Setup Salesforce Auto-Deployments (JWT OAuth Flow)

1. Create a Public/Private Key Pair

To authenticate using JWT, you'll need an RSA key pair.

📍 Generate the Keys (using OpenSSL)

# Generate private key
openssl genrsa -out server.key 2048

# Generate public key from private key
openssl rsa -in server.key -pubout -out server.pub

server.key = Private key (used to sign JWT)
server.pub = Public key (uploaded to Salesforce)

Generate a Self-Signed X.509 Certificate

Use your existing private key to generate the certificate:

openssl req -new -x509 -key olympus-grid-alpha-1.key -out olympus-grid-alpha-1.crt -days 3650 -subj "//CN=AutomatedDeployment"

server.key: your private key
server.crt: your self-signed certificate (this is what you upload to Salesforce)
The -subj flag avoids prompts

2. Create the Connected App in Salesforce

Login to Salesforce Setup
- Go to Setup → App Manager → New Connected App
  - Note - We used the "Create a Connected App" in this example
Basic Information
- Connected App Name: e.g., Eos Automated Deployment JWT
- API Name: auto-filled
- Contact Email: your email
Enable OAuth Settings
- ☑️ Enable OAuth Settings
- Callback URL: http://localhost/callback (dummy for JWT)
Enable JWT Flow
- ☑️ Use digital signatures
- Upload the certificate (i.e., server.crt)
Selected OAuth Scopes:
- Full Access (full)
- Perform requests on your behalf at any time (refresh_token, offline_access)
- Add others as needed (e.g., Access and manage your data (api))
Save the App
- After saving, click Continue
- Save the Consumer Key for use in the JWT assertion

3. Configure the Connected App Policy

Set the OAuth Policies to "Admin approved users are pre-authorized"

3. Configure the Salesforce User

Ensure the user (usually a deployment service account) meets these criteria:

Has the correct Profile or Permission Set with API access to the connected app
Belongs to the same org where the Connected App was created
Username (e.g., [email protected]) must match the sub (subject) claim in the JWT

4. Use the sf cli to validate the jwt

sf org login jwt \
  --client-id {{CONSUMER_KEY}} \
  --jwt-key-file ./server.key \
  --username {{USERNAME}} \
  --instance-url https://{{instance}}.salesforce.com \
  --alias {{alias name}}

5. (Optional) Build the JWT Assertion Manually

A JWT assertion has the following structure:

📍 Header (Base64-encoded)

{
  "alg": "RS256",
  "typ": "JWT"
}

📍 Payload (Base64-encoded)

{
  "iss": "{{CONSUMER_KEY}}",
  "sub": "{{USERNAME}}",
  "aud": "https://{{instance}}.salesforce.com",  // Or test.salesforce.com for sandboxes
  "exp": <current time + 5 minutes in epoch seconds>
}

📍 Sign the JWT

Use the private key (server.key) to sign the JWT using RS256.

Set up a POST request

URL:

https://{{instance}}.salesforce.com/services/oauth2/token

Headers:

Content-Type: application/x-www-form-urlencoded

Body (x-www-form-urlencoded):

grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
assertion: <your signed JWT>

Send the request

If successful, Salesforce will respond with:

{
  "access_token": "...",
  "instance_url": "https://{{instance}}.salesforce.com",
  "token_type": "Bearer",
  "issued_at": "...",
  "signature": "..."
}

✅ Success! You can now use the access_token to make authenticated API requests.

✅ Tips

Use libraries like jsonwebtoken (Node.js) or pyjwt (Python) to automate JWT creation and signing.
You can add multiple keys later under Connected App → Manage → Edit Policies → Use Digital Signatures.

PreviousSigning Git Commits with GPG NextOlympus-Grid Security

Last updated 8 months ago

hashtag1. Create a Public/Private Key Pair

hashtag2. Create the Connected App in Salesforce

hashtag3. Configure the Connected App Policy

hashtag3. Configure the Salesforce User

hashtag4. Use the sf cli to validate the jwt

hashtag5. (Optional) Build the JWT Assertion Manually

hashtag5. Test JWT Login with Postman

hashtag✅ Tips