Adding a Salesforce OAuth(Web Flow) connection

Traditional Salesforce connections in Provar are dependent on the username and password to make a connection which in turn is used to download Salesforce metadata, make API calls, and create and execute automated tests. Passwords are held independently by Provar projects and can be securely encrypted.

With our new Salesforce OAuth(Web Flow) Connection feature, Provar users can create a Salesforce connection using a connected app instead of a username and password; so the password is not shared and enhanced security can be implemented.

Using Connected Apps also benefits teams using Single-sign on (SSO) and/or Multi-factor authentication (MFA), including Salesforce verification codes, by avoiding the need to change their access levels to allow tests to be executed.

OAuth is an open-standard authorization protocol that provides a secure designated access. OAuth does not share the password data but instead authorizes an application to access data from a protected resource through the exchange of tokens. OAuth tokens are basically permissions given to a client application with restricted permissions.

Overall flow of creating a Salesforce OAuth(Web Flow) Connection

The following is a summary of the steps taken to create a new Salesforce OAuth(Web Flow) connection in Provar. 

1. Create a New Connected App in the Salesforce org with the required scopes and permissions.

Note: A Connected App is a prerequisite to create a Salesforce OAuth connection. If you haven’t created any Connected App earlier, please create a new Connected App in the Salesforce org first.

2. Edit the Connected App to set the field values.

3. Create a new Salesforce OAuth connection in Provar.

 3a. Use a Salesforce Web Flow authorization to generate the tokens needed to complete the Salesforce OAuth connection.

 3b. Test the Salesforce OAuth connection.

The detailed flow and steps are given in the following sections of this support article.

Step 1: Create a New Connected App.

Note: Each Connected App allows only five unique approvals per app, after the fifth approval is made, the oldest approval is revoked.

Create a new Connected App in the Salesforce org:

  • In Lightning Experience – In the Setup, enter App in the Quick Find box and select App Manager. Click New Connected App. For more information, please see Connected App.
  • In Salesforce Classic – In the Setup, enter Apps in the Quick Find box and select Apps. In Build > Create, under Connected Apps, click New.

The Consumer Key, Consumer Secret and Callback URL must be available for this org. For example, the screenshot given below shows we have created a Salesforce connected app named Provar_Connected_App.

Only users who have the access to Provar_Connected_App can authorize themselves and can generate tokens.

The Contact Email field is mandatory. Users must enter their contact email in this field; any login failures will be notified to this email address. Select Enable OAuth Settings checkbox to set Selected OAuth Scopes and the Callback URLThe Selected OAuth Scopes are mandatory in the Provar_Connected_App to connect and download the metadata.

Above: View of the fields in the Connected App.

The Consumer Key and Consumer Secret don’t appear until after the first time the connected app is saved. With the Consumer Key, the Consumer Secret, the Callback URL (The Callback URL is a standard Salesforce Callback URL which is supported but users can have their own customized Callback URL as well) and the Selected OAuth Scopes, we now have OAuth codes and basic information that we require. 

Note: In Salesforce, the Consumer Secret and Callback URL are revealed if the user wants to view these field values. In general, a Salesforce org can have any number of Callback URLs but the Callback URL that the user provides must be the one that they have in their connected app.

Salesforce has complete control when the Refresh Tokens are applied, if they are expired or not. Generally, they have a time limit after which the token expires. Provar will automatically request a new token when the current one expires. 

Note: One Connected App can be used by many Salesforce OAuth connections in Provar.

Step 2: Edit the Connected App settings to set the field values.

After we have created a connected app, we can make changes to its configuration. In Apps > Connected Apps > Manage Connected Apps, select your connected app and edit. A Connected App Edit screen is displayed, edit the connected app and set the fields in the OAuth policies as given below:

Note: There can be a 2-10 minute time delay before you can follow the steps given below.

  • Permitted Users – Provar users who can enable the Salesforce org.

a.) The Admin approved users are pre-authorized option – allows only users with the associated profile to access the app without first authorizing it.

b.) The All Users may self-authorize option – enables anyone in the org to authorize the app after successfully signing in.

In this example, we have selected Admin approved users are pre-authorized. This is the preferred way of connection. We want only pre-authorized users to run the app.

We can use profiles or permission sets to define pre-authorized users.

Note: Click Manage Profiles to select profiles to assign to the app from the Application Profile Assignment page. Assign profiles that you want to be able access the app.

In this example, we have created a permission set. To give permissions only to some users and not for the full profile, it is done through permission sets.


Above: View of the Profiles and Permission sets. 

For Permission set:

a) From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps. Click Provar_Connected_App.

b) Scroll to Permission Sets. Click Manage Permission Sets to select the permission sets to assign to the app from the Application Permission Set Assignment page. Assign permission sets that you want to be able to access to the app.

c) In the display list, you can see “Provar Connected App” permission set. We have created this new permission set. Select this “Provar Connected App” permission set.

d) Click Save.

