--- id: sm3-sf-connected-apps name: "sf-connected-apps" url: https://skills.yangsir.net/skill/sm3-sf-connected-apps author: jaganpro domain: sales tags: ["salesforce-integration", "connected-apps", "external-clients", "backend-development"] install_count: 1200 rating: 4.30 (80 reviews) github: https://github.com/jaganpro/sf-skills --- # sf-connected-apps > 管理Salesforce连接应用和外部客户端应用,确保安全集成和数据交换,提升系统互操作性。 **Stats**: 1,200 installs · 4.3/5 (80 reviews) ## Before / After 对比 ### Salesforce连接应用 ## Readme # sf-connected-apps # sf-connected-apps: Salesforce Connected Apps & External Client Apps Use this skill when the user needs **OAuth app configuration** in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns. ## When This Skill Owns the Task Use `sf-connected-apps` when the work involves: - `.connectedApp-meta.xml` or `.eca-meta.xml` files - OAuth flow selection and callback / scope setup - JWT bearer auth, device flow, client credentials, or auth-code decisions - Connected App vs External Client App architecture choices - consumer-key / secret / certificate handling strategy Delegate elsewhere when the user is: - configuring Named Credentials or runtime callouts → [sf-integration](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-integration/SKILL.md) - analyzing access / permission policy assignments → [sf-permissions](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-permissions/SKILL.md) - writing Apex token-handling code → [sf-apex](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-apex/SKILL.md) - deploying metadata to orgs → [sf-deploy](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-deploy/SKILL.md) ## First Decision: Connected App or External Client App If the need is... Prefer simple single-org OAuth app Connected App new development with better secret handling External Client App multi-org / packaging / stronger operational controls External Client App straightforward legacy compatibility Connected App Default guidance: - choose **ECA** for new regulated, packageable, or automation-heavy solutions - choose **Connected App** when simplicity and legacy compatibility matter more ## Required Context to Gather First Ask for or infer: - app type: Connected App or ECA - OAuth flow: auth code, PKCE, JWT bearer, device, client credentials - client type: confidential vs public - callback URLs / redirect surfaces - required scopes - distribution model: local org only vs packageable / multi-org - whether certificates or secret rotation are required ## Recommended Workflow ### 1. Choose the app model Decide whether a Connected App or ECA is the better long-term fit. ### 2. Choose the OAuth flow Use case Default flow backend web app Authorization Code SPA / mobile / public client Authorization Code + PKCE server-to-server / CI/CD JWT Bearer device / CLI auth Device Flow service account style app Client Credentials (typically ECA) ### 3. Start from the right template Use the provided assets instead of building from scratch: - `assets/connected-app-basic.xml` - `assets/connected-app-oauth.xml` - `assets/connected-app-jwt.xml` - `assets/external-client-app.xml` - `assets/eca-global-oauth.xml` - `assets/eca-oauth-settings.xml` - `assets/eca-policies.xml` ### 4. Apply security hardening Favor: - least-privilege scopes - explicit callback URLs - PKCE for public clients - certificate-based auth where appropriate - rotation-ready secret / key handling - IP restrictions when realistic and maintainable ### 5. Validate deployment readiness Before handoff, confirm: - metadata file naming is correct - scopes are justified - callback and auth model match the real client type - secrets are not embedded in source ## High-Signal Security Rules Avoid these anti-patterns: Anti-pattern Why it fails wildcard / overly broad callback URLs token interception risk `Full` scope by default unnecessary privilege PKCE disabled for public clients code interception risk consumer secret committed to source credential exposure no rotation / cert strategy for automation brittle long-term ops Default fix direction: - narrow scopes - constrain callbacks - enable PKCE for public clients - keep secrets outside version control - use JWT certificates or controlled secret storage where appropriate ## Metadata Notes That Matter ### Connected App Usually lives under: - `force-app/main/default/connectedApps/` ### External Client App Typically involves multiple metadata files, including: - base ECA header - global OAuth settings - instance OAuth settings - optional policy metadata Important file-name gotcha: - the global OAuth suffix is `.ecaGlblOauth`, not `.ecaGlobalOauth` ## Output Format When finishing, report in this order: - **App type chosen** - **OAuth flow chosen** - **Files created or updated** - **Security decisions** - **Next deployment / testing step** Suggested shape: ``` App: Type: Connected App | External Client App Flow: Files: Security: Next step: ``` ## Cross-Skill Integration Need Delegate to Reason Named Credential / callout runtime config [sf-integration](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-integration/SKILL.md) runtime integration setup deploy app metadata [sf-deploy](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-deploy/SKILL.md) org validation and deployment Apex token or refresh handling [sf-apex](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-apex/SKILL.md) implementation logic permission review after deployment [sf-permissions](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/../sf-permissions/SKILL.md) access governance ## Reference Map ### Start here - [references/oauth-flows-reference.md](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/references/oauth-flows-reference.md) - [references/security-checklist.md](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/references/security-checklist.md) - [references/testing-validation-guide.md](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/references/testing-validation-guide.md) ### Migration / examples - [references/migration-guide.md](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/references/migration-guide.md) - [references/example-usage.md](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/references/example-usage.md) - [assets/](https://github.com/jaganpro/sf-skills/blob/HEAD/skills/sf-connected-apps/assets/) ## Score Guide Score Meaning 80+ production-ready OAuth app config 54–79 workable but needs hardening review < 54 block deployment until fixed Weekly Installs196Repository[jaganpro/sf-skills](https://github.com/jaganpro/sf-skills)GitHub Stars197First SeenJan 22, 2026Security Audits[Gen Agent Trust HubPass](/jaganpro/sf-skills/sf-connected-apps/security/agent-trust-hub)[SocketPass](/jaganpro/sf-skills/sf-connected-apps/security/socket)[SnykPass](/jaganpro/sf-skills/sf-connected-apps/security/snyk)Installed oncodex191opencode189gemini-cli188cursor187github-copilot185amp183 --- *Source: https://skills.yangsir.net/skill/sm3-sf-connected-apps* *Markdown mirror: https://skills.yangsir.net/api/skill/sm3-sf-connected-apps/markdown*