Sf Connected Apps

1---2name: sf-connected-apps3description: >4  Salesforce Connected Apps and OAuth configuration with 120-point scoring.5  TRIGGER when: user configures OAuth flows, JWT bearer auth, Connected Apps,6  or touches .connectedApp-meta.xml / .eca-meta.xml files.7  DO NOT TRIGGER when: Named Credentials for callouts (use sf-integration),8  permission policies (use sf-permissions), or API endpoint code (use sf-apex).9license: MIT10allowed-tools: Bash Read Write Edit Glob Grep WebFetch AskUserQuestion TodoWrite11metadata:12  version: "1.1.0"13  author: "Jag Valaiyapathy"14  scoring: "120 points across 6 categories"15---16 17# sf-connected-apps: Salesforce Connected Apps & External Client Apps18 19Use this skill when the user needs **OAuth app configuration** in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.20 21## When This Skill Owns the Task22 23Use `sf-connected-apps` when the work involves:24- `.connectedApp-meta.xml` or `.eca-meta.xml` files25- OAuth flow selection and callback / scope setup26- JWT bearer auth, device flow, client credentials, or auth-code decisions27- Connected App vs External Client App architecture choices28- consumer-key / secret / certificate handling strategy29 30Delegate elsewhere when the user is:31- configuring Named Credentials or runtime callouts → [sf-integration](../sf-integration/SKILL.md)32- analyzing access / permission policy assignments → [sf-permissions](../sf-permissions/SKILL.md)33- writing Apex token-handling code → [sf-apex](../sf-apex/SKILL.md)34- deploying metadata to orgs → [sf-deploy](../sf-deploy/SKILL.md)35 36---37 38## First Decision: Connected App or External Client App39 40| If the need is... | Prefer |41|---|---|42| simple single-org OAuth app | Connected App |43| new development with better secret handling | External Client App |44| multi-org / packaging / stronger operational controls | External Client App |45| straightforward legacy compatibility | Connected App |46 47Default guidance:48- choose **ECA** for new regulated, packageable, or automation-heavy solutions49- choose **Connected App** when simplicity and legacy compatibility matter more50- Spring ’26 note: creation of new Connected Apps is disabled by default in orgs. For new integrations, prefer External Client Apps unless Connected App compatibility is explicitly required.51 52---53 54## Required Context to Gather First55 56Ask for or infer:57- app type: Connected App or ECA58- OAuth flow: auth code, PKCE, JWT bearer, device, client credentials59- client type: confidential vs public60- callback URLs / redirect surfaces61- required scopes62- distribution model: local org only vs packageable / multi-org63- whether certificates or secret rotation are required64 65---66 67## Recommended Workflow68 69### 1. Choose the app model70Decide whether a Connected App or ECA is the better long-term fit.71 72### 2. Choose the OAuth flow73| Use case | Default flow |74|---|---|75| backend web app | Authorization Code |76| SPA / mobile / public client | Authorization Code + PKCE |77| server-to-server / CI/CD | JWT Bearer |78| device / CLI auth | Device Flow |79| service account style app | Client Credentials (typically ECA) |80 81### 3. Start from the right template82Use the provided assets instead of building from scratch:83- `assets/connected-app-basic.xml`84- `assets/connected-app-oauth.xml`85- `assets/connected-app-jwt.xml`86- `assets/external-client-app.xml`87- `assets/eca-global-oauth.xml`88- `assets/eca-oauth-settings.xml`89- `assets/eca-policies.xml`90 91If you need source-controlled ECA OAuth security metadata, retrieve it from an org first and treat the retrieved file as the schema source of truth:92- `sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>`93 94### 4. Apply security hardening95Favor:96- least-privilege scopes97- explicit callback URLs98- PKCE for public clients99- certificate-based auth