Celonis Product Documentation

How the OAuth 2.0 JWT Bearer Authentication flow works
1) Configure the authentication method
  • In the Salesforce connection setup page in the Celonis Platform, you need to select “OAuth with Username/Password” (which is the default option) and click save.

  • Once you click Save, you are redirected to the “authorize” endpoint of the Salesforce OAuth API with the following request: “https://login.salesforce.com/services/oauth2/authorize?client_id={CLIENT_ID}&response_type={RESPONSE_TYPE}&redirect_uri={REDIRECT_URL}&state={STATE}”

    • CLIENT_ID: This is the client ID of the Celonis Connected App on the Salesforce system (so you do not need a connected app of your own)

    • RESPONSE_TYPE: This parameter is always “code”

    • REDIRECT_URL: This parameter is always “https://auth.redirect.celonis.cloud/salesforce_redirect”

    • STATE: This is a custom parameter (not part of the OAuth flow) that carries a secret so that our redirect endpoint cannot be called by unauthorized parties

  • After that you are redirected to the Salesforce login page, where you authenticate and then authorize the “Celonis Connected Application” to access your data (this authorization can be revoked at any time)

  • Following this, you are redirected back to the Celonis Platform along with the “Authorization Code” value, which is used to obtain an access token.

2) Getting access and identifying the user
  • Once the authentication and authorization process is complete, we make a request to Salesforce to get an access token via:

    “https://login.salesforce.com/services/oauth2/token?grant_type=authorization_code&code={CODE}&redirect_uri={REDIRECT_URL}&client_id={CLIENT_ID}”

    • CODE: This is the “Authorization Code” that is retrieved at the end of the authentication and authorization step

    • CLIENT_ID: This is the client ID of the Celonis Connected App on the Salesforce system

    • REDIRECT_URL: This parameter is always “https://auth.redirect.celonis.cloud/salesforce_redirect”

  • In response to this request, we receive an access token, the instance URL of your Salesforce instance, and a URL that can be used to identify the user who authorized the “Celonis Connected Application”

  • With the access token retrieved above, we make another request to retrieve the username of the user who authorized the “Celonis Connected Application”, using the following request:

    “{USER_ID_URL}?oauth_token={ACCESS_TOKEN}”

    • USER_ID_URL: This URL is provided by Salesforce along with the access token in the first step.

    • ACCESS_TOKEN: This is the access token retrieved in the first step.

  • In response to this request, we receive the username of the user who authorized the “Celonis Connected Application”, and we store this username along with the instance URL of your Salesforce instance

3) Retrieving Data
  • To retrieve data, we first obtain an access token by making the request below:

    POST “{CUSTOMER_SALESFORCE_INSTANCE_URL}/services/oauth2/token” with parameters:

    • grant_type: This is always “urn:ietf:params:oauth:grant-type:jwt-bearer”

    • assertion: The JWT serialized as a string (see the section “How JWT is created” below for details).

    • CUSTOMER_SALESFORCE_INSTANCE_URL: This URL is returned in the response to the access token request in the first step of the “Getting access and identifying the user” section.

  • We receive an access token in response to this request.

4) How JWT is created
  • The JWT consists of a claim set with the fields below:

    • Issuer: This is the client ID of the Celonis Connected App on the Salesforce system

    • Subject: The username of the user who authorized the “Celonis Connected Application”, as retrieved in the second step of the “Getting access and identifying the user” section.

    • Audience: This is always “https://login.salesforce.com”

    • We build the JWT from this claim set and sign it with the RS256 algorithm using a private key held on our server. The JWT expires after 3 minutes.

  • After we receive the access token, we make a request to retrieve the data via:

    “{CUSTOMER_SALESFORCE_INSTANCE_URL}/services/data/v49.0/queryAll?q={QUERY}”

    • QUERY: A Salesforce query that retrieves the data specified by the user. For example: “SELECT ID FROM ACCOUNT”

    • CUSTOMER_SALESFORCE_INSTANCE_URL: This URL is returned in the response to the access token request in the first step of the “Getting access and identifying the user” section.

  • The response to this request is the data you wanted to retrieve from your Salesforce instance, in JSON format. After this data is retrieved, it is processed and uploaded to our permanent storage in the Celonis Platform.
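The following Go program is an added illustration, not Celonis's own code: it builds the assertion described in step 4 (iss, sub, aud and a 3-minute exp, RS256-signed) that is posted in step 3, and shows the check the receiving side performs with the public key registered on the connected app, including rejecting a header that does not say RS256. The key pair, client ID and username used with it are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims holds exactly the fields the page lists for the assertion.
type Claims struct {
	Iss string `json:"iss"` // client ID of the Celonis Connected App
	Sub string `json:"sub"` // Salesforce username retrieved in step 2
	Aud string `json:"aud"` // always "https://login.salesforce.com"
	Exp int64  `json:"exp"` // Unix seconds; the page says 3 minutes
}
// BuildAssertion returns the RS256-signed header.claims.signature JWT (unpadded base64url).
func BuildAssertion(key *rsa.PrivateKey, clientID, username string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	claims, _ := json.Marshal(Claims{Iss: clientID, Sub: username,
		Aud: "https://login.salesforce.com", Exp: now.Add(3 * time.Minute).Unix()})
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyAssertion is the receiver's check: pin alg to RS256, verify the signature with the registered public key, then enforce aud and exp.
func VerifyAssertion(pub *rsa.PublicKey, token, wantAud string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, _ := base64.RawURLEncoding.DecodeString(p[0]) // decode errors fall through to failing checks
	sig, _ := base64.RawURLEncoding.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("alg not RS256 or bad signature")
	}
	var c Claims
	if cb, _ := base64.RawURLEncoding.DecodeString(p[1]); json.Unmarshal(cb, &c) != nil || c.Aud != wantAud || c.Exp <= now.Unix() {
		return nil, errors.New("bad claims, wrong audience, or expired")
	}
	return &c, nil
}
```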