Salesforce Personal OAuth Setup
Overview
Salesforce Personal OAuth 2.0 enables individual users to connect their personal Salesforce accounts with AnswerAI, allowing for user-specific data access and operations. This is distinct from system-wide Salesforce API credentials and provides a more secure, user-controlled authentication method.
Personal OAuth vs System-Wide Credentials
| Personal OAuth | System-Wide API Credentials |
|---|---|
| User-specific authentication | Organization-wide authentication |
| Individual refresh tokens | Shared client credentials |
| User grants permissions | Admin configures permissions |
| Secure, isolated access | Broader system access |
| OAuth 2.0 flow | Client credentials flow |
Prerequisites
- A Salesforce account with admin access
- Access to Salesforce Setup menu
- AnswerAI instance (local or deployed)
- Basic understanding of OAuth 2.0 concepts
Step 1: Create Salesforce Connected App
Access Salesforce Setup
-
Log in to Salesforce
- Sign in to your Salesforce org
- Navigate to Setup (gear icon in top right)
-
Navigate to App Manager
- In Setup, search for "App Manager"
- Click on App Manager under Apps
-
Create New Connected App
- Click New Connected App
- Fill in the basic information:
- Connected App Name:
AnswerAI Personal OAuth - API Name:
AnswerAI_Personal_OAuth - Contact Email: Your email address
- Description: OAuth integration for personal AnswerAI access
- Connected App Name:
Configure OAuth Settings
-
Enable OAuth Settings
- Check Enable OAuth Settings
- Callback URL: Add your AnswerAI callback URL
- For local development:
http://localhost:4000/api/v1/salesforce-auth/callback - For production:
https://yourdomain.com/api/v1/salesforce-auth/callback
- For local development:
-
Select OAuth Scopes Add the following scopes for comprehensive AnswerAI integration:
Access and manage your data (api)
Access your basic information (id, profile, email, address, phone)
Perform requests on your behalf at any time (refresh_token, offline_access) -
Additional Settings
- Require Secret for Web Server Flow: Checked
- Require Secret for Refresh Token Flow: Checked
- Enable PKCE Extension for Supported Authorization Flows: Checked
-
Save the Connected App
- Click Save
- Wait for the app to be created (may take 2-10 minutes)
Step 2: Configure Connected App Policies
Set OAuth Policies
-
Access Connected App
- Navigate back to App Manager
- Find your
AnswerAI Personal OAuthapp - Click the dropdown arrow and select Edit
-
Configure OAuth Policies
- Permitted Users: Select "Admin approved users are pre-authorized"
- IP Relaxation: Select "Relax IP restrictions"
- Refresh Token Policy: Select "Refresh token is valid until revoked"
-
Save Changes
- Click Save
Get Client Credentials
-
View Consumer Details
- In the Connected App details, click View
- Click Manage Consumer Details
- You may need to verify your identity
-
Record Credentials
- Consumer Key (Client ID): Copy and store securely
- Consumer Secret (Client Secret): Copy and store securely
- Instance URL: Note your org's instance URL (e.g.,
https://your-domain.my.salesforce.com)
Step 3: Configure Environment Variables
Add the following environment variables to your AnswerAI instance:
For Local Development
# Salesforce Personal OAuth Configuration
SALESFORCE_CLIENT_ID=your_consumer_key_here
SALESFORCE_CLIENT_SECRET=your_consumer_secret_here
SALESFORCE_INSTANCE_URL=https://your-domain.my.salesforce.com
# API Base URL (for callback)
API_BASE_URL=http://localhost:4000/api/v1
For Production
# Salesforce Personal OAuth Configuration
SALESFORCE_CLIENT_ID=your_consumer_key_here
SALESFORCE_CLIENT_SECRET=your_consumer_secret_here
SALESFORCE_INSTANCE_URL=https://your-domain.my.salesforce.com
# API Base URL (for callback)
API_BASE_URL=https://yourdomain.com/api/v1
Step 4: Credential Configuration in AnswerAI
Creating Salesforce Personal OAuth Credential
-
Navigate to Credentials
- In AnswerAI, go to the Credentials section
- Click Add Credential
-
Select Salesforce OAuth
- Choose Salesforce OAuth from the credential types
- This is different from "Salesforce API" which uses client credentials
-
Configure Credential
- Credential Name: Give it a descriptive name (e.g., "My Salesforce Account")
- Client ID: Enter your Salesforce Consumer Key
- Client Secret: Enter your Salesforce Consumer Secret
- Instance URL: Enter your Salesforce instance URL
-
Authorize Access
- Click Authorize with Salesforce
- You'll be redirected to Salesforce login
- Sign in to your Salesforce account
- Review and approve the requested permissions
- You'll be redirected back to AnswerAI
End User OAuth Flow
For End Users Connecting Their Accounts
Once administrators have set up the Salesforce Connected App, end users can connect their personal accounts:
-
Access Credentials Section
- Navigate to the Credentials section in AnswerAI
- Click Add Credential
-
Select Salesforce OAuth
- Choose Salesforce OAuth from available credential types
- Enter a descriptive name for the credential
-
Fill Required Fields
- Client ID: Provided by admin or from Connected App
