0.2.1 • Published 2 years ago

@mars/make-connected-app-jwt v0.2.1

License
MIT

Make Salesforce Connected App with JWT certificate auth

To automate testing & deployment of Salesforce customization & integrations, headless authentication is required. Salesforce does not provide simple API keys. Instead, Salesforce provides JWT-based headless auth to support continuous integration (CI).

This JavaScript module streamlines the process of setting up a new Connected App for headless auth.

Requirements

  • install Node.js v16+ for npx command
  • sfdx auth:web:login to the target Salesforce org for the new Connected App
    • prerequisite: install sfdx CLI
    • the login username must have permissions to create a Connected App, such as a System Administrator
    • the login username should be set in the SFDX_USERNAME variable for the following commands.
  • openssl CLI which comes pre-installed on most Unix-like systems: macOS, Linux, & WSL.

Usage

1. Generate a self-signed certificate (public-private key pair)

mkdir salesforce-jwt-auth/ && cd salesforce-jwt-auth/

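# Generate a passphrase-protected 4096-bit RSA key, write an unencrypted copy
# (connected-app.key) for headless use, then delete the protected original.
# connected-app.key is the login secret: keep it out of version control.
export PASS="$(openssl rand -hex 20)"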
openssl genrsa -aes256 \
  -passout "pass:$PASS" \
  -out connected-app.pass.key \
  4096
openssl rsa -passin "pass:$PASS" \
  -in connected-app.pass.key \
  -out connected-app.key
rm connected-app.pass.key

# This next command will create the certificate identity;
# fill in sensible values, which will appear in the connected app in Salesforce;
# set the Common Name to "AdminJWTLogin" or to match the Label of the Connected App
# you'll create next.
openssl req -new \
  -key connected-app.key \
  -out connected-app.csr

openssl x509 -req -sha256 -days 365 \
  -in connected-app.csr \
  -signkey connected-app.key \
  -out connected-app.crt

cd -

2. Run make-connected-app-jwt

npx @mars/make-connected-app-jwt \
  --username "$SALESFORCE_USERNAME" \
  --label AdminJWTLogin \
  --email "$CONTACT_EMAIL" \
  --certificate-file salesforce-jwt-auth/connected-app.crt

The command should eventually output the new Connected App's metadata, including a consumerKey element.

3. Log in to org via JWT grant

From here, to log in to the org:

sfdx force:auth:jwt:grant \
  --clientid <consumerKey> \
  --jwtkeyfile salesforce-jwt-auth/connected-app.key \
  --username <admin username>

Replace:

  • <consumerKey> with the element's value returned in the previous step
  • <admin username> with a System Administrator username.

Development

Customization

šŸ“ Fork this repo to edit it as you wish.

The Connected App's properties, such as Permissions & Profiles, may be modified in templates/connectedApp-meta.xml.liquid.

Running locally

Clone this repo. Then, in the repo, install & run the command:

npm install
npm start -- \
  --username "$SALESFORCE_USERNAME" \
  --label AdminJWTLogin \
  --email "$CONTACT_EMAIL" \
  --certificate-file salesforce-jwt-auth/connected-app.crt

Releases

Automated via merge-release GitHub action.

🚚←📦 Every merge to main will trigger an npm publish.

The version is incremented from the latest release based on the commit messages:

  • If the string BREAKING CHANGE is found anywhere in any of the commit messages or descriptions the major version will be incremented
  • If a commit message begins with the string feat then the minor version will be increased, such as feature: new API
  • All other changes will increment the patch version.