• Sathish Balaji

Authenticate Salesforce from Golang using connected app JWT bearer token flow


Adoption of golang as backend programming language is increasing exponentially due to its Concurrency power, lightweightedness, scalability and much more.

And thus grows the need to integrate with salesforce CRM. There are a lot of ways to authenticate against salesforce from an external application using connected apps; though this article focuses only on JWT OAuth Bearer flow.

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

Unlike normal OAuth flows, this flow does not require interactive authentication and hence is useful to communicate between server to server.


Create a x509 self signed certificate

  1. Generate an RSA private key

openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048

2. Generate a pass key with the server.pass.key from above step

openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key

3. Generate the certificate

openssl req -new -key server.key -out server.csr

Enter all the required information which will be prompted from this step.

4. Generate the SSL certificate — final

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
  • -days indicate the no of days until this certificate the valid.

  • x509 denotes that this certificate is self-signed and not from a CA

server.key is maintained in Go app

server.crt is used as a digital signature in salesforce connected app


Create a connected app in salesforce

In your salesforce org,

  1. From Setup, enter App Manager in the Quick Find box, then select App Manager.

  2. Click New Connected App.

  3. Enter the connected app name and your email address:

  4. Select Enable OAuth Settings.

  5. Select Enable for Device Flow. Enabling this will auto populate the callback URL as device flows doesn’t require them.

  6. Enable Use digital signatures. Upload the server.crt file for this digital signature.

  7. Under Selected OAuth Scopes, select all scopes that apply**.

  8. Click Save.

** Be cautious when selecting scopes as the external application can literally peek into everything depending on the scopes you choose.


Copy the Consumer key which will be used by your Go app. Consumer keys are unique across salesforce ecosystem. Which means once you create a connected app in one org, it can be reused elsewhere instead of recreating it, which will create a different consumer key.


Click on Manage Policies button


There are 2 kinds of authorization for this connected app.

  1. Permitted users — All users may self-authorize When this option is set, any authentication with the connected app must be approved before by the user else salesforce throws an error while authenticating with message — ‘User hasn’t approved this consumer’.

  2. Permitted users — Admin approved users are pre-authorized When this option is set, you need to choose any profile or permission sets and the users who are assigned to it can authenticate with salesforce without any prior approval. Attention required — Consumer key and the server.key files are the only resources needed to break open into any org using this connected app, hence they are extremely confidential.

Now that connected app is ready we can start developing Go code to access salesforce.


Create authentication requests in Go

Get the library — github.com/dgrijalva/jwt-go for JWT operations

go get github.com/dgrijalva/jwt-go

Rename the server.key to private_key.pem and place it in root directory of you golang app.


Copy the below gist to your source code — preferably inside a folder called ‘authentication’. If you place this file in any folder/subdirectory, also move the private_key.pem along with it or use a relative path to the pem file.


https://gist.github.com/bsathishciv/cee4069ac807ff77fe19274e41b856e4#file-authenticate-go


Now import authentication package and start requesting access token like below

package xxxxximport ( 
    sf "<directory>/authentication"
    "net/http")func xxxx(){    sfRequest := sf.AuthenticationRequest{
      "https://test.salesforce.com",      "sbalaji@myorg.com",
    }    authReponse, err := sf.Authenicate(sfRequest,   http.DefaultClient)    accessToken := authReponse.GetToken()}

Now with the access token, you can access any resource from salesforce provided the scope permits to access that.


When you have tested this connected app and want to use in different organizations, do not create one in every org. Doing so will generate a new consumer key and secret everytime.


This connected app needs to be shipped so as to preserve the consumer key and consumer secret. Please comment below if you want a detailed article on how connected apps works including shipping it in a managed package.

Happy exploring…
0 comments