where appropriate100- rotation-ready secret / key handling101- IP restrictions when realistic and maintainable102 103### 5. Validate deployment readiness104Before handoff, confirm:105- metadata file naming is correct106- scopes are justified107- callback and auth model match the real client type108- secrets are not embedded in source109 110---111 112## High-Signal Security Rules113 114Avoid these anti-patterns:115 116| Anti-pattern | Why it fails |117|---|---|118| wildcard / overly broad callback URLs | token interception risk |119| `Full` scope by default | unnecessary privilege |120| PKCE disabled for public clients | code interception risk |121| consumer secret committed to source | credential exposure |122| no rotation / cert strategy for automation | brittle long-term ops |123 124Default fix direction:125- narrow scopes126- constrain callbacks127- enable PKCE for public clients128- keep secrets outside version control129- use JWT certificates or controlled secret storage where appropriate130 131---132 133## Metadata Notes That Matter134 135### Connected App136Usually lives under:137- `force-app/main/default/connectedApps/`138 139### External Client App140Current source-supported ECA metadata uses multiple top-level source directories, not a single `externalClientApps/` folder:141- `force-app/main/default/externalClientApps/` → `ExternalClientApplication` (`.eca-meta.xml`)142- `force-app/main/default/extlClntAppGlobalOauthSets/` → `ExtlClntAppGlobalOauthSettings` (`.ecaGlblOauth-meta.xml`)143- `force-app/main/default/extlClntAppOauthSettings/` → `ExtlClntAppOauthSettings` (`.ecaOauth-meta.xml`)144- `force-app/main/default/extlClntAppOauthSecuritySettings/` → `ExtlClntAppOauthSecuritySettings` (`.ecaOauthSecurity-meta.xml`)145- `force-app/main/default/extlClntAppOauthPolicies/` → `ExtlClntAppOauthConfigurablePolicies` (`.ecaOauthPlcy-meta.xml`)146- `force-app/main/default/extlClntAppPolicies/` → `ExtlClntAppConfigurablePolicies` (`.ecaPlcy-meta.xml`)147 148Important file-name gotchas:149- the global OAuth suffix is `.ecaGlblOauth`, not `.ecaGlobalOauth`150- the general policy suffix is `.ecaPlcy`, not `.ecaPolicy`151- use `.ecaOauthSecurity` for `ExtlClntAppOauthSecuritySettings`152 153---154 155## Output Format156 157When finishing, report in this order:1581. **App type chosen**1592. **OAuth flow chosen**1603. **Files created or updated**1614. **Security decisions**1625. **Next deployment / testing step**163 164Suggested shape:165 166```text167App: <name>168Type: Connected App | External Client App169Flow: <oauth flow>170Files: <paths>171Security: <scopes, PKCE, certs, secrets, IP policy>172Next step: <deploy, retrieve consumer key, or test auth flow>173```174 175---176 177## Cross-Skill Integration178 179| Need | Delegate to | Reason |180|---|---|---|181| Named Credential / callout runtime config | [sf-integration](../sf-integration/SKILL.md) | runtime integration setup |182| deploy app metadata | [sf-deploy](../sf-deploy/SKILL.md) | org validation and deployment |183| Apex token or refresh handling | [sf-apex](../sf-apex/SKILL.md) | implementation logic |184| permission review after deployment | [sf-permissions](../sf-permissions/SKILL.md) | access governance |185 186---187 188## Reference Map189 190### Start here191- [references/oauth-flows-reference.md](references/oauth-flows-reference.md)192- [references/security-checklist.md](references/security-checklist.md)193- [references/testing-validation-guide.md](references/testing-validation-guide.md)194 195### Migration / examples196- [references/migration-guide.md](references/migration-guide.md)197- [references/example-usage.md](references/example-usage.md)198- [assets/](assets/)199 200---201 202## Score Guide203 204| Score | Meaning |205|---|---|206| 80+ | production-ready OAuth app config |207| 54–79 | workable but needs hardening review |208| < 54 | block deployment until fixed |