (Apex Hours)