How To Setup OAuth JWT in the Salesforce Connector
Learn the steps required to connect a Mule application to Salesforce using the Salesforce connector with the OAuth JWT flow.
In this post, we'll explain all the steps required to connect a Mule application to Salesforce using the Salesforce connector with the OAuth JWT flow. You can also create your own certificate for the OAuth JWT flow with Salesforce or with OpenSSL (signed by a CA or self-signed). Both options are very well explained in the video at the conclusion of the article from Stefano Bernardini, MuleSoft Ambassador.
In this post, we'll be using a self-signed certificate created by Salesforce, but keep in mind that for production environments a certificate issued by a trusted Certificate Authority is always recommended.
1. Create the Certificate
- Start from our Salesforce org.
- Go to Setup > Certificate and Key Management.
- Click on Create Self-Signed Certificate.
- Provide a name for our certificate. In our case, we'll name it mule_jwt_cert.
- After you click on Save, the certificate will be created, and in the next window you'll get the details of your certificate.
- Click on Download Certificate and save it to a separate folder. We'll use it later.
- Go back to the Certificate and Key Management page. We should now see our certificate in the list of certificates.
- From there, we'll export our certificate to a keystore. Click on Export to Keystore.
- Provide a password for your keystore and remember it. We'll use it later to set up the JWT auth in the Mule app.
- You'll get a .jks file. Save it to our separate folder.
- This .jks should contain:
  - The certificate
  - The private key
  - The public key
- We can verify that with KeyStore Explorer, for example.
2. Create the Connected App in Salesforce
- Start in your Salesforce org.
- To create the Connected App, we'll go to Setup > App Manager (use Finder).
- Click on New Connected App in the top right corner.
- In the configuration of our New Connected App:
  - Provide a name for the app. In this example, we'll name it mule_jwt_sf_connected_app.
  - Provide an email and phone for Contact Email and Contact Phone. These values are only for auditing purposes; they are not used in any further configuration.
  - Select Enable OAuth Settings.
  - Provide a Callback URL. In this case it can be anything, as we'll not use it for this OAuth flow. For this example, we'll just use http://localhost:8081/callback.
  - Select Use digital signatures and upload the certificate we downloaded before.
  - In Selected OAuth Scopes, select the following ones:
    - Manage user data via APIs (API)
    - Perform requests at any time (refresh_token, offline_access)
  - Leave the rest of the values at their defaults. Click Save at the bottom of the page.
- App Manager will inform you that it can take up to 10 minutes for your connected app to be ready. Click on Continue.
- In the next window, within the details of our connected app, go to the API (Enable OAuth Settings) section and click on Manage Consumer Details.
- You'll be prompted to Verify Your Identity: enter the verification code that has been sent to your email. You should then see the Consumer Key and Consumer Secret of our connected app.
- Copy the Consumer Key. We'll use it later in the Mule app.
- Go back to Setup > App Manager, find our Connected App in the list of apps and click on Manage in the right-hand dropdown.
- From here, click on Edit Policies.
- In Permitted Users, select "Admin approved users are pre-authorized", and click Save.
- Back on the Manage Connected App page, scroll down to the Profiles section and click Manage Profiles.
- In the list of profiles, select the profile that should have access to this connected app. For the purpose of this example we're using a System Admin profile, but you should use a profile with the minimum permissions required for your use case. Depending on that use case you might need only a technical user, or you might need to impersonate a real user, allowing all the users associated with this profile to propagate their identity down to the Mule app.
3. Create the Mule App
- From the Studio, create a New Mule Project.
- In the Mule Palette, add the Salesforce Module connector.
Design the Flow
- Drag and drop the following elements (see screenshot for details of the flow):
  - A Listener
  - 2 Loggers, before and after the Salesforce Query
  - A Salesforce Query from the Salesforce Connector
  - A Transform Message to convert the outcome of the flow to JSON
Upload the Key Store
- Right-click on the project name and select Show In > System Explorer. That should open an explorer window in the main folder of our project.
- From there, go to Resources and copy the .jks file of our keystore into that folder.
- Back in Studio, right-click again on the name of our project and click Refresh. We should now see our keystore under the src/main/resources folder.
HTTP Listener
- Our Mule app will be listening on port 8081.
- Our endpoint will be /accounts.
Loggers
- As a best practice, we'll add a logger before and after the Salesforce connector query.
Salesforce Connector Query
- Go to the Global Elements tab and create a new Salesforce Config for the connector.
- Provide a descriptive name for the Configuration.
- In the Connection dropdown, select OAuth JWT.
- Provide the following details in the General tab:
  - Consumer Key: paste the consumer key of our Salesforce Connected App.
  - Key store: enter the name of the .jks file. If you're using a different path for your key store, you can use the three-dots button and navigate to that location.
  - Store Password: provide the password of our keystore.
  - Principal: the username (email) of the user we will use to connect to the Connected App. This user needs to be assigned to the Profile(s) we associated with the Connected App in the previous step.
  - Token Endpoint:
    - For Trial/Prod accounts: https://login.salesforce.com/services/oauth2/token
    - For Sandbox accounts: https://test.salesforce.com/services/oauth2/token
- Click on Test Connection:
  - If you see an error here, go back to our Salesforce Connected App and review:
    - The profiles allowed to use the app
    - Whether "Admin approved users are pre-authorized" is selected under Permitted Users
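What the connector does with those settings, as an added shell example that is not part of the original article and not the connector's own code: it builds the RS256-signed JWT bearer assertion the same way the OAuth JWT connection does (iss = Consumer Key, sub = Principal, aud = the login host of the Token Endpoint, a 3-minute exp), signs it with a throwaway key generated in place of the private key in the .jks, checks it against the matching public key, and shows the form body sent to the Token Endpoint. It assumes `openssl` is installed; the consumer key and principal are constructed placeholders.

```shell
set -e
# Constructed placeholders for the Connected App's Consumer Key and the pre-authorized
# user (Principal); the token endpoint is the production one from the article
CONSUMER_KEY="CONSTRUCTED_CONSUMER_KEY"
PRINCIPAL="integration.user@example.com"
TOKEN_ENDPOINT="https://login.salesforce.com/services/oauth2/token"
AUDIENCE=${TOKEN_ENDPOINT%/services/oauth2/token}   # aud is the login host, not the full URL
WORK=$(mktemp -d)

# JWT segments are base64url without padding (RFC 7515)
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}
# Throwaway RSA key pair; in the Mule app the private key lives in the .jks keystore
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$1.pub" 2>/dev/null
}
# make_assertion <private-key.pem>: prints the RS256-signed JWT the connector sends.
# iss = Consumer Key, sub = Principal, aud = login host; Salesforce rejects an exp more
# than 3 minutes in the future, so the assertion is short-lived by design.
make_assertion() {
  now=$(date +%s)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%d}' \
    "$CONSUMER_KEY" "$PRINCIPAL" "$AUDIENCE" "$((now + 180))")
  signing_input="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' "$claims" | b64url)"
  signature=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s' "$signing_input" "$signature"
}
# verify_assertion <jwt> <public-key.pem>: exit 0 only if the signature covers exactly the
# header and claims presented, which is what Salesforce checks with the uploaded certificate
verify_assertion() {
  printf '%s' "${1##*.}" | b64url_decode > "$WORK/sig.bin"
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" -signature "$WORK/sig.bin" >/dev/null 2>&1
}
# token_request_body <jwt>: the form body POSTed to Token Endpoint; no client secret is
# sent, the private key behind the .jks is the credential
token_request_body() {
  printf 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=%s' "$1"
}

KEY="$WORK/sf_jwt_key.pem"
gen_key "$KEY"
JWT=$(make_assertion "$KEY")
echo "claims: $(printf '%s' "$JWT" | cut -d. -f2 | b64url_decode)"
verify_assertion "$JWT" "$KEY.pub" && echo "signature verifies with the matching public key"
echo "POST to $TOKEN_ENDPOINT: $(token_request_body "$JWT")"
```

Only the public certificate is uploaded to the Connected App, so anyone holding the .jks and its password can mint assertions for every user pre-authorized through the profile; guard the keystore password as you would the Consumer Secret of any other flow.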
- Once we’ve got the configuration of the connector and how it will authenticate with JWT, let’s set up the Query.
- Click on the Query element and enter the following configuration in the Properties tab:
  - Enter a descriptive name in Display Name. In our example, Get Accounts.
  - In Connector Configuration, pick the Salesforce Config global element we've just defined in the previous step.
  - In Salesforce Query, enter the SOQL query to get the information we want from Salesforce. In our case, it's just a query to get Accounts.
Transformation
- The output from Salesforce will be in Java format. We'll add a transformation element to translate that to JSON, so that our API provides responses in JSON.
- In the transform element, just add the following in the Output:

```dataweave
%dw 2.0
output application/json
---
payload
```

- This will just convert the records coming from Salesforce in Java format to JSON.
4. Test the App
- From Studio, right-click on the designer canvas and click Run project, which will deploy our app locally.
- From our testing tool (here we use Postman), send a GET to http://localhost:8081/accounts.
- If everything goes well, we should get the list of account records.
In the next post, we'll be adding mTLS to this configuration.
Video
Published at DZone with permission of GONZALO MARCOS. See the original article here.