๐ฏ The Problem
When integrating MuleSoft with Salesforce, you need secure, automated authentication without storing usernames and passwords. Traditional username-password authentication poses several challenges:
- Security risks of storing credentials
- Password expiration issues
- Two-factor authentication complications
- Difficulty managing authentication in production environments
โ ๏ธ Common Mistake: Many developers initially try using username-password authentication, which leads to maintenance nightmares when passwords expire or 2FA is enforced.
๐ก Solution Overview
OAuth 2.0 JWT Bearer Token Flow provides a secure, automated authentication method that:
- Uses certificate-based authentication
- Doesn't require user interaction
- Works with Salesforce security policies
- Provides refresh token capabilities
๐ก Key Concept: JWT (JSON Web Token) Bearer Flow uses a signed token instead of passwords, making it ideal for server-to-server integrations.
๐ Prerequisites
Before starting, ensure you have:
- Salesforce Developer/Production org with API access
- System Administrator profile or equivalent permissions
- MuleSoft Anypoint Platform account
- Basic understanding of SSL certificates
- OpenSSL installed (for certificate generation)
๐ง Salesforce Connected App Setup
Step 1: Generate Self-Signed Certificate
First, generate a private key and certificate using OpenSSL:
# Generate private key
openssl genrsa -out server.key 2048
# Generate certificate signing request
openssl req -new -key server.key -out server.csr
# Generate self-signed certificate (valid for 365 days)
openssl x509 -req -sha256 -days 365 -in server.csr \
-signkey server.key -out server.crt
โ
Pro Tip: Store these files securely! You'll need server.key for MuleSoft and server.crt for Salesforce.
Step 2: Create Connected App in Salesforce
- Navigate to Setup โ App Manager โ New Connected App
- Fill in basic information:
- Connected App Name: "MuleSoft Integration"
- API Name: Auto-generated
- Contact Email: your email
- Enable OAuth Settings:
- Check "Enable OAuth Settings"
- Callback URL:
https://login.salesforce.com - Check "Use digital signatures"
- Upload your
server.crtfile
- Selected OAuth Scopes:
- Full access (full)
- Perform requests on your behalf at any time (refresh_token, offline_access)
Step 3: Configure Connected App Policies
After creating the Connected App:
- Click Manage on your Connected App
- Click Edit Policies
- Set "Permitted Users" to Admin approved users are pre-authorized
- Set IP Relaxation to Relax IP restrictions
- Save changes
Step 4: Pre-authorize Users
- From the Connected App, click Manage Profiles
- Select profiles that will use this integration (e.g., System Administrator)
- Save
๐ Note: Save the Consumer Key (Client ID) from the Connected App - you'll need it for MuleSoft configuration.
โ๏ธ MuleSoft Configuration
Step 1: Add Salesforce Connector
In your Mule project, add the Salesforce connector dependency:
<dependency>
<groupId>com.mulesoft.connectors</groupId>
<artifactId>mule-salesforce-connector</artifactId>
<version>10.18.0</version>
<classifier>mule-plugin</classifier>
</dependency>Step 2: Configure Global Salesforce Configuration
Create a global configuration with JWT Bearer authentication:
<salesforce:sfdc-config name="Salesforce_Config">
<salesforce:jwt-bearer-connection
consumerKey="${sfdc.consumerKey}"
keyStore="${sfdc.keystore.path}"
storePassword="${sfdc.keystore.password}"
principal="${sfdc.username}"
tokenEndpoint="${sfdc.token.endpoint}" />
</salesforce:sfdc-config>Step 3: Configure Properties File
Add these properties to your config.yaml or properties file:
sfdc:
consumerKey: "YOUR_CONSUMER_KEY_FROM_CONNECTED_APP"
keystore:
path: "certificates/server.key"
password: ""
username: "your.salesforce.username@company.com"
token:
endpoint: "https://login.salesforce.com/services/oauth2/token"
โ ๏ธ Security Warning: Never commit certificates or keys to version control. Use CloudHub properties or secure vaults for production.
Step 4: Test the Connection
Create a simple flow to test authentication:
<flow name="test-salesforce-auth">
<http:listener config-ref="HTTP_Listener" path="/test"/>
<salesforce:query config-ref="Salesforce_Config">
<salesforce:salesforce-query>
SELECT Id, Name FROM Account LIMIT 1
</salesforce:salesforce-query>
</salesforce:query>
<ee:transform>
<ee:message>
<ee:set-payload><![CDATA[
%dw 2.0
output application/json
---
{
message: "Connected successfully!",
accountCount: sizeOf(payload)
}
]]></ee:set-payload>
</ee:message>
</ee:transform>
</flow>๐งช Testing the Integration
- Deploy your MuleSoft application
- Call the test endpoint:
http://localhost:8081/test - Verify you receive a successful response with account data
๐ Common Issues & Solutions
Error: "invalid_grant: authentication failure"
Cause: User not pre-authorized or incorrect certificate.
Solution:
- Verify the user is added to the Connected App profile/permission set
- Ensure the certificate in Salesforce matches your private key
- Check that the username matches exactly (including sandbox suffix)
Error: "invalid_client_id"
Cause: Incorrect Consumer Key.
Solution: Copy the Consumer Key from Connected App details (not the Consumer Secret).
Error: "Failed to convert PEM to DER"
Cause: Certificate format issue.
Solution: Use the private key (.key file) not the certificate (.crt file) in MuleSoft.
Error: "token endpoint returned 400"
Cause: Wrong token endpoint URL.
Solution:
- Production:
https://login.salesforce.com/services/oauth2/token - Sandbox:
https://test.salesforce.com/services/oauth2/token
โจ Best Practices
1. Certificate Management
- Set certificate expiration reminders (before 365 days)
- Store certificates in secure vaults (CloudHub Secrets Manager)
- Never commit certificates to Git repositories
- Use different certificates for each environment
2. Error Handling
<error-handler>
<on-error-propagate type="SALESFORCE:CONNECTIVITY">
<logger level="ERROR"
message="Salesforce authentication failed: #[error.description]"/>
<!-- Add retry logic or notification here -->
</on-error-propagate>
</error-handler>3. Multiple Environments
Use property files per environment:
config-dev.yaml
config-test.yaml
config-prod.yaml4. Monitoring
- Monitor API call limits in Salesforce
- Set up CloudHub alerts for authentication failures
- Log all authentication attempts
5. Performance
- Use connection pooling for high-volume integrations
- Implement caching for frequently accessed data
- Batch operations when possible to reduce API calls
๐ Congratulations! You now have a secure, production-ready OAuth 2.0 authentication setup between MuleSoft and Salesforce.