Revisions

  1. booleangate revised this gist Feb 28, 2018. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions a-salesforce-oauth-2.0-jwt-bearer-token-flow-walk-through.md
    @@ -11,8 +11,7 @@ Create an RSA x509 private key/certification pair
    openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 -keyout salesforce.key -out salesforce.crt
    ```

    The private key (.key) will be used to sign the JWT claim generated by your code. The certificate will be uploaded to
    Salesforce so that it can validate your signed JWT assertion.
    The private key (.key) will be used to sign the JWT claim generated by your code. The certificate (.crt) will be uploaded to Salesforce to validate your signed JWT assertions.

    ## Salesforce Application creation
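    Review bot: the rewritten sentence at the end of this hunk says what the private key is for but not how it has to be handled, and that matters more here than the wording: the command in context (`openssl req -x509 ... -nodes ... -keyout salesforce.key`) writes `salesforce.key` unencrypted, and whoever holds it can sign an assertion for any pre-authorized `sub`. Suggest adding one sentence that `salesforce.key` must stay out of the repository and be stored with restricted file permissions, and that with `-days 36500` the certificate never expires on its own, so rotating the key pair (and re-uploading a new `salesforce.crt`) has to be scheduled deliberately.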

  2. booleangate revised this gist Feb 28, 2018. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions example.py
    @@ -13,7 +13,6 @@
    # *******************************************************

    DOMAIN = 'test' if IS_SANDBOX else 'login'
    AUDIENCE = 'https://{}.salesforce.com'.format(DOMAIN)

    print('Loading private key...')
    with open(KEY_FILE) as fd:
    @@ -23,7 +22,7 @@
    claim = {
    'iss': ISSUER,
    'exp': int(time.time()) + 300,
    'aud': AUDIENCE,
    'aud': 'https://{}.salesforce.com'.format(DOMAIN),
    'sub': SUBJECT,
    }
    assertion = jwt.encode(claim, private_key, algorithm='RS256', headers={'alg':'RS256'}).decode('utf8')
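    Review bot: inlining `'https://{}.salesforce.com'.format(DOMAIN)` into the claim drops the named `AUDIENCE` constant that told the reader what `aud` represents, and the same host string is also needed for the token endpoint; an assertion whose `aud` does not match the host the token request is posted to is rejected, so keeping one base-URL constant and deriving both `aud` and the endpoint from it makes that agreement structural rather than something to keep in sync by hand.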
  3. booleangate revised this gist Feb 28, 2018. No changes.
  4. booleangate revised this gist Feb 28, 2018. 1 changed file with 10 additions and 6 deletions.
    16 changes: 10 additions & 6 deletions example.py
    @@ -5,30 +5,34 @@
    import time
    import requests

    # *** Update these values to match your configuration ***
    IS_SANDBOX = True
    KEY_FILE = 'salesforce.key'
    CLIENT_ID = '3MVG9Vik22TUgUphbgbEe0kXRZGFxDJ7TKOkiLJgixzNy4ssgvIpYsaVBBeU1ueKcAQA7hf4_sj.hQHnD1Nsl'
    AUDIENCE = 'https://test.salesforce.com' # or 'https://test.salesforce.com' if you're using the sandbox
    ISSUER = 'the consumer key from your application'
    SUBJECT = '[email protected]'
    # *******************************************************

    print('Loading private key...')
    DOMAIN = 'test' if IS_SANDBOX else 'login'
    AUDIENCE = 'https://{}.salesforce.com'.format(DOMAIN)

    print('Loading private key...')
    with open(KEY_FILE) as fd:
    private_key = fd.read()

    print('Generating signed JWT assertion...')
    claim = {
    'iss': CLIENT_ID,
    'iss': ISSUER,
    'exp': int(time.time()) + 300,
    'aud': AUDIENCE,
    'sub': SUBJECT,
    }
    assertion = jwt.encode(claim, private_key, algorithm='RS256', headers={'alg':'RS256'}).decode('utf8')

    print('Making OAuth request...')
    r = requests.post('https://test.salesforce.com/services/oauth2/token', data = {
    r = requests.post('https://{}.salesforce.com/services/oauth2/token'.format(DOMAIN), data = {
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': assertion,
    })

    print('Status:', r.status_code)
    print(r.json())
    print(r.json())
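    Review bot: after `'iss': CLIENT_ID` becomes `'iss': ISSUER`, the `CLIENT_ID = '3MVG9Vik22TU...'` line left in context at the top of the hunk is dead code, and it reads like a real consumer key checked into a public gist; suggest removing it outright and giving `ISSUER` the same "update this value" treatment as the other placeholders. The `AUDIENCE` line this hunk deletes had a comment recommending the very same URL as the "sandbox" alternative, so deriving it from `DOMAIN` is the right fix.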
  5. booleangate revised this gist Feb 28, 2018. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions a-salesforce-oauth-2.0-jwt-bearer-token-flow-walk-through.md
    @@ -1,6 +1,6 @@
    # Salesforce OAuth 2.0 JWT Bearer Token Flow Walk-Through

    This document will walk you through how to create or configure a Salesforce application for use with JWT authentication.
    This document will walk you through how to create or configure a Salesforce application for use with JWT authentication. These configuration steps and the example code works as of Salesforce API version 42.0.


    ## Prerequisites
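    Review bot: subject-verb agreement in the added sentence: "These configuration steps and the example code works as of Salesforce API version 42.0" should read "work as of". Pinning the API version is useful; consider also naming the PyJWT version the example was run with, since the `.decode('utf8')` call in example.py is version-sensitive.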
    @@ -23,8 +23,8 @@ Salesforce so that it can validate your signed JWT assertion.
    1. In the _Basic Information_ section, populate the required fields. The values are for book keeping only and are not part of using the API.
    1. In the _API (Enable OAuth Settings)_ section:
    1. Check _Enable OAuth Settings_
    1. _Callback URL_ is unused in the JWT flow but a value is a required field. Use "http://localhost/" or some other dummy host.
    1. Check _Use digital signatures_. Update _salesforce.crt_ that was generated earlier.
    1. _Callback URL_ is unused in the JWT flow but a value is required nonetheless. Use "http://localhost/" or some other dummy host.
    1. Check _Use digital signatures_. Upload the _salesforce.crt_ that was generated earlier.
    1. For _Selected OAuth Scopes_, add _Access and manage your data (api)_ and _Perform requests on your behalf at any time (refresh_token, offline_access)_
    1. Click _Save_. If there are any errors, you have to re-upload _salesforce.crt_.
    1. On the resulting app page, click _Manage_.
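    Review bot: the scope step (`add _Access and manage your data (api)_ and _Perform requests on your behalf at any time (refresh_token, offline_access)_`) presents these scopes as fixed, with no least-privilege guidance; because this flow later pre-authorizes users without a consent prompt, the walk-through should say that the selected scopes are the ceiling for everything the integration can do as those users and that only the scopes the code actually needs should be granted. Wording fixes in this hunk ("required nonetheless", "Upload the _salesforce.crt_") look good.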
  6. booleangate revised this gist Feb 28, 2018. 1 changed file with 18 additions and 18 deletions.
    36 changes: 18 additions & 18 deletions a-salesforce-oauth-2.0-jwt-bearer-token-flow-walk-through.md
    @@ -19,20 +19,20 @@ Salesforce so that it can validate your signed JWT assertion.
    1. Login to salesforce.
    1. Go to setup area (gear in the nav in the top right)
    1. In the side nav, go to _Apps_ > _App Manager_
    1. Click _New Connect App_
    1. In the _Basic Information_ section, populate the required fields. The values are for book keeping only and are not part of using the API.
    1. In the _API (Enable OAuth Settings)_ section:
    1. Check _Enable OAuth Settings_
    1. _Callback URL_ is unused in the JWT flow but a value is a required field. Use "http://localhost/" or some other dummy host.
    1. Check _Use digital signatures_. Update _salesforce.crt_ that was generated earlier.
    1. For _Selected OAuth Scopes_, add _Access and manage your data (api)_ and _Perform requests on your behalf at any time (refresh_token, offline_access)_
    1. Click _Save_. If there are any errors, you have to re-upload _salesforce.crt_.
    1. Click _New Connect App_
    1. In the _Basic Information_ section, populate the required fields. The values are for book keeping only and are not part of using the API.
    1. In the _API (Enable OAuth Settings)_ section:
    1. Check _Enable OAuth Settings_
    1. _Callback URL_ is unused in the JWT flow but a value is a required field. Use "http://localhost/" or some other dummy host.
    1. Check _Use digital signatures_. Update _salesforce.crt_ that was generated earlier.
    1. For _Selected OAuth Scopes_, add _Access and manage your data (api)_ and _Perform requests on your behalf at any time (refresh_token, offline_access)_
    1. Click _Save_. If there are any errors, you have to re-upload _salesforce.crt_.
    1. On the resulting app page, click _Manage_.
    1. Click _Edit Policies_.
    1. In the _OAuth policies_ section, change _Permitted Users_ to _Admin approved users are pre-authorized_.
    1. Click _Save_.
    1. Click _Edit Policies_.
    1. In the _OAuth policies_ section, change _Permitted Users_ to _Admin approved users are pre-authorized_.
    1. Click _Save_.
    1. Back on the app page again, in the _Profiles_ section, click _Manage Profiles_.
    1. On the _Application Profile Assignment_ page, assign the user profiles that will have access to this app.
    1. On the _Application Profile Assignment_ page, assign the user profiles that will have access to this app.


    ## OAuth Access Configuration
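    Review bot: this hunk only re-indents the sub-steps, which is the right fix for the nested list; while here, the line `change _Permitted Users_ to _Admin approved users are pre-authorized_` deserves a sentence explaining its effect, because it is the access-control boundary of the whole setup: once set, any user whose profile is assigned under _Manage Profiles_ can be named in the assertion's `sub` and a token is issued without that user ever seeing a consent screen, so the profile assignment in the last step should be as narrow as possible and reviewed when profiles change.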
    @@ -41,12 +41,12 @@ To use the API, the RSA private key and the _Consumer Key_ (aka client ID) from

    1. The private key is the key that was generated in the _Prequisite_ section above.
    1. To get the Salesforce application _Consumer Key_, do the following
    1. Login to salesforce.
    1. Go to setup area (gear in the nav in the top right)
    1. In the side nav, go to _Apps_ > _App Manager_
    1. In the list, find the application that you created in the _App Creation_ section above
    1. From the drop down in the application's row, click _View_
    1. The _Consumer Key_ is in the _API (Enable OAuth Settings)_ section.
    1. Login to salesforce.
    1. Go to setup area (gear in the nav in the top right)
    1. In the side nav, go to _Apps_ > _App Manager_
    1. In the list, find the application that you created in the _App Creation_ section above
    1. From the drop down in the application's row, click _View_
    1. The _Consumer Key_ is in the _API (Enable OAuth Settings)_ section.

    ## Parting Tips
    - To see successful OAuth logins, see the _Session Management_ page.
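    Review bot: the context line `The private key is the key that was generated in the _Prequisite_ section above.` misspells the section name; the heading is _Prerequisites_, so the cross-reference should match it exactly. Same for "_App Creation_ section above", whose heading is "Salesforce Application creation".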
  7. booleangate renamed this gist Feb 28, 2018. 1 changed file with 0 additions and 0 deletions.
  8. booleangate renamed this gist Feb 28, 2018. 1 changed file with 0 additions and 0 deletions.
  9. booleangate created this gist Feb 28, 2018.
    34 changes: 34 additions & 0 deletions example.py
    @@ -0,0 +1,34 @@
    # pip install jwt cryptography requests

    from datetime import datetime
    import jwt
    import time
    import requests

    KEY_FILE = 'salesforce.key'
    CLIENT_ID = '3MVG9Vik22TUgUphbgbEe0kXRZGFxDJ7TKOkiLJgixzNy4ssgvIpYsaVBBeU1ueKcAQA7hf4_sj.hQHnD1Nsl'
    AUDIENCE = 'https://test.salesforce.com' # or 'https://test.salesforce.com' if you're using the sandbox
    SUBJECT = '[email protected]'

    print('Loading private key...')

    with open(KEY_FILE) as fd:
    private_key = fd.read()

    print('Generating signed JWT assertion...')
    claim = {
    'iss': CLIENT_ID,
    'exp': int(time.time()) + 300,
    'aud': AUDIENCE,
    'sub': SUBJECT,
    }
    assertion = jwt.encode(claim, private_key, algorithm='RS256', headers={'alg':'RS256'}).decode('utf8')

    print('Making OAuth request...')
    r = requests.post('https://test.salesforce.com/services/oauth2/token', data = {
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': assertion,
    })

    print('Status:', r.status_code)
    print(r.json())
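    Review bot: `# pip install jwt` names the wrong package: `jwt.encode(claim, private_key, algorithm='RS256', ...)` is the PyJWT API, installed with `pip install PyJWT`, while the PyPI package called `jwt` is a different library with a different interface. Related nits in the same hunk: `from datetime import datetime` is unused; `headers={'alg':'RS256'}` is redundant because `algorithm='RS256'` already sets that header; `.decode('utf8')` assumes PyJWT 1.x, where `encode` returns bytes (2.x returns `str`, and the call fails); and the `AUDIENCE` comment offers the same `https://test.salesforce.com` value as the "sandbox" alternative. Finally, `print(r.json())` writes the access token to stdout, where it ends up in shell history and log capture; suggest printing the status code and, on failure, only the error fields of the response.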
    54 changes: 54 additions & 0 deletions salesforce-jwt-walk-through.md
    @@ -0,0 +1,54 @@
    # Salesforce OAuth 2.0 JWT Bearer Token Flow Walk-Through

    This document will walk you through how to create or configure a Salesforce application for use with JWT authentication.


    ## Prerequisites

    Create an RSA x509 private key/certification pair

    ```
    openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 -keyout salesforce.key -out salesforce.crt
    ```

    The private key (.key) will be used to sign the JWT claim generated by your code. The certificate will be uploaded to
    Salesforce so that it can validate your signed JWT assertion.

    ## Salesforce Application creation

    1. Login to salesforce.
    1. Go to setup area (gear in the nav in the top right)
    1. In the side nav, go to _Apps_ > _App Manager_
    1. Click _New Connect App_
    1. In the _Basic Information_ section, populate the required fields. The values are for book keeping only and are not part of using the API.
    1. In the _API (Enable OAuth Settings)_ section:
    1. Check _Enable OAuth Settings_
    1. _Callback URL_ is unused in the JWT flow but a value is a required field. Use "http://localhost/" or some other dummy host.
    1. Check _Use digital signatures_. Update _salesforce.crt_ that was generated earlier.
    1. For _Selected OAuth Scopes_, add _Access and manage your data (api)_ and _Perform requests on your behalf at any time (refresh_token, offline_access)_
    1. Click _Save_. If there are any errors, you have to re-upload _salesforce.crt_.
    1. On the resulting app page, click _Manage_.
    1. Click _Edit Policies_.
    1. In the _OAuth policies_ section, change _Permitted Users_ to _Admin approved users are pre-authorized_.
    1. Click _Save_.
    1. Back on the app page again, in the _Profiles_ section, click _Manage Profiles_.
    1. On the _Application Profile Assignment_ page, assign the user profiles that will have access to this app.


    ## OAuth Access Configuration

    To use the API, the RSA private key and the _Consumer Key_ (aka client ID) from the Salesforce application are needed.

    1. The private key is the key that was generated in the _Prequisite_ section above.
    1. To get the Salesforce application _Consumer Key_, do the following
    1. Login to salesforce.
    1. Go to setup area (gear in the nav in the top right)
    1. In the side nav, go to _Apps_ > _App Manager_
    1. In the list, find the application that you created in the _App Creation_ section above
    1. From the drop down in the application's row, click _View_
    1. The _Consumer Key_ is in the _API (Enable OAuth Settings)_ section.

    ## Parting Tips
    - To see successful OAuth logins, see the _Session Management_ page.
    - Help: https://salesforce.stackexchange.com/questions/207685
    - For more info including a poorly done Java example, see https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5
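    Review bot: the walk-through never says what the `sub` claim in the assertion must be, even though example.py builds one from `SUBJECT`; suggest stating, next to the _Application Profile Assignment_ step, that `sub` is the Salesforce username of the user the integration acts as and that the token request is refused unless that user's profile was assigned there. Smaller points: "Create an RSA x509 private key/certification pair" should say "certificate pair" (the command produces a self-signed certificate, which is fine since Salesforce only needs the public key from it), and the _Session Management_ tip would be more useful for monitoring if it also mentioned where failed token requests are visible, since that is where an attempt with a stale or leaked key would show up.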