Now, all users with “Provar Connected App” permission set are pre-authorized to use the Provar_Connected_App.

  • IP Relaxation –  In this example, we have selected Relax IP restrictions. This allows the maximum flexibility for running your tests from different server locations, cloud based environments or team members working from multiple locations.
  • Refresh Token Policy – Users can select the token refresh option as required. 
  • Timeout Value – This is a session policy. This timeout value is a session inactive time. In this example, we have generated an Access Token that is valid for 15 minutes of inactive time. After that it logs out or invalidates the previously generated sessions.

Above: Editing the Connected App settings. 

Note: Users can revoke the connected app’s access token or refresh token if they wish to immediately remove access to Salesforce.

Step 3: Create a new Salesforce OAuth Connection in Provar.

A Provar user can connect to a particular app and download the metadata by creating a new Salesforce OAuth connection. In the Test Settings, navigate to the Connections tab and click the plus (+) sign icon.

The Add New Connection screen is displayed. Give a Connection Name. For information about creating a Salesforce connection in Provar, you can refer to Creating a Salesforce connection

In the Connection Type field, select Salesforce then select Normal Salesforce Connection

Above: Selecting Salesforce OAuth(Web Flow) connection in Provar.

The connection options are displayed as given below:

  • Normal Log-in (with Username and Password).
  • Use ‘Log-on-as’ via an Admin Connection.
  • OAuth (Web Flow).
  • OAuth (JWT Flow).

Select OAuth(Web Flow).

Above: Salesforce OAuth connection created in Provar.

In the Basic Settings section, the Consumer Key and Consumer Secret values are populated from the Provar_Connected_App. The Consumer Key and Consumer Secret are already available in the Normal Log-in connection, in the Advanced Settings.

Step 3a: Use Salesforce Webflow Authorisation to generate the tokens.

Above: Salesforce Webflow Authorisation in Provar. 

In the Salesforce OAuth Connection feature, as we want to authenticate the user without a password, Webflow is used to generate the Access Token; and this token can be refreshed when required. 

Click Authorise.

When the user clicks on Authorise, a request is made to the Salesforce to communicate the Consumer Key, Consumer Secret and the Callback URL from the Salesforce org. And, Salesforce will generate the Access Token and Refresh Token. These tokens can be renewed and revoked.

A Salesforce Webflow Authorisation screen is displayed. To generate the Salesforce token, users will need the identification and will have to give the Salesforce credentials. Enter the Salesforce Username and Password. Click Login.

Note: Salesforce authenticates users and generates the tokens. These tokens are saved as Access Token and Refresh Token.

Above: View of the generated Access Token and Refresh Token. 

The Consumer Key, Consumer Secret and the Callback URL, Access Token and Refresh Token are automatically populated by Provar when the user provides the authorization. 

Note: The Consumer Key, Consumer Secret and the Callback URL fields are editable.

To provide the Callback URL:

       a) If it is a Production or a Development environment then please use the link login salesforce.

       b) If it is a Sandbox environment then please use the link test salesforce.

After authorization, if the user tries to change any data in the Consumer Key or Consumer Secret then the Access Token and Refresh Token are nullified and the user has to reauthorize.

The API Login URL and Identity Service URL fields are also automatically populated by Provar when the user provides the authorization. These fields are read-only and can be viewed in Advanced Settings.

Above: View of read-only fields in the Advanced Settings.

Note: The API Login URL and Identity Service URL fields are also available in the Normal Log-in connection in Advanced Settings.

Step 3b: Test the Salesforce OAuth Connection.

Click Test Connection to check the connection. When the connection is validated, click OK.

Above: Testing the Salesforce OAuth Connection in Provar. 

Note: If the Access Token or Refresh Token expires then the user can regenerate it. And, the Consumer Key, Consumer Secret and Callback URL are encrypted because these are saved in the Provar Secrets file.

Above: Salesforce OAuth connection is created and tested and can be used like any other Salesforce connection.

Only the method to create the Salesforce OAuth connection is different. The user can make use of this connection just like any other Salesforce connection. Also, there is no limitation on the number of OAuth connections that can be created and used. 

Above: View of the fields in the Salesforce Connect test step.

Note: In the Salesforce Connect test step, the four fields given below are not applicable for Salesforce OAuth connection. Even if the user gives these values, they will be nullified.

  • User Name override
  • Password override
  • Security override
  • Environment override
Review Provar on G2
Documentation library

Other available resources

Looking for something different?

We use cookies to better understand how our website is used so we can tailor content for you. For more information about the different cookies we use please take a look at our Privacy Policy.

Scroll to Top