Setup Salesforce Auto-Deployments (JWT OAuth Flow)

1. Create a Public/Private Key Pair

To authenticate using JWT, you'll need an RSA key pair.

📍 Generate the Keys (using OpenSSL)

# Generate private key
openssl genrsa -out server.key 2048

# Generate public key from private key
openssl rsa -in server.key -pubout -out server.pub
  • server.key = Private key (used to sign the JWT; never leaves the deployment host)

  • server.pub = Public key (Salesforce needs a certificate rather than a bare public key, so the next step wraps this key in a self-signed certificate)

📍 Generate a Self-Signed X.509 Certificate

Use your existing private key to generate the certificate:

# Self-signed certificate derived from server.key (valid for 10 years)
openssl req -new -x509 -key server.key -out server.crt -days 3650 -subj "/CN=AutomatedDeployment"
  • server.key: your private key

  • server.crt: your self-signed certificate (this is what you upload to Salesforce)

  • The -subj flag supplies the subject non-interactively and avoids the prompts (in Git Bash on Windows, write it as "//CN=AutomatedDeployment" to stop MSYS from rewriting the leading slash as a path)


2. Create the Connected App in Salesforce

  1. Login to Salesforce Setup

    • Go to Setup → App Manager → New Connected App

      • Note: this example uses the "Create a Connected App" option

  2. Basic Information

    • Connected App Name: e.g., Eos Automated Deployment JWT

    • API Name: auto-filled

    • Contact Email: your email

  3. Enable OAuth Settings

    • ☑️ Enable OAuth Settings

    • Callback URL: http://localhost/callback (dummy for JWT)

  4. Enable JWT Flow

    • ☑️ Use digital signatures

    • Upload the certificate (i.e., server.crt)

  5. Selected OAuth Scopes:

    • Full Access (full)

    • Perform requests on your behalf at any time (refresh_token, offline_access)

    • Add others as needed (e.g., Access and manage your data (api))

  6. Save the App

    • After saving, click Continue

    • Save the Consumer Key for use in the JWT assertion


3. Configure the Connected App Policy

  • Under Connected App → Manage → Edit Policies, set the OAuth Policies "Permitted Users" to "Admin approved users are pre-authorized" (the JWT flow has no interactive consent step, so the deployment user must be pre-authorized through its profile or permission set)

4. Configure the Salesforce User

Ensure the user (usually a deployment service account) meets these criteria:

  • Has the correct Profile or Permission Set with API access to the connected app

  • Belongs to the same org where the Connected App was created

  • Username (the login used as {{USERNAME}} below) must match the sub (subject) claim in the JWT


5. Use the sf CLI to validate the JWT

sf org login jwt \
  --client-id {{CONSUMER_KEY}} \
  --jwt-key-file ./server.key \
  --username {{USERNAME}} \
  --instance-url https://{{instance}}.salesforce.com \
  --alias {{alias name}}

6. (Optional) Build the JWT Assertion Manually

A JWT assertion has the following structure:

📍 Header (Base64-encoded)

{
  "alg": "RS256",
  "typ": "JWT"
}

📍 Payload (Base64-encoded)

{
  "iss": "{{CONSUMER_KEY}}",
  "sub": "{{USERNAME}}",
  "aud": "https://{{instance}}.salesforce.com",
  "exp": <current time + 5 minutes in epoch seconds>
}

For sandboxes, use https://test.salesforce.com as the aud value.

📍 Sign the JWT

Use the private key (server.key) to sign the JWT using RS256. The signing input is base64url(header) + "." + base64url(payload); the finished assertion is that string followed by "." + base64url(signature). Keep exp short, because anyone holding the assertion can exchange it for an access token until it expires.


7. Test JWT Login with Postman

  1. Set up a POST request

    URL:

    https://{{instance}}.salesforce.com/services/oauth2/token

    Headers:

    Content-Type: application/x-www-form-urlencoded

    Body (x-www-form-urlencoded):

    grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
    assertion: <your signed JWT>
  2. Send the request

    If successful, Salesforce will respond with:

    {
      "access_token": "...",
      "instance_url": "https://{{instance}}.salesforce.com",
      "token_type": "Bearer",
      "issued_at": "...",
      "signature": "..."
    }

    Success! You can now use the access_token to make authenticated API requests.


✅ Tips

  • Use libraries like jsonwebtoken (Node.js) or pyjwt (Python) to automate JWT creation and signing.

  • You can add multiple keys later under Connected App → Manage → Edit Policies → Use Digital Signatures.
