Create an External Client App in Your Org
In the following steps, the ones marked (Required for JWT) are required only if you're creating an external client app to use with the org login jwt command. In this case, you also need a file that contains a digital certificate, such as server.crt. You can use your own private key and a certificate issued by a certificate authority, or you can use OpenSSL to create a key and a self-signed certificate. See Create a Private Key and Self-Signed Digital Certificate. Only the certificate is uploaded to the external client app; the private key stays on the machine that runs Salesforce CLI, so protect it the way you would a password.
The steps marked (Required for JWT) are optional if you're creating an external client app to use with org login web.
- Log in to your org.
- From the Quick Find box in Setup, enter App Manager, then click App Manager.
- Click New External Client App.
- Update the basic information as needed, such as the external client app name and your contact email address.
- Under API (Enable OAuth Settings), click Enable OAuth.
- Under App Settings, in the Callback URL box, enter http://localhost:1717/OauthRedirect.
  The callback URL must match the address that Salesforce CLI listens on exactly, including the host name localhost and the /OauthRedirect path. If port 1717 (the default) is already in use on your local machine, specify an available one instead. Then update your sfdx-project.json file by setting the oauthLocalPort property to the new port. For example, if you set the callback URL to http://localhost:1919/OauthRedirect:
  "oauthLocalPort": "1919"
In the OAuth Scopes section, select these scopes:
- Manage user data via APIs (api)
- Manage user data via Web browsers (web)
- Perform requests at any time (refresh_token, offline_access)
- (Required for JWT) In the Flow Enablement section, select Enable JWT Bearer Flow.
- (Required for JWT) Click Upload Files and upload the file that contains your digital certificate, such as server.crt.
- Click Create.
  The basic external client app is created and enabled, and you see the page to manage your new external client app. However, you must further configure the external client app to use it with Salesforce CLI.
- Click Edit.
- (Required for JWT, including substeps) Click the Policies tab.
- Open OAuth Policies.
- In the Plugin Policies section, set Permitted Users to Admin approved users are pre-authorized.
- Click OK.
- In the App Policies section, select the profiles that are pre-authorized to use this external client app. Similarly, select the permission sets. Create the profiles or permission sets if necessary.
- If you're not already on the Policies tab, click it.
- In the App Authorization section, under OAuth Policies, click Expire refresh token after a specific time.
- In the Refresh Token Validity Period box, enter 90. For Refresh Token Validity Unit, select Day(s).
  Setting a maximum of 90 days for the refresh token expiration is a security best practice: a refresh token that leaks from a developer machine is usable only until it expires. To continue running CLI commands against an org whose refresh tokens have expired, reauthorize it with the org login web or org login jwt command.
- In the Session Timeout in Minutes box, enter 15.
  Setting a timeout for access tokens is a security best practice. Salesforce CLI automatically handles an expired access token by using the refresh token to obtain a new one, so the short timeout doesn't interrupt your work.
- Click Save.
Your external client app is ready to use.
Get and Use the Consumer Key and Secret
- Log in to your org.
- From the Quick Find box in Setup, enter App Manager, and then click External Client App Manager.
- Click your external client app.
- Click the Settings tab.
- Open OAuth Settings and click Consumer Key and Secret.
  The Verify Your Identity web page opens.
- Check your email for a verification code, and then copy and paste the code in the Verify Your Identity web page.
- Click Verify.
- Click Copy next to Consumer Key.
  Depending on whether you've specified that it's required, also copy the Consumer Secret. Treat the consumer secret like a password: don't commit it to source control or paste it into shared scripts.
  Pass the consumer key as the --client-id value when you log in. For example, to authorize a Dev Hub org with the web flow:
  sf org login web --client-id 04580y4051234051 --set-default-dev-hub --alias my-hub-org
  If you specified in the external client app that the Web Server Flow requires a client (consumer) secret, the command prompts you for it. The command then opens the login page for you to add your org credentials.
See the reference for org login web and org login jwt for more examples.
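The JWT path end to end, as an added example that is not Salesforce's own code: it generates the private key and self-signed certificate that the (Required for JWT) steps above need, checks that the key on disk actually matches the certificate you uploaded (a mismatch is the usual cause of an invalid-assertion error at login), and then runs org login jwt or org login web with the consumer key. The consumer key, username, alias and file paths are placeholders; the single openssl req command is an assumed shortcut for the separate key and certificate steps in Create a Private Key and Self-Signed Digital Certificate, and the key/certificate comparison is an added check, not something the CLI does for you.

```shell
#!/bin/sh
# Added example (not Salesforce's code). Generates the JWT bearer flow key pair,
# verifies key and certificate belong together, then authorizes the org.
set -e

# Create a 2048-bit RSA private key and a self-signed certificate in one step.
# Upload the .crt file to the external client app; the .key file stays local.
make_jwt_cert() {
  key="$1"; crt="$2"; cn="${3:-localhost}"   # cn is a placeholder subject name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$key" -out "$crt" -subj "/CN=$cn" 2>/dev/null
  chmod 600 "$key"   # the private key is as sensitive as a password
}

# Return success only if the public key inside the certificate is the one
# derived from the private key. Both commands print the same PEM public key
# when they match, so a plain string comparison is enough.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# JWT bearer flow: no browser, no consumer secret, signed with the private key.
# The user must be pre-authorized via the profile or permission set policies.
# For a sandbox add: --instance-url https://test.salesforce.com
jwt_login() {
  client_id="$1"; username="$2"; key="$3"; crt="$4"; alias="$5"
  if ! key_matches_cert "$key" "$crt"; then
    echo "refusing to log in: $key does not match the uploaded certificate $crt" >&2
    return 1
  fi
  sf org login jwt --client-id "$client_id" --username "$username" \
    --jwt-key-file "$key" --alias "$alias" --set-default-dev-hub
  sf org display --target-org "$alias"   # confirm the authorization worked
}

# Web server flow with the same external client app: the CLI opens a browser
# and listens on the callback URL (http://localhost:1717/OauthRedirect unless
# oauthLocalPort is set in sfdx-project.json). Prompts for the secret if required.
web_login() {
  client_id="$1"; alias="$2"
  sf org login web --client-id "$client_id" --alias "$alias" --set-default-dev-hub
}

# Usage (all values are placeholders):
#   sh jwt-setup.sh 04580y4051234051 jdoe@example.org ./server.key ./server.crt my-hub-org
if [ "$#" -eq 5 ]; then
  [ -f "$3" ] || make_jwt_cert "$3" "$4"
  jwt_login "$@"
fi
```

Run make_jwt_cert once, upload the resulting .crt in the (Required for JWT) upload step, and keep the .key file out of source control; jwt_login refuses to proceed if the key and certificate were generated separately and no longer match.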