# Salesforce OAuth 2.0 JWT Bearer Token Flow Walk-Through

This document will walk you through how to create or configure a Salesforce application for use with JWT authentication.  These configuration steps and the example code works as of Salesforce API version 42.0.


## Prerequisites

Create an RSA x509 private key/certification pair

```
openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 -keyout salesforce.key -out salesforce.crt
```

The private key (.key) will be used to sign the JWT claim generated by your code.  The certificate will be uploaded to
Salesforce so that it can validate your signed JWT assertion.

## Salesforce Application creation

1. Login to salesforce.
1. Go to setup area (gear in the nav in the top right)
1. In the side nav, go to _Apps_ > _App Manager_
   1. Click _New Connect App_
   1. In the _Basic Information_ section, populate the required fields.  The values are for book keeping only and are not part of using the API.
   1. In the _API (Enable OAuth Settings)_ section:
      1. Check _Enable OAuth Settings_
      1. _Callback URL_ is unused in the JWT flow but a value is required nonetheless.  Use "http://localhost/" or some other dummy host.
      1. Check _Use digital signatures_.  Upload the _salesforce.crt_ that was generated earlier.
      1. For _Selected OAuth Scopes_, add _Access and manage your data (api)_ and _Perform requests on your behalf at any time (refresh_token, offline_access)_
   1. Click _Save_.  If there are any errors, you have to re-upload _salesforce.crt_.
1. On the resulting app page, click _Manage_.
   1. Click _Edit Policies_.
   1. In the _OAuth policies_ section, change _Permitted Users_ to _Admin approved users are pre-authorized_.
   1. Click _Save_.
1. Back on the app page again, in the _Profiles_ section, click _Manage Profiles_.
   1. On the _Application Profile Assignment_ page, assign the user profiles that will have access to this app.


## OAuth Access Configuration

To use the API, the RSA private key and the _Consumer Key_ (aka client ID) from the Salesforce application are needed.

1. The private key is the key that was generated in the _Prequisite_ section above.
1. To get the Salesforce application _Consumer Key_, do the following
   1. Login to salesforce.
   1. Go to setup area (gear in the nav in the top right)
   1. In the side nav, go to _Apps_ > _App Manager_
   1. In the list, find the application that you created in the _App Creation_ section above
   1. From the drop down in the application's row, click _View_
   1. The _Consumer Key_ is in the _API (Enable OAuth Settings)_ section.

## Parting Tips
- To see successful OAuth logins, see the _Session Management_ page.
- Help: https://salesforce.stackexchange.com/questions/207685
- For more info including a poorly done Java example, see https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5