Oauth Authorization flows in Salesforce

Join us and learn about Oauth authorization flow in Salesforce. This session will cover Oauth Web Server flow and Oauth JWT Bearer token flow. Join us to learn about Oauth Authorization flows in Salesforce.

YouTube video

Session Agenda

  • Creating Connected App and Managing Connected App usage
  • Oauth Web Server flow (walkthrough with Postman)
  • Oauth JWT Bearer token flow (walkthrough with postman)
  • Oauth JWT Bearer token flow (apex code walkthrough to integrate one salesforce org to another using JWT Bearer flow)

Connected App

A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. Connected apps use these protocols to authenticate, authorize, and provide single sign-on (SSO) for external apps.

Oauth Webserver Flow

The external web service—via the connected app—posts an authorization code request using the authorization code grant type to the Salesforce authorization endpoint.

With an authorization code, the connected app can prove that it’s been authorized as a safe site visitor and has permission to request an access token.

Steps involved in Web Server Flow

  • https://login.salesforce.com/services/oauth2/authorize?client_id=xxx&redirect_uri=https://login.salesforce.com/oauth2/callback&response_type=code
  • Endpoint for access token: https://login.salesforce.com/services/oauth2/token

Oauth JWT Bearer Token Flow

This is used for server-to-server integration scenarios. This flow uses a certificate to sign the JWT request and doesn’t require explicit
user interaction. However, this flow does require prior approval of the client app

Please note this flow never issues a refresh token.

JWT Structure

Header -{“alg”:”RS256″}

Payload (This contains claims information, which is an object containing information about the user and additional data. Claims are set using parameters-“Iss,aud, sub,exp”)


<headerbase64encodedurl>.<claimsbase64encodedclaims>.<signature(usesalgorithm like RS 256)>

Apex Code without Named Credentials

Auth.JWT jwt = new Auth.JWT();
jwt.setSub('[email protected]');

jwt.setAud('https://login.salesforce.com'); jwt.setIss('connected app client
id');Auth.JWS jws = new Auth.JWS(jwt,’Certificate keystore name’);String token =
jws.getCompactSerialization();String tokenEndpoint ='https://login.salesforce.com/services/oauth2/token';
//POST the JWT bearer token

Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(tokenEndpoint, jws);

//Get the access token
String accessToken = bearer.getAccessToken();
system.debug('Access Token-->'+accessToken);

Apex Code with Named Credentials

String service_limits='/services/data/v48.0/sobjects/Account/listviews/';

HttpRequest req = new HttpRequest();
Http http = new Http();
HTTPResponse res = http.send(req);

Learn more about Salesforce OAuth 2.0 JWT Bearer flow.

Some Useful commands

Some Useful commands to convert .crt to keystore to store in SFDC

  • openssl pkcs12 -export -in server.crt -inkey server.pem -out testkeystore.p12
  • keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS
  • keytool -keystore //servercert.jks -changealias -alias 1 -destalias salesforcetest


If you like this session and blog, then please share your feedback. I hope this helped you to understand the Oauth Authorization flows in Salesforce.

Amit Chaudhary
Amit Chaudhary

Amit Chaudhary is Salesforce Application & System Architect and working on Salesforce Platform since 2010. He is Salesforce MVP since 2017 and have 17 Salesforce Certificates.

He is a active blogger and founder of Apex Hours.

Articles: 461


  1. Hi all content are usable but my scenario to get an access token is different we need to get the access token under the managed package application class connected app will be a part of the managed package to the time of executing the manage package class need to generate an access token and use further can you please suggest a batter way

Leave a Reply

Your email address will not be published. Required fields are marked *