Description
How to authenticate Salesforce with JWT and OpenSSL. Useful for setting up CI/CD Pipelines for automating repetitive tasks.
Salesforce docs: Salesforce Developers
Create certificates and keys locally using OpenSSL
The first step is to create a private key and a self-signed certificate. The certificate is what we upload to the Connected App we create in Salesforce later in the process; the private key stays on your machine (and later in your CI secret store) and is what signs the JWT, so treat it as a credential and never commit it to a repository.
If your operating system is Windows, install OpenSSL before attempting these commands. Most Linux and macOS systems already ship with OpenSSL (macOS ships LibreSSL, which accepts the same commands); check with ‘openssl version’ and then just execute the commands.
The Process
In your terminal/command prompt, type the following commands. The first creates a passphrase-protected key named ‘server.pass.key’; the second strips the passphrase and writes the unencrypted private key ‘server.key’. ‘server.pass.key’ can be deleted once ‘server.key’ has been generated. A passphrase given on the command line with pass: ends up in your shell history and is visible to other local processes while the command runs, so use a throwaway value here; the key that matters is the unencrypted ‘server.key’.
openssl genpkey -des3 -algorithm RSA -pass pass:SomePassword -out server.pass.key -pkeyopt rsa_keygen_bits:2048
openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
Next, type the following command in the terminal/command prompt to generate the certificate signing request ‘server.csr’. You'll be asked to input some basic details about your organisation; when it prompts you for a challenge password, just press Enter to leave it empty.
openssl req -new -key server.key -out server.csr
Now, type the following command in the terminal/command prompt to generate the self-signed certificate ‘server.crt’, valid for 365 days. Salesforce stops accepting assertions signed with a key once its uploaded certificate has expired, so note the renewal date and plan to generate and upload a new certificate before then.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Create a Connected App to Authenticate Against
In this step, we create a new Connected App that the CI/CD process will authorize against, using the certificate we created earlier in the process.
- Log in to your Salesforce Org
- Navigate to Setup -> Apps -> App Manager
- Click New Connected App
- Connected App Name = My New App Name
- Contact Email = any@emailaddress.com
- Enable OAuth Settings = true
- Callback URL = http://localhost:1717/OauthRedirect (the JWT flow never redirects to it, but the field is required once OAuth is enabled)
- Use digital signatures = true
- Upload the server.crt file from your local machine (only the certificate is uploaded; server.key never leaves your machine or your CI secret store)
- Selected OAuth scopes:
  Access and manage your data (api)
  Perform requests on your behalf at any time (refresh_token, offline_access)
  Provide access to your data via the Web (web)
- Require Secret for Web Server Flow = true
- Save the app, then click the Manage button on the connected app, set the following and save:
- Permitted Users: Admin-approved users are pre-authorized
- After saving the permitted users, scroll down to the Profiles related list and click the Manage Profiles button.
- Add the System Administrator profile, or the equivalent profile that your user is set up with.
After saving, note the Consumer Key on the Connected App's detail page (behind Manage Consumer Details in newer orgs); it is the client id used when authenticating. Pre-authorizing the profile is what lets the JWT flow obtain a token with no interactive consent, so keep the pre-authorized profiles (or permission sets) limited to the pipeline's user, and grant only the OAuth scopes the pipeline actually needs.
Test that the setup has worked on your local machine
Run the command below on your local machine, with the placeholders replaced, to check that the setup works. The instance URL is https://login.salesforce.com for production and Developer Edition orgs, or https://test.salesforce.com for sandboxes; the username is the user whose profile you pre-authorized above. Once it succeeds, the same command is ready for use in a CI/CD pipeline, with the Consumer Key and server.key supplied from the pipeline's secret store (for example written to a temporary file from a secret variable) rather than committed to the repository. The command uses the legacy sfdx syntax; the current sf CLI equivalent is sf org login jwt with --client-id, --jwt-key-file, --username and --instance-url.
sfdx force:auth:jwt:grant --clientid <Consumer Key from connected app> --jwtkeyfile <path to server.key> --username <UserName in profile authenticated above> --instanceurl <Salesforce login URL>
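The OpenSSL steps above and the sfdx test command together implement the OAuth 2.0 JWT bearer flow. The script below is an added example, not code from the original page or from the Salesforce CLI: it repeats the key and certificate generation non-interactively, builds the signed assertion that sfdx force:auth:jwt:grant sends to Salesforce, and checks the signature locally against the certificate, which is the same check Salesforce performs with the uploaded server.crt. The consumer key, username and login URL are placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page or the Salesforce CLI):
# non-interactive key/cert generation plus the JWT bearer assertion
# behind `sfdx force:auth:jwt:grant`. Consumer key, username and
# login URL are placeholders you replace with your own values.
set -eu

# Base64url without padding (RFC 7515), as JWT segments require.
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Inverse of b64url: restore '+' '/' and '=' padding, then decode.
b64url_decode() {
  local s="$1"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s\n' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# The page's three OpenSSL steps, with -subj so nothing prompts.
# Writes the unencrypted private key to $1 and the certificate to $2.
make_key_and_cert() {
  local key="$1" cert="$2" csr
  csr=$(mktemp)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  openssl req -new -key "$key" -subj "/CN=ci-jwt" -out "$csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" -out "$cert" 2>/dev/null
  rm -f "$csr"
}

# Build the assertion: iss = Consumer Key of the Connected App,
# sub = the pre-authorized username, aud = login URL
# (login.salesforce.com, or test.salesforce.com for sandboxes).
# Salesforce rejects assertions that expire more than 5 minutes ahead;
# 3 minutes leaves margin for clock skew on the CI runner.
make_assertion() {
  local key="$1" client_id="$2" username="$3" login_url="$4"
  local exp header payload sig
  exp=$(( $(date +%s) + 180 ))
  header=$(printf '{"alg":"RS256"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' \
    "$client_id" "$username" "$login_url" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# Print the claims JSON of an assertion (handy in a pipeline log).
claims_of() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Verify the RS256 signature with the certificate's public key, as
# Salesforce does with the uploaded server.crt. Returns 0 if valid.
verify_assertion() {
  local jwt="$1" cert="$2" pub sigfile rc
  pub=$(mktemp); sigfile=$(mktemp)
  openssl x509 -in "$cert" -pubkey -noout > "$pub"
  b64url_decode "$(printf '%s' "$jwt" | cut -d. -f3)" > "$sigfile"
  if printf '%s' "${jwt%.*}" \
      | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$pub" "$sigfile"
  return "$rc"
}

# Exchange the assertion for an access token (needs network; not run here).
request_token() {
  local login_url="$1" jwt="$2"
  curl -sS -X POST "$login_url/services/oauth2/token" \
    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
    --data-urlencode "assertion=$jwt"
}

# Demo: sh jwt_check.sh <consumer key> <username> <login url>
# Generates a throwaway key pair, builds an assertion and checks it locally.
if [ "$#" -eq 3 ]; then
  dir=$(mktemp -d)
  make_key_and_cert "$dir/server.key" "$dir/server.crt"
  jwt=$(make_assertion "$dir/server.key" "$1" "$2" "$3")
  claims_of "$jwt"; echo
  verify_assertion "$jwt" "$dir/server.crt" && echo "signature OK"
fi
```

What the sfdx command hides is this exchange: the signed assertion is POSTed to the login URL's /services/oauth2/token endpoint, Salesforce validates the signature against the uploaded certificate, checks that iss matches the Consumer Key and that sub is a user pre-authorized through the Connected App, and returns an access_token. Running the local signature check in the pipeline before calling Salesforce gives an immediate "wrong key for this certificate" diagnosis instead of an opaque invalid_grant from the token endpoint.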