Adding a Salesforce OAuth (JWT Flow) connection

For server-to-server integration, you may not want to rely on specific user credentials or on OAuth access via the Web flow, in case the user account used is deactivated, locked out or frozen in the future. For cases like these, you can use the OAuth 2.0 JSON Web Token (JWT) bearer flow. This flow uses a certificate to sign the JWT request and doesn’t need explicit user interaction. However, this flow requires prior approval of the Connected App.

Salesforce has introduced some ways to authorize this request via various certificates. Provar now supports two types of certificates for OAuth (JWT Flow): Java Key Store (JKS) and Private Key.

Pre-requisites:

A Connected App is a prerequisite to create a Salesforce OAuth (JWT Flow) connection. If you haven’t created any Connected App earlier, please create a new Connected App in the Salesforce org first. For more information on creating a Connected App, please refer to Creating Connected App.

The OAuth (JWT Flow) requires prior approval of the Connected App. A prior approval of the Connected App can be done in one of the ways mentioned below:

  • If your Connected App policy is set to Admin approved users are pre-authorized, you can use profiles and permission sets to determine which user records can be used via the Connected App permission.
  • If your Connected App policy is set to All users may self-authorize, you can use any user account with end-user approval and issuance of a refresh token. However, the client isn’t required to have a current or stored refresh token. The client also isn’t required to pass a client secret to the token endpoint.

Note: As of this writing, Provar supports the Admin approved users are pre-authorized policy.

To connect with a particular Connected App, the user needs to provide a certificate. While creating a Connected App, in the API section:

  • Select the Enable OAuth Settings checkbox.
  • In the Use digital signatures field, upload a certificate that you have created. It will be linked to the Connected App being created.

Steps to add an OAuth (JWT Flow) connection in Provar

In the Add New Connection screen –

    • In the Connection Name field, enter the name of the connection.
    • In the Description field, enter the description for the connection.
    • In the Connection Type field, select Salesforce and Normal Salesforce connection. Select OAuth (JWT Flow).
    • In the Encryption Option field, select any one option:
      • Option 1: Java Key Store (JKS)
      • Option 2: Private Key 

Note: In your Salesforce org, create a certificate in the Certificate and Key Management section for the JKS or Private Key.

There are three options to create a certificate:

A) Create Self-Signed Certificate – With this option, the user creates the certificate directly. Most users create the certificate this way. This involves encryption and decryption at user level only.

Note: Most users will use the Create Self-Signed Certificate option to create the certificate. 

Click Create Self-Signed Certificate. A Certificate and Key Edit screen is displayed. 

In the Label field, enter the name.

In the Unique Name field, enter the unique name.

Click Save.

Similarly, you can create a few certificates.

B) Create CA-Signed Certificate – With this option, the user creates the certificate and then sends it to a third-party certificate authority, which signs the certificate on the user’s behalf for a fee.

C) Export to Key Store – This option corresponds to the Java Key Store field in Provar. This is the standard way of handling the certificate. If the user clicks Export to Key Store, all the certificates are combined into a single file, and that file is exported and downloaded to the user’s system.

Click Export to Key Store. 

In the Key Store Password field, enter the password.

Click Export.

The file is exported as a (.jks) file, and this (.jks) file holds the user’s certificates.

Option 1: Creating an OAuth (JWT) connection with Java Key Store (JKS)

  • In the Encryption Option field, select Java Key Store (JKS).
  • In the Consumer Key field, enter the consumer key. Copy the Consumer Key that corresponds to the Connected App and paste it in this field.

Note: The Consumer Key is required here because users connect to Salesforce only via this Connected App. For more information on the Consumer Key, please refer to consumer key.

  • In the Key Store field, upload the key store file, which has the (.jks) extension. Click Browse and upload the file.
  • In the Certificate Name field, enter the certificate name that corresponds to that Connected App.
  • In the Key Store Password field, enter the key store password that you provided when you downloaded the (.jks) file.
  • In the Username field, enter the username with which you logged in to Salesforce.
  • Click Authorise.
  • When the user clicks Authorise, Provar creates a JWT in the back end and sends it to Salesforce, and Salesforce sends the Access Token details back to Provar.
  • In the Access Token field, the Access Token details received from Salesforce are automatically populated.

Note: If the user tries to Authorise again and any detail is incorrect or incomplete, an error message is displayed.

  • Click Test Connection to check if the connection is successful and click OK.

Option 2: Creating an OAuth (JWT) connection with a Private Key

OAuth is an open-standard authorization protocol that provides secure designated access. OAuth does not share the password data but instead authorizes an application to access data from a protected resource through the exchange of tokens. OAuth tokens are basically permissions given to a client application with restricted permissions.

  • In the Encryption Option field, select Private Key.
  • In the Consumer Key field, enter the consumer key. Copy the consumer key that corresponds to the Connected App and paste it in this field.
  • In the Private Key field, upload the private key file. Click Browse. If the Private Key option is selected, then only (.key) files are highlighted. Select the (.key) extension file. Click Open.
  • In the Username field, enter the username with which you logged in to Salesforce.
  • In the Environment field, select Production/Developer Edition.
  • Click Authorise.
  • When the user clicks Authorise, Provar creates a JWT in the back end and sends it to Salesforce, and Salesforce sends the Access Token details back to Provar.
  • In the Access Token field, the Access Token details received from Salesforce are automatically populated.

Note: If the user tries to Authorise again and any detail is incorrect or incomplete, an error message is displayed.

  • Click Test Connection to check if the connection is successful and click OK.
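
The JWT that is created and sent to Salesforce on Authorise (in both Option 1 and Option 2) follows the OAuth 2.0 JWT bearer flow. The shell example below is added here and is not Provar's code: it signs such an assertion with openssl, using the Consumer Key as iss and the Username as sub, then checks the signature with the public key, as the server does with the certificate uploaded under Use digital signatures. The function names, throwaway key pair, sample consumer key and username are constructed, and the audience shown is the Salesforce login URL for production and Developer Edition orgs.

```shell
# Added example, not Provar's code. Sample consumer key and username are constructed.
# Assumes the values contain no characters that need JSON escaping.

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_assertion KEY_PEM CONSUMER_KEY USERNAME AUDIENCE [TTL_SECONDS]
make_assertion() (
  exp=$(( $(date +%s) + ${5:-180} ))            # keep the assertion short-lived
  header=$(printf '{"alg":"RS256"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%d}' \
             "$2" "$3" "$4" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" |
          openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$claims" "$sig"
)

# verify_assertion JWT PUBLIC_KEY_PEM
# Returns 0 only when the RS256 signature matches the header and claims.
verify_assertion() (
  signed=${1%.*}; sig=${1##*.}
  # restore the base64 padding that base64url encoding strips
  case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
  tmp=$(mktemp) || exit 1
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
  if printf '%s' "$signed" |
       openssl dgst -sha256 -verify "$2" -signature "$tmp" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$tmp"; exit "$rc"
)

# Demo with a throwaway key pair (stands in for the .key file and its certificate).
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/server.key" 2048 2>/dev/null
openssl rsa -in "$demo_dir/server.key" -pubout -out "$demo_dir/server.pub" 2>/dev/null
jwt=$(make_assertion "$demo_dir/server.key" "3MVG9.constructed.consumer.key" \
        "integration.user@example.com" "https://login.salesforce.com")
verify_assertion "$jwt" "$demo_dir/server.pub" && echo "signature OK"
rm -rf "$demo_dir"

# The assertion is then exchanged at the token endpoint (not run here):
#   curl https://login.salesforce.com/services/oauth2/token \
#     -d grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
#     --data-urlencode "assertion=$jwt"
```

A signature check that fails here points to a mismatch between the private key in use and the certificate attached to the Connected App, which is the first thing to rule out when Authorise returns an error.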