- Client Secret: Provided by admin or from Connected App
- Instance URL: Your organization's Salesforce URL
-
Authorization Process
- Click Authorize with Salesforce
- You'll be redirected to Salesforce's authorization page
- Sign in with your Salesforce credentials
-
Grant Permissions
- Review the requested permissions:
- Access and manage your data
- Access your basic information
- Perform requests on your behalf
- Click Allow to grant access
- Review the requested permissions:
-
Confirmation
- You'll be redirected back to AnswerAI
- Your personal Salesforce account is now connected
- The refresh token is securely stored
-
Using the Credential
- Select your Salesforce OAuth credential when configuring:
- Salesforce Personal OAuth MCP Server
- Other Salesforce-integrated nodes
- Select your Salesforce OAuth credential when configuring:
Security Best Practices
Environment Variables
-
Never Expose Secrets
- Keep client secrets in environment variables only
- Never commit secrets to version control
- Use secure environment variable management
-
Callback URL Security
- Use HTTPS in production
- Validate callback URLs match exactly
- Consider using state parameters for additional security
Token Management
-
Refresh Token Handling
- AnswerAI automatically handles token refresh
- Refresh tokens are stored encrypted
- Tokens can be revoked by users at any time
-
Access Control
- Users control their own OAuth permissions
- Tokens are scoped to individual users
- No shared credentials between users
Production Considerations
-
Domain Verification
- Verify your domain in Salesforce for production use
- This removes "unverified app" warnings
- Provides better user experience
-
Monitoring
- Monitor OAuth usage in Salesforce Setup
- Track token refresh patterns
- Set up alerts for unusual activity
Testing Your Setup
Verify Connected App Configuration
-
Check OAuth Settings
- Verify callback URL matches your AnswerAI instance
- Confirm all required scopes are enabled
- Test the OAuth flow in a sandbox first
-
Test Token Flow
- Create a test Salesforce OAuth credential
- Verify authorization redirects work correctly
- Confirm tokens are stored and refresh properly
Integration Testing
-
Create Test Credential
- Follow the end user flow to create a credential
- Verify the OAuth popup works correctly
- Check that refresh tokens are stored
-
Test MCP Integration
- Use the credential with Salesforce Personal OAuth MCP
- Verify data access works as expected
- Test token refresh functionality
Troubleshooting
Common Setup Issues
-
"Error 400: redirect_uri_mismatch"
- Cause: Callback URL in Connected App doesn't match AnswerAI
- Solution: Verify
API_BASE_URLenvironment variable and Connected App callback URL match exactly
-
"Error 400: invalid_client_id"
- Cause: Incorrect Consumer Key or app not properly saved
- Solution: Double-check Consumer Key and wait for Connected App to propagate (up to 10 minutes)
-
"Access Denied" during authorization
- Cause: User doesn't have permission or app not approved
- Solution: Check Connected App policies and user permissions
OAuth Flow Issues
-
Popup Blocked
- Cause: Browser blocking OAuth popup
- Solution: Allow popups for AnswerAI domain
-
Token Not Saving
- Cause: Callback not reaching AnswerAI properly
- Solution: Check network connectivity and callback URL configuration
-
Refresh Token Issues
- Cause: Token revoked or expired
- Solution: Re-authorize the credential through the OAuth flow
Permission Issues
-
Insufficient Permissions
- Cause: User doesn't have required Salesforce permissions
- Solution: Grant user appropriate permissions in Salesforce
-
Scope Limitations
- Cause: Connected App scopes too restrictive
- Solution: Add required scopes to Connected App configuration
Advanced Configuration
Custom Scopes
If you need additional Salesforce API access:
-
Add Scopes to Connected App
- Edit the Connected App in Salesforce
- Add required OAuth scopes
- Save and wait for propagation
-
Update Documentation
- Document any additional scopes for your users
- Provide clear explanations of why scopes are needed
Multi-Environment Setup
For multiple environments (dev, staging, production):
-
Separate Connected Apps
- Create separate Connected Apps for each environment
- Use different callback URLs for each environment
- Maintain separate client credentials
-
Environment-Specific Variables
- Use different environment variables per environment
- Ensure callback URLs match the deployed environment
Enterprise Considerations
-
User Management
- Consider user onboarding process
- Provide clear documentation for end users
- Set up support processes for OAuth issues
-
Compliance
- Ensure OAuth setup meets organizational security requirements
- Consider audit logging for OAuth activities
- Document data access patterns for compliance
Getting Help
Salesforce Resources
AnswerAI Support
- Check AnswerAI application logs for OAuth errors
- Verify environment variables are correctly set
- Test in a development environment first
Next Steps: Once OAuth is configured, you can set up specific Salesforce integrations: