sf-connected-apps

sf-connected-apps: Salesforce Connected Apps & External Client Apps Use this skill when the user needs OAuth app configuration in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns. When This Skill Owns the Task Use sf-connected-apps when the work involves: .connectedApp-meta.xml or .eca-meta.xml files OAuth flow selection and callback / scope setup JWT bearer auth, device flow, client credentials, or auth-code decisions Connected App vs External Client App architecture choices consumer-key / secret / certificate handling strategy Delegate elsewhere when the user is: configuring Named Credentials or runtime callouts → sf-integration analyzing access / permission policy assignments → sf-permissions writing Apex token-handling code → sf-apex deploying metadata to orgs → sf-deploy First Decision: Connected App or External Client App If the need is... Prefer simple single-org OAuth app Connected App new development with better secret handling External Client App multi-org / packaging / stronger operational controls External Client App straightforward legacy compatibility Connected App Default guidance: choose ECA for new regulated, packageable, or automation-heavy solutions choose Connected App when simplicity and legacy compatibility matter more Required Context to Gather First Ask for or infer: app type: Connected App or ECA OAuth flow: auth code, PKCE, JWT bearer, device, client credentials client type: confidential vs public callback URLs / redirect surfaces required scopes distribution model: local org only vs packageable / multi-org whether certificates or secret rotation are required Recommended Workflow 1. Choose the app model Decide whether a Connected App or ECA is the better long-term fit. 2. Choose the OAuth flow Use case Default flow backend web app Authorization Code SPA / mobile / public client Authorization Code + PKCE server-to-server / CI/CD JWT Bearer device / CLI auth Device Flow service account style app Client Credentials (typically ECA) 3. Start from the right template Use the provided assets instead of building from scratch: assets/connected-app-basic.xml assets/connected-app-oauth.xml assets/connected-app-jwt.xml assets/external-client-app.xml assets/eca-global-oauth.xml assets/eca-oauth-settings.xml assets/eca-policies.xml 4. Apply security hardening Favor: least-privilege scopes explicit callback URLs PKCE for public clients certificate-based auth where appropriate rotation-ready secret / key handling IP restrictions when realistic and maintainable 5. Validate deployment readiness Before handoff, confirm: metadata file naming is correct scopes are justified callback and auth model match the real client type secrets are not embedded in source High-Signal Security Rules Avoid these anti-patterns: Anti-pattern Why it fails wildcard / overly broad callback URLs token interception risk Full scope by default unnecessary privilege PKCE disabled for public clients code interception risk consumer secret committed to source credential exposure no rotation / cert strategy for automation brittle long-term ops Default fix direction: narrow scopes constrain callbacks enable PKCE for public clients keep secrets outside version control use JWT certificates or controlled secret storage where appropriate Metadata Notes That Matter Connected App Usually lives under: force-app/main/default/connectedApps/ External Client App Typically involves multiple metadata files, including: base ECA header global OAuth settings instance OAuth settings optional policy metadata Important file-name gotcha: the global OAuth suffix is .ecaGlblOauth, not .ecaGlobalOauth Output Format When finishing, report in this order: App type chosen OAuth flow chosen Files created or updated Security decisions Next deployment / testing step Suggested shape: App: Type: Connected App | External Client App Flow: Files: Security: <scopes, PKCE, certs, secrets, IP policy> Next step: <deploy, retrieve consumer key, or test auth flow> Cross-Skill Integration Need Delegate to Reason Named Credential / callout runtime config sf-integration runtime integration setup deploy app metadata sf-deploy org validation and deployment Apex token or refresh handling sf-apex implementation logic permission review after deployment sf-permissions access governance Reference Map Start here references/oauth-flows-reference.md references/security-checklist.md references/testing-validation-guide.md Migration / examples references/migration-guide.md references/example-usage.md assets/ Score Guide Score Meaning 80+ production-ready OAuth app config 54–79 workable but needs hardening review < 54 block deployment until fixed Weekly Installs189Repositoryjaganpro/sf-skillsGitHub Stars191First SeenJan 22, 2026Security AuditsGen Agent Trust HubPassSocketPassSnykPassInstalled oncodex184opencode182gemini-cli181cursor180github-copilot178amp176