Implementing JWT with OAuth

Author: RubenHalman

.forceignore

@@ -10,3 +10,8 @@ package.xml
 
 # LWC Jest
 **/__tests__/**
+
+**/flows**
+profiles
+profiles/Admin.profile-meta.xml
+force-app/main/default/certs

.gitignore

@@ -46,4 +46,8 @@ $RECYCLE.BIN/
 **/venv/
 
 # testing flows
-force-app/main/default/flows
+force-app/main/default/flows
+flow_scanner.crt
+flow_scanner.key
+flow_jwt_rsa.key
+sfdx-project.json

CONTRIBUTING.md

@@ -4,6 +4,6 @@ Since 2021, the _Lightning Flow Scanner_ has grown from its roots as VS Code Ext
 - 📢 Sharing our work with your network
 - 💬 Sharing feedback to help us improve
 - 💻 Contributing code to drive innovation
-- 🤝 Join us as a member
+- 🤝 [Become a member](https://register.lightningflowscanner.org/) to stay connected.
 
 Want to help improve Lightning Flow Scanner? See our [Contributing Guidelines](https://github.com/Flow-Scanner/lightning-flow-scanner-core/blob/main/CONTRIBUTING.md).

README.md

@@ -50,8 +50,6 @@ For details about all available rules, their default severities, and configurati
 
 ### User Manual
 
-*Prerequisite: Ensure that the Flow Scanner permission set is assigned to users who need access.*
-
 - Click on the App Launcher icon in the top-left corner of your Salesforce interface.
 - Search for "Flow Scanner" in the App Launcher.
 - Click on the "Flow Scanner" app to open the Scan Flows Overview.
@@ -84,15 +82,13 @@ While no configuration is required, Admins can define **default severities**, **
 
 ## Installation
 
-<a href="https://login.salesforce.com/packaging/installPackage.apexp?p0=04tgK00000079xpQAA">
-  <img alt="Install Managed Package" src="https://raw.githubusercontent.com/afawcett/githubsfdeploy/master/deploy.png">
-</a>
-
-Or via Salesforce CLI:
+| Deployment Type | Installation |
+|-----------------|----------------|
+| **Managed** (Recommended) | <a href="https://login.salesforce.com/packaging/installPackage.apexp?p0=04tgK0000007M73QAE"><img alt="Install Managed Package" src="https://raw.githubusercontent.com/afawcett/githubsfdeploy/master/deploy.png"></a> |
+| **Unmanaged** | <a href="https://githubsfdeploy.herokuapp.com?owner=Flow-Scanner&repo=lightning-flow-scanner-app&ref=main"><img alt="Install Unmanaged Package" src="https://raw.githubusercontent.com/afawcett/githubsfdeploy/master/deploy.png"></a> |
+| **Or via CLI** | `sf package install --package 04tgK0000007M73QAE --wait 10` |
 
-```bash
-sf package install --package 04tgK00000079xpQAA --wait 10
-```
+> After installation, complete the [Post-Installation Setup](assets\docs\installation.md) to configure the Connected App and assign permissions.
 
 ---
 

SECURITY.md

@@ -3,13 +3,9 @@
 ## Security Practices
 
 - Code is open-source and peer-reviewed by the community.
-- Vulnerabilities can be reported privately via GitHub security features.
+- Vulnerabilities can be reported privately via [GitHub vulnerability reporting](https://github.com/Flow-Scanner/lightning-flow-scanner-app/security).
 - Changes to the repository are scanned and reviewed before merging.
 
-## Reporting a Vulnerability
-
-If you discover a security vulnerability, please report it using [GitHub vulnerability reporting](https://github.com/Flow-Scanner/lightning-flow-scanner-app/security).
-
 ## Data Handling
 
 This tool collects zero user data. No credentials, PII, payment info, health data, or user content is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to external services.
@@ -23,6 +19,5 @@ We temporarily use metadata (e.g., Flow metadata, timestamps) in-memory only for
 We actively track and maintain an up-to-date inventory of all third-party dependencies to ensure security and compatibility. Our dependencies include:
 
 - `lightning-flow-scanner-core` ([MIT license](https://github.com/Flow-Scanner/lightning-flow-scanner-core/blob/main/LICENSE.md)) – static analysis engine
-- `jsforce` ([MIT license](https://github.com/jsforce/jsforce/blob/main/LICENSE)) – Salesforce API connector
 
 These dependencies are packaged as static resources.

config/project-scratch-def.json

@@ -1,7 +1,14 @@
 {
   "orgName": "LightningFlowScanner",
   "edition": "Developer",
-  "features": ["EnableSetPasswordInApi"],
+  "features": [
+    "API",
+    "AddCustomApps:10",
+    "AddCustomTabs:30",
+    "EnableSetPasswordInApi",
+    "AuthorApex",
+    "DebugApex"
+  ],
   "settings": {
     "lightningExperienceSettings": {
       "enableS1DesktopEnabled": true
@@ -11,8 +18,14 @@
     },
     "securitySettings": {
       "sessionSettings": {
-         "lockerServiceNext": true
-        }
-   }
+        "lockerServiceNext": true
+      }
+    },
+    "apexSettings": {
+      "enableCompileOnDeploy": true
+    },
+    "oauthOidcSettings": {
+      "blockOAuthUnPwFlow": false
+    }
   }
-}
+}

