Salesforce

Enhanced Advanced

Enable OAuth Settings for API Integration in Salesforce

The Salesforce administrator registers an External Client App in Salesforce and enables OAuth both globally and on the External Client App.

Create External Client App in Salesforce

Configure Global OAuth Settings in Salesforce

Once the Salesforce administrator has registered an external client app, they can configure the app under the “OAuth Settings” dropdown. Allowed scopes for the OAuth application are set here.

The Salesforce administrator must also configure a Callback URL for the external client app under OAuth Settings > App Settings.

The Callback URL is defined as https://connect.example.org/__oauth__/integrations/callback

Note

Replace connect.example.org with the address of the Connect server.

Configure OAuth Settings for External Client App in Salesforce

Viewer OAuth integrations

Confidential apps

When using Confidential authentication, the Connect Administrator must obtain the client ID and client secret, referred to as the consumer key and consumer secret within Salesforce, from the Salesforce administrator. This information is available under OAuth Settings > App Settings (see screenshot above).

Public apps

If your Salesforce infrastructure is in a secure environment and your Salesforce administrator would prefer to use Public authentication, then the External Client App within Salesforce must not have “Require secret for Web Server Flow” or “Require secret for Refresh Token Flow” set within the External Client App OAuth Settings. Please see the Salesforce OAuth Settings documentation for details.

Service Account OAuth integrations

Salesforce also supports the OAuth 2.0 Client Credentials Flow, which maps onto Service Account OAuth integrations in Connect.

Salesforce’s implementation of the OAuth 2.0 Client Credentials Flow differs slightly from other providers. In particular, administrators should be aware of the following properties when configuring a Service Account integration against Salesforce:

  • Salesforce does not accept scopes as a parameter in the token exchange request. The expected scopes are instead assigned to the connected app. This is why there is no “scope” field when configuring the OAuth integration in Connect. Instead, scopes must be configured by the Salesforce Administrator.
  • Salesforce requires specifying an “integration user”, which is the identity carried by the returned access token. Depending on how the Salesforce environment is configured, this can be a named user instead of a machine account. Administrators should be aware that all applications hosted on Connect using a Salesforce Service Account integration will be executing in Salesforce using the identity of the integration user.

To support Salesforce Service Account integrations in Connect, the Salesforce administrator must perform additional configuration of the OAuth app in Salesforce.

First, under Settings > OAuth Settings > Flow Enablement, the Salesforce Administrator should check the box for “Enable Client Credentials Flow”.

Enable Client Credentials Flow for External Client App in Salesforce

This enables a new “Enable Client Credentials Flow” option under Policies > OAuth Policies > OAuth Flows and External Client App Enhancements. The Salesforce Administrator should enable this option, and select the “integration user” which will be identified by the returned credentials.

Enable Client Credentials Flow Policy in Salesforce

Transfer information to Connect administrator

The Salesforce Administrator shares the following information with the Posit Connect administrator:

Field           Description
sf_host_domain  The host domain for your Salesforce environment.
client_id       The Consumer Key found under OAuth Settings > App Settings > Consumer Key and Secret.
client_secret   The Secret found under OAuth Settings > App Settings > Consumer Key and Secret. Not required for Public Viewer integrations.
scopes          Permissions supported by the OAuth application. Only include scopes required by Connect. Not required for Service Account integrations.

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an OAuth integration through the Integrations tab on the Connect dashboard. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Create Salesforce OAuth Integration within Connect

Alternatively, the example below shows how to create a Confidential Viewer Salesforce OAuth integration using curl and the Connect Server API.

Note

Replace connect.example.org with the address of the Connect server.

curl -H "Authorization: Key ${CONNECT_API_KEY}" \
  -XPOST https://connect.example.org/__api__/v1/oauth/integrations \
  --data '{
    "template": "salesforce",
    "name": "Salesforce OAuth integration",
    "description": "A helpful description for publishers to use when choosing an OAuth integration for their content.",
    "config": {
      "auth_mode": "Confidential",
      "auth_type": "Viewer",
      "client_id": "<client-id>",
      "client_secret": "<client-secret>",
      "scopes": "refresh_token offline_access api web",
      "sf_host_domain": "<sf_host_domain>"
    }
  }'
# 200 OK
# {"guid": "<oauth-integration-guid>", ... }
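As an added example (not part of the Posit documentation or of any Connect client library), the following Python builds the same request body as the curl example above and submits it with a Connect API key, while enforcing the Salesforce-specific rules from the Service Account section: no scopes for Service Account integrations, a client secret required for Confidential Viewer and Service Account integrations, and no secret for Public Viewer integrations. The auth_type value "Service Account" and the sf_host_domain value are assumptions.

```python
import json
import urllib.request

# Constructed placeholder (not from the page); use the domain the Salesforce admin shared.
SF_HOST_DOMAIN = "example.my.salesforce.com"

def build_salesforce_integration(name, description, auth_type, auth_mode,
                                 client_id, client_secret=None, scopes=None,
                                 sf_host_domain=SF_HOST_DOMAIN):
    """Build the JSON body for POST /__api__/v1/oauth/integrations and refuse
    field combinations the Salesforce notes above rule out.
    auth_type "Service Account" is assumed to be the Connect API value for
    service-account integrations ("Viewer" appears on the page)."""
    if auth_type not in ("Viewer", "Service Account"):
        raise ValueError(f"unsupported auth_type: {auth_type}")
    if auth_mode not in ("Confidential", "Public"):
        raise ValueError(f"unsupported auth_mode: {auth_mode}")
    config = {"auth_mode": auth_mode, "auth_type": auth_type,
              "client_id": client_id, "sf_host_domain": sf_host_domain}
    if auth_type == "Service Account":
        # Client credentials flow: scopes live on the External Client App in
        # Salesforce, never in the token request, and a secret is always needed.
        if scopes:
            raise ValueError("Service Account integrations take no scopes")
        if not client_secret:
            raise ValueError("Service Account integrations need client_secret")
        config["client_secret"] = client_secret
    else:
        if not scopes:
            raise ValueError("Viewer integrations need the scopes the app allows")
        config["scopes"] = scopes
        if auth_mode == "Confidential":
            if not client_secret:
                raise ValueError("Confidential Viewer integrations need client_secret")
            config["client_secret"] = client_secret
        elif client_secret:
            raise ValueError("Public Viewer integrations must not carry a secret")
    return {"template": "salesforce", "name": name,
            "description": description, "config": config}

def create_integration(connect_url, api_key, body):
    """POST the body to Connect with a Connect API key; returns the parsed JSON."""
    req = urllib.request.Request(
        f"{connect_url}/__api__/v1/oauth/integrations",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Key {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call create_integration("https://connect.example.org", CONNECT_API_KEY, body) with the built body to reproduce the curl request; the response carries the new integration's guid.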