
OAuth Authorization Flows in Salesforce

Join us and learn about OAuth authorization flows in Salesforce. In this session we will cover the OAuth Web Server flow and the OAuth JWT Bearer Token flow.


  • Creating a Connected App and managing Connected App usage
  • OAuth Web Server flow (walkthrough with Postman)
  • OAuth JWT Bearer Token flow (walkthrough with Postman)
  • OAuth JWT Bearer Token flow (Apex code walkthrough to integrate one Salesforce org with another using the JWT Bearer flow)

Connected App

A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. Connected apps use these protocols to authenticate, authorize and provide single sign-on (SSO) for external apps.

OAuth Web Server Flow

The external web service—via the connected app—posts an authorization code request using the authorization code grant type to the Salesforce authorization endpoint.

With an authorization code, the connected app can prove that it’s been authorized as a safe visitor to the site and that it has permission to request an access token.

Steps involved in Web Server Flow

  • Endpoint for authorization code: https://login.salesforce.com/services/oauth2/authorize?client_id=xxx&redirect_uri=https://login.salesforce.com/oauth2/callback&response_type=code
  • Endpoint for access token: https://login.salesforce.com/services/oauth2/token
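The two steps above as an added example (not code from the original session). It goes beyond the listed steps by adding the standard OAuth `state` parameter (RFC 6749) and PKCE `code_challenge` / `code_verifier` (RFC 7636), which bind the callback and the code exchange to the session that started the flow. The function names, the session dictionary and the sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def start_authorization(client_id, redirect_uri):
    """Step 1: build the browser redirect and the values to keep in the server-side session."""
    state = secrets.token_urlsafe(32)       # ties the callback to this browser session
    verifier = secrets.token_urlsafe(64)    # PKCE secret, never sent in the redirect
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url, session):
    """Step 2: validate the redirect back to the app and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization denied: " + params["error"][0])
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the callback was not started by this session
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(code, session, client_id, client_secret, redirect_uri):
    """Step 3: form body to POST to TOKEN_URL (server side only, over TLS)."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code_verifier": session["code_verifier"],
    })
```

The returned body is sent as `application/x-www-form-urlencoded`; the client secret and the code verifier stay on the server and never appear in a browser URL.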

OAuth JWT Bearer Token Flow

This flow is used for server-to-server integration scenarios. It uses a certificate to sign the JWT request and doesn't require explicit user interaction. However, it does require prior approval of the client app.

Please note that this flow never issues a refresh token.

JWT Structure

Header - {"alg":"RS256"}

Payload (This contains claims information, which is an object containing information about the user and additional data. Claims are set using


<header, base64url-encoded>.<claims, base64url-encoded>.<signature (uses an algorithm like RS256)>

Apex Code without Named Credentials

// Build the claims: sub = user to act as, aud = login URL, iss = connected app client id
Auth.JWT jwt = new Auth.JWT();
jwt.setSub('[email protected]');
jwt.setAud('https://login.salesforce.com');
jwt.setIss('connected app client id');

// Sign the JWT with the certificate stored in the org
Auth.JWS jws = new Auth.JWS(jwt, 'Certificate keystore name');
String token = jws.getCompactSerialization();
String tokenEndpoint = 'https://login.salesforce.com/services/oauth2/token';

// POST the JWT bearer token
Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(tokenEndpoint, jws);

// Get the access token
String accessToken = bearer.getAccessToken();
// Demo only: outside a walkthrough, keep access tokens out of debug logs
System.debug('Access Token-->' + accessToken);

Apex Code with Named Credentials

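String service_limits = '/services/data/v48.0/sobjects/Account/listviews/';

HttpRequest req = new HttpRequest();
// 'My_Named_Credential' is a placeholder: use the name of your own Named Credential
req.setEndpoint('callout:My_Named_Credential' + service_limits);
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);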


YouTube video
Date     : Sat, OCT 24, 2020 10:00 AM EST (7:30 PM IST)
Speaker  :  Debarun Sengupta
Where : Apex Hours YouTube

Some useful commands to convert a .crt to a keystore to store in SFDC

  • openssl pkcs12 -export -in server.crt -inkey server.pem -out testkeystore.p12
  • keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS
  • keytool -keystore //servercert.jks -changealias -alias 1 -destalias salesforcetest

If you like this session and blog then please share your feedback.

Amit Chaudhary

Amit Chaudhary is a Salesforce Application & System Architect who has been working on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and has 17 Salesforce Certificates.

He is an active blogger and the founder of Apex Hours.



  1. Hi, all the content is usable, but my scenario to get an access token is different. We need to get the access token under the managed package application class; the connected app will be a part of the managed package. At the time of executing the managed package class, we need to generate an access token and use it further. Can you please suggest a better way?