docs/installation.md

@@ -0,0 +1,60 @@
+## Post-Installation Setup (takes ~3–5 minutes)
+
+To enable server-to-server authentication for your application using JWT Bearer Flow, follow these steps to manually create and configure a Connected App with a self-signed certificate.
+
+### Step 1 – Create the Connected App
+1. Go to **Setup → App Manager → New Connected App**.
+2. Fill in the basic info:
+   - **Connected App Name**: `Flow Scanner JWT`
+   - **API Name**: `Flow_Scanner_JWT` (auto-populates based on the name)
+   - **Contact Email**: your email address
+3. Under **API (Enable OAuth Settings)**:
+   - Check **Enable OAuth Settings**
+   - **Callback URL**: `https://login.salesforce.com/services/oauth2/success` (placeholder; not used in JWT flow but required)
+   - Check **Use digital signatures**
+   - **Require Secret for Web Server Flow**: Uncheck (if visible)but we
+   - **Require Secret for Refresh Token Flow**: Uncheck
+   - **Enable Client Credential Flow**: Uncheck
+   - **Enable Authorization Code Flow**: Uncheck
+   - **Require PKCE**: Uncheck
+   - **Enable Token Exchange Flow**: Uncheck
+   - **Selected OAuth Scopes**: Add `Access and manage your data (api)` and `Perform requests on your behalf at any time (refresh_token, offline_access)`
+   - Uncheck other options like **Enable Named User JWT Flow**, **Introspect All Tokens**, **Refresh Token Rotation**, **Secret Required for Token Exchange**
+4. Under **OAuth Policies**:
+   - **IP Relaxation**: `Relax IP restrictions`
+   - **Refresh Token Policy**: `Refresh token is valid until revoked`
+5. Click **Save** (it may take a few minutes for the app to be created).
+
+### Step 2 – Create & Upload the Certificate (45 seconds)
+1. Go to **Setup → Certificate and Key Management**.
+2. Click **Create Self-Signed Certificate**.
+3. Fill in:
+   - **Label**: `Flow Scanner`
+   - **Unique Name**: `Flow_Scanner` ← **must be exactly this**
+   - Key Size: 2048 or higher
+4. Click **Save**.
+5. Download the certificate (`.crt` file).
+6. Go to **App Manager → Flow Scanner JWT → Manage → Edit**.
+7. Under **Use digital signatures**, click **Upload Certificate**.
+8. Upload the `.crt` file → **Save**.
+
+### Step 3 – Copy & Paste the Consumer Key (30 seconds)
+1. In **App Manager → Flow Scanner JWT → View**.
+2. Click **Manage Consumer Details** (verify identity once).
+3. **Copy the Consumer Key** (starts with `3MVG…`).
+4. Go to **Setup → Custom Metadata Types → Flow Scanner OAuth Config → Manage Records**.
+5. Edit (or create) the record with **Developer Name = `Default`**.
+6. Paste into the **Consumer Key** field → **Save**.
+
+### Step 4 – Pre-Authorize the Connected App (optional, to avoid consent screen)
+1. In **App Manager → Flow Scanner JWT → Manage → Edit Policies**.
+2. Set **Permitted Users** to **Admin approved users are pre-authorized** → **Save**.
+3. Scroll to **Profiles** section → **Manage Profiles**.
+4. Check **System Administrator** (or relevant profiles) → **Save**.
+   - This allows users with those profiles to use the app without prompts. If you need more granularity, create a custom (unmanaged) Permission Set and assign it here instead.
+
+### Step 5 – Assign the Permission Set
+1. Go to **Setup → Permission Sets → Flow Scanner User**.
+2. Click **Manage Assignments** → add your users → **Done**.
+
+**The app is now ready to use!** Assigned users can run Flow Scanner features, and JWT authentication will handle Tooling API calls seamlessly.

force-app/main/default/applications/LFSApp.app-meta.xml

@@ -6,11 +6,13 @@
         <logoVersion>1</logoVersion>
         <shouldOverrideOrgTheme>false</shouldOverrideOrgTheme>
     </brand>
-    <description>Lightning Flow Scanner</description>
+    <description>Flow Scanner</description>
     <formFactors>Small</formFactors>
     <formFactors>Large</formFactors>
     <isNavAutoTempTabsDisabled>true</isNavAutoTempTabsDisabled>
     <isNavPersonalizationDisabled>true</isNavPersonalizationDisabled>
+    <isNavTabPersistenceDisabled>false</isNavTabPersistenceDisabled>
+    <isOmniPinnedViewEnabled>false</isOmniPinnedViewEnabled>
     <label>Flow Scanner</label>
     <navType>Standard</navType>
     <tabs>Lightning_Flow_Scanner</tabs>

force-app/main/default/aura/LFS_App/LFS_App.app

@@ -1,3 +1,3 @@
 <aura:application access="GLOBAL" extends="ltng:outApp"> 
     <aura:dependency resource="c:lightningFlowScannerApp" />
-</aura:application>	
+</aura:application>

force-app/main/default/aura/LFS_App/LFS_App.app-meta.xml

@@ -2,4 +2,4 @@
 <AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">
     <apiVersion>58.0</apiVersion>
     <description>A Lightning Application Bundle</description>
-</AuraDefinitionBundle>
+</AuraDefinitionBundle>