Salesforce OAuth: JWT Bearer flow for Server-to-Salesforce Integration

Ram
3 min read · Mar 24, 2024


The Salesforce JWT Bearer Token Flow is a secure and efficient way to authorize a server to access Salesforce data without manual user intervention for each request. It is commonly used where automated or background processes need to call Salesforce APIs.

Instead of relying on a client secret or user credentials, the JWT Bearer Flow uses a private key to sign the JWT. The matching certificate is registered on the connected app, and Salesforce uses it to verify that signature and so the authenticity of the JWT.

Unlike some other OAuth 2.0 flows, such as the Authorization Code Flow, the JWT Bearer Flow needs no interactive login at request time. Once the connected app has been approved and the JWT is signed with the registered key, the server can request access tokens without further user intervention. Before an application can use the JWT Bearer Flow, it must be configured and approved in Salesforce.

Here’s a detailed explanation of how it works:

1. Create a Self-Signed Certificate

· Download OpenSSL, install it on your system, and set the environment variable PATH to include C:\Program Files\OpenSSL-Win64\bin
· Open a terminal and run the following commands:

***** To generate a private key (either command produces a 2048-bit RSA key) *****
openssl genpkey -out private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
openssl genrsa -out private.key 2048

***** To create a Certificate Signing Request (CSR) *****
openssl req -new -key private.key -out csr.pem

***** To generate a Self-Signed Certificate (valid for 365 days) *****
openssl x509 -req -days 365 -in csr.pem -signkey private.key -out certificate.crt

After following these steps, you will have a self-signed certificate (certificate.crt) and its corresponding private key (private.key). Only certificate.crt is uploaded to Salesforce; private.key stays on the server that will sign the JWTs, so restrict its file permissions to the process that needs it. When the certificate expires after 365 days, repeat this step and upload the new certificate to the connected app.

2. Create a Connected App and configure it with the Certificate

· Log in to Salesforce using administrator credentials
· Navigate to Setup and select App Manager (enter “App Manager” in the Quick Find box)
· Click the “New Connected App” button

· Enter the App Name and Email address
· Under the API section, check “Enable OAuth Settings” and enter “https://login.salesforce.com/services/oauth2/success” as the Callback URL. This URL is used again in step 3.
· Check the “Use Digital Signature” checkbox and upload the certificate (certificate.crt) generated in step 1.
· Select the scopes “Manage user data via APIs (api)” and “Perform requests at any time (refresh_token, offline_access)” and save.

· Once saved, you are redirected to the detail page. Click the “Manage Consumer Details” button and note down the Consumer Key (Client ID) and Consumer Secret (Client Secret). The JWT Bearer Flow itself uses only the Consumer Key; treat the Consumer Secret like any other credential and do not embed it in the integration.

3. Prior approval of the client app

· Copy the URL below and substitute your values for the Client ID and the Callback URL

https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=<CLIENTID>&redirect_uri=https://login.salesforce.com/services/oauth2/success

· Paste the modified URL into your browser, then authenticate as needed. Log in as the user the integration will act as; that username goes into the JWT’s sub claim in step 4.
· Click Allow to authorize access. After successful authorization, the browser redirects you to the Callback URL.

4. Generate a JWT (JSON Web Token)

· Navigate to JWT.io, choose the RS256 algorithm, and enter the JSON payload below (with the placeholders replaced) in the “PAYLOAD” section

{
"iss": "<CLIENT_ID>",
"aud": "https://login.salesforce.com",
"sub": "<USERNAME>",
"exp": <TIMESTAMP>
}

iss is the Consumer Key from step 2, sub is the Salesforce username the token is issued for, and exp is the expiry in Unix time (seconds since 1970-01-01 UTC); use https://www.unixtimestamp.com/ to generate a timestamp a couple of minutes in the future. Salesforce documents that exp must fall within three minutes of the request, so a distant date will be rejected. For a sandbox org, use https://test.salesforce.com as aud (and as the login host in step 5).

· In the “VERIFY SIGNATURE” section, paste the private key (private.key); the signed JWT appears in the “Encoded” section. Pasting the key into a web page is acceptable for a one-off test, but a production integration should sign the JWT on the server that holds the key.

5. Exchange JWT Tokens for Access Tokens

Create a POST request to the token endpoint, passing the grant type and the JWT from step 4, as follows (the two parameters are shown here as a query string for readability; clients normally send them as application/x-www-form-urlencoded fields in the POST body):

https://login.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<JWT_TOKEN>

Response:
{
"access_token": "<ACCESS_TOKEN>",
"scope": "api",
"instance_url": "<INSTANCE_URL>",
"id": "https://login.salesforce.com/id/<ORGID>/<USERID>",
"token_type": "Bearer"
}

Use instance_url as the base for subsequent API calls and send the access token in the Authorization: Bearer header. No refresh token is returned by this flow; when the access token expires, sign a fresh JWT and repeat the exchange. A failed exchange returns HTTP 400 with an error and error_description field, which is worth logging on the server side.
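Steps 4 and 5 done on the server instead of through JWT.io and a manual POST, as an added example that is not part of the original post or Salesforce's own code. It assumes the private.key from step 1, the third-party cryptography package (pip install cryptography) for the RS256 signature, and a client ID and username supplied on the command line; the sample values in the comments are placeholders. The inspect_assertion check goes beyond the post: it decodes the assertion locally (without verifying it) and refuses to send one whose algorithm, claims or expiry window Salesforce would reject, so a misconfiguration shows up in the server's own logs rather than as an opaque invalid_grant.

```python
"""Build, sanity-check and exchange a Salesforce JWT bearer assertion.
Added example (not the post's or Salesforce's code); assumes private.key from
step 1 and the third-party 'cryptography' package."""
import base64
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

LOGIN_URL = "https://login.salesforce.com"        # sandboxes: https://test.salesforce.com
TOKEN_PATH = "/services/oauth2/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 180   # seconds; Salesforce documents exp as "within 3 minutes"
KNOWN_AUDIENCES = {"https://login.salesforce.com", "https://test.salesforce.com"}


def b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet with the '=' padding removed (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(client_id, username, audience=LOGIN_URL, lifetime=MAX_LIFETIME, now=None):
    """The four claims Salesforce requires: iss (Consumer Key), aud, sub, exp."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("exp must be in the future and no more than 3 minutes out")
    now = int(time.time()) if now is None else now
    return {"iss": client_id, "aud": audience, "sub": username, "exp": now + lifetime}


def sign_rs256(signing_input: bytes, private_key_pem: bytes) -> bytes:
    """RS256 is RSASSA-PKCS1-v1_5 over SHA-256; done with the 'cryptography' package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return key.sign(signing_input, padding.PKCS1v15(), hashes.SHA256())


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_assertion(claims: dict, private_key_pem: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(signature)."""
    signing_input = b64url(_compact_json({"alg": "RS256", "typ": "JWT"})) + "." + b64url(_compact_json(claims))
    signature = sign_rs256(signing_input.encode("ascii"), private_key_pem)
    return signing_input + "." + b64url(signature)


def inspect_assertion(token: str, now=None) -> dict:
    """Decode an assertion WITHOUT verifying it (Salesforce does that) and list the
    problems that would make Salesforce reject it, so they are caught before sending."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"header": {}, "claims": {}, "problems": ["not a three-part compact JWS"]}
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r, Salesforce expects RS256" % header.get("alg"))
    for name in ("iss", "aud", "sub", "exp"):
        if name not in claims:
            problems.append("missing required claim " + name)
    if claims.get("aud") not in KNOWN_AUDIENCES:   # Experience Cloud site URLs are also valid
        problems.append("aud %r is not a standard Salesforce login host" % claims.get("aud"))
    exp = claims.get("exp", 0)
    if exp <= now:
        problems.append("exp is already in the past")
    elif exp - now > MAX_LIFETIME:
        problems.append("exp is more than 3 minutes out")
    return {"header": header, "claims": claims, "problems": problems}


def exchange_for_token(assertion: str, login_url: str = LOGIN_URL) -> dict:
    """Step 5: POST grant_type and assertion as form fields. Salesforce answers a bad
    assertion with HTTP 400 and {"error": ..., "error_description": ...}; that body
    is returned as a dict instead of raising so the caller can log it."""
    body = urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": assertion}).encode("ascii")
    req = urllib.request.Request(login_url + TOKEN_PATH, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    # usage: python sf_jwt.py <CLIENT_ID> <USERNAME> private.key   (placeholders, not real values)
    client_id, username, key_path = sys.argv[1:4]
    with open(key_path, "rb") as key_file:
        pem = key_file.read()
    assertion = build_assertion(build_claims(client_id, username), pem)
    report = inspect_assertion(assertion)
    if report["problems"]:
        sys.exit("refusing to send assertion: " + "; ".join(report["problems"]))
    token = exchange_for_token(assertion)
    print(json.dumps({k: token.get(k) for k in ("instance_url", "token_type", "scope", "error")}, indent=2))
```

The script prints instance_url and token_type rather than the access token itself, so the token does not end up in shell history or log files; a real integration would hand it to an HTTP client and re-run the exchange once Salesforce starts answering 401.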

Thank you for taking the time to read this article. Your feedback is invaluable to me. If you found this post helpful, please share your thoughts in the comments section below.

Resources:

  1. https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_jwt_flow.htm&type=5
  2. https://slproweb.com/products/Win32OpenSSL.html
  3. https://learn.microsoft.com/en-us/azure/iot-hub/reference-x509-certificates
  4. https://jwt.io/
  5. https://www.unixtimestamp.com/
