Salesforce CLI offers several authorization methods. Below, I describe how to use each of them.
auth:web:login 🌐
Web login is the easiest authorization method.
To authorize an org, just run the following command:
sfdx force:auth:web:login -r https://test.salesforce.com -a YourOrgAliasName
(for sandbox)
sfdx force:auth:web:login -a YourOrgAliasName
(for production)
Your default browser should automatically open the Salesforce login page. Once you have logged in, you'll get a page asking you to allow access for the Salesforce CLI.
After clicking Allow, you should get the message below in the terminal
Successfully authorized ☑️
auth:sfdxurl:store 🔗
The sfdxurl store method is based on an existing authorization. Imagine you have already authorized an org on machine A. Run the org:display command:
sfdx force:org:display -a YourExistingOrgAliasName
You can construct the sfdxurl file from its output.
The file must have one of the following formats:
force://<AccessToken>@<instanceUrl>
force://<clientId>::<AccessToken>@<instanceUrl>
You can also display the constructed sfdxurl using the verbose mode
sfdx force:org:display -a YourExistingOrgAliasName --verbose
The “Sfdx Auth Url” should show in the output
Save the sfdxurl to a file and copy it to machine B, then run the sfdxurl:store command to authorize the same org without using a username/password
sfdx force:auth:sfdxurl:store -f ./sfdxurl.txt -a YourOrgAliasName
Successfully authorized ☑️
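An added example (not from the original post or from the Salesforce CLI): a pre-flight check for the sfdxurl.txt file before it is copied to machine B, since that file holds a token that authorizes the org without a username/password. It parses the two formats listed above, flags file permissions that let other users read the token, and produces a redacted form for logs. The function names and the sample value are assumptions made up for this example.

```python
import os
import stat

def parse_sfdxurl(text):
    """Split an sfdxurl into fields; raise ValueError if it matches neither format."""
    text = text.strip()
    if not text.startswith("force://"):
        raise ValueError("must start with force://")
    creds, sep, instance = text[len("force://"):].rpartition("@")
    parts = creds.split(":")
    if not sep or not instance or len(parts) not in (1, 3) or not parts[-1]:
        raise ValueError("expected force://<token>@<instanceUrl> or "
                         "force://<clientId>::<token>@<instanceUrl>")
    if len(parts) == 3 and not parts[0]:
        raise ValueError("empty client id")
    client_id = parts[0] if len(parts) == 3 else None
    return {"client_id": client_id, "token": parts[-1], "instance_url": instance}

def redact(text):
    """Return a form that is safe to log: the token is replaced, the rest kept."""
    f = parse_sfdxurl(text)
    prefix = f["client_id"] + "::" if f["client_id"] else ""
    return "force://" + prefix + "<redacted>@" + f["instance_url"]

def audit_sfdxurl_file(path):
    """Return a list of findings for an sfdxurl file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %o lets group/other access the token" % mode)
    with open(path) as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    if len(lines) != 1:
        findings.append("expected exactly one sfdxurl line, found %d" % len(lines))
    for ln in lines:
        try:
            parse_sfdxurl(ln)
        except ValueError as exc:
            findings.append("malformed sfdxurl: %s" % exc)
    return findings

# Constructed sample value, not a real credential.
SAMPLE = "force://EXAMPLE_CLIENT_ID::EXAMPLE_TOKEN_0001@example.my.salesforce.com"

if __name__ == "__main__":
    print(parse_sfdxurl(SAMPLE))
    print(redact(SAMPLE))
```

Run audit_sfdxurl_file("./sfdxurl.txt") on machine A before the copy and again on machine B before sfdxurl:store; delete the file once the org is authorized.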
auth:jwt:grant ⚙️
This is the most tedious authorization method to set up. It's used to authorize an app on a server without the need for a browser.
1- Create a private key and a self-signed digital certificate
Create a folder to hold all the files that will be generated
mkdir JWT
cd JWT
Generate a private key and store it in server.key file
openssl genrsa -des3 -passout pass:X -out server.pass.key 2048
openssl rsa -passin pass:X -in server.pass.key -out server.key
Remove the server.pass.key file
rm server.pass.key
Generate a certificate signing request using the server.key file
openssl req -new -key server.key -out server.csr
Generate a self-signed digital certificate from the server.key and server.csr files
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
The server.crt file will be used to create the connected app
2 — Create a connected app
Let’s create a connected app for Jenkins
Click “Enable OAuth Settings” and “Use digital signatures”
Upload the server.crt file generated in step 1 as the digital signature for the connected app
Save the connected app, then click Manage
In the “OAuth Policies” section, set Permitted Users to “Admin approved users are pre-authorized”
Add the profiles or permission sets that you want to pre-approve in the “Manage Profiles” and “Manage Permission Sets” sections
Authorize your org as one of the pre-approved users, passing that user as {username} (add -r https://test.salesforce.com for a sandbox)
sfdx force:auth:jwt:grant -i {clientId} -u {username} -f ./JWT/server.key -a YourOrgAliasName
Successfully authorized ☑️
auth:device:login 📟
This is the new authorization method introduced by Salesforce in the Summer 19 release
Create a connected app without a digital signature
Make sure to enable the Device Flow
Run the following command to authorize your org (add -r https://test.salesforce.com for a sandbox)
sfdx force:auth:device:login -i {clientId} -a YourOrgAliasName
Input the connected app secret (Consumer Secret)
Access the setup connect URL
Input the user code, then log in to your org
Successfully authorized ☑️