This is another guide in our series on using the different authentication protocols in External Credentials in Salesforce to authenticate with external systems.
(External credentials enable the safe and secure storage of authentication details for external systems. Configured through the declarative, point-and-click features of Salesforce, they significantly reduce the need for custom code that would otherwise be necessary to establish connections and authenticate with external systems.)
In this guide we will learn how to configure and use an External Credential with the “OAuth JWT Bearer Flow” to integrate Salesforce with Google using a Google Service Account. But before we dive in, here is an overview of all the different authentication protocols that external credentials support.
Salesforce External Credential Authentication Protocols – Lay of the Land
External Credentials in Salesforce support different authentication protocols to suit diverse requirements. The diagram below shows the lay of the land regarding the various authentication protocols available within external credentials.
In this post, we will learn how to use the OAuth JWT Bearer Flow (highlighted by the red arrow in the image below).
Begin with the End in Mind
In this guide, we will walk you through creating a Screen Flow (with data table) to display a list of files from Google Drive using the Google Drive API. We’ll use a Google Service Account for authentication and leverage Salesforce’s Named Credentials and External Credentials features to establish a seamless connection with Google. Once you understand how to integrate Salesforce with Google Drive, you can build upon this knowledge to integrate with other Google products, such as Gmail, Google Calendar, Google Drive, etc.
Here is what the final output in the Screen Flow will look like:
Google Service Account for Enhanced Security
A Google Service Account is a special Google account used for secure access to Google APIs. It’s particularly useful when you want external applications or services to interact with Google services on your behalf without compromising your personal Google Account.
Creating a Google Service Account ensures controlled and secure access to Google services for various use cases. If you’re a Google Workspace user, you can also utilize this account to perform activities on behalf of other users in your Google Workspace Domain.
Here’s a real-world example. In one of our projects, we used a Google Service Account to send emails from Salesforce using the Gmail API for a client who needed to send more than 5000 emails per day. Using a Service Account eliminated the need for each user to manually authenticate and authorize Salesforce with Google.
OAuth External Credential with JWT Bearer Flow Configuration Components
Here is a visual representation of all the components that need to be configured for the OAuth JWT Bearer Flow. While this may seem like a lot (and it is), don’t worry. I have you covered with an exhaustive, step-by-step guide complete with screenshots, so that you don’t get lost.
And here is a visual representation of the flow between Salesforce & Google.
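The signed JWT assertion at the center of this flow can be audited before an integration goes live. The following is an added example, not code from this guide or from Salesforce or Google: a Python check of a service-account assertion's header and claims against the requirements of Google's token endpoint (RS256, the token URL as audience, at most one hour of lifetime). The service account name, the read-only scope allowlist and the sample tokens are constructed assumptions, and the signature is not verified here.

```python
import base64
import json

GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
DRIVE = "https://www.googleapis.com/auth/drive"
# Assumed allowlist: scopes sufficient for listing Drive files, nothing broader.
READ_ONLY_SCOPES = {DRIVE + ".readonly", DRIVE + ".metadata.readonly"}
MAX_LIFETIME = 3600  # Google accepts at most one hour between iat and exp

def encode_segment(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def audit_assertion(jwt, expected_issuer):
    """Return findings for the header and claims; the signature is not verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or claims are not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header or claims are not JSON objects"]
    scopes = set(str(claims.get("scope", "")).split())
    iat, exp = claims.get("iat"), claims.get("exp")
    lifetime_ok = (isinstance(iat, int) and isinstance(exp, int)
                   and 0 < exp - iat <= MAX_LIFETIME)
    checks = [
        (header.get("alg") != "RS256", "alg is not RS256"),
        (claims.get("iss") != expected_issuer, "iss is not the expected service account"),
        (claims.get("aud") != GOOGLE_TOKEN_URL, "aud is not the Google token endpoint"),
        (not scopes or bool(scopes - READ_ONLY_SCOPES), "scope is missing or broader than read-only Drive"),
        (not lifetime_ok, "lifetime is missing, non-positive or over one hour"),
        ("sub" in claims, "sub is set: assertion impersonates a Workspace user"),
    ]
    return [message for failed, message in checks if failed]

# Constructed sample data: hypothetical service account, placeholder signature segment.
SA = "sf-drive-reader@example-project.iam.gserviceaccount.com"

def sample(scope, lifetime, **extra):
    claims = {"iss": SA, "aud": GOOGLE_TOKEN_URL, "scope": scope,
              "iat": 1700000000, "exp": 1700000000 + lifetime, **extra}
    return ".".join([encode_segment({"alg": "RS256", "typ": "JWT"}), encode_segment(claims), "c2ln"])

GOOD = sample(DRIVE + ".readonly", 3600)
RISKY = sample(DRIVE, 86400, sub="admin@example.com")
```

`audit_assertion(GOOD, SA)` returns an empty list, while `RISKY` is flagged for its full Drive scope, its 24-hour lifetime and the `sub` claim used to act on behalf of another Workspace user.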
Here is the overview of steps we are covering in this guide. Step by step, with screenshots.
- Create Project in Google Cloud
- Enable Required APIs in Google Cloud Project
- Create Google Service Account
- Generate Java Key Store (JKS) File
- Upload JKS File to Salesforce
- Create External Credential
- Create Named Credential
- Create/Update Permission Set
- Create Screen Flow with HTTP Callout
- Test the Flow