sf-connected-apps: Salesforce Connected Apps & External Client Apps

Use this skill when the user needs OAuth app configuration in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.

When This Skill Owns the Task

Use sf-connected-apps when the work involves:

• .connectedApp-meta.xml or .eca-meta.xml files
• OAuth flow selection and callback / scope setup
• JWT bearer auth, device flow, client credentials, or auth-code decisions
• Connected App vs External Client App architecture choices
• consumer-key / secret / certificate handling strategy

Delegate elsewhere when the user is:

• configuring Named Credentials or runtime callouts → sf-integration
• analyzing access / permission policy assignments → sf-permissions
• writing Apex token-handling code → sf-apex
• deploying metadata to orgs → sf-deploy

First Decision: Connected App or External Client App

Default guidance:

• choose ECA for new regulated, packageable, or automation-heavy solutions
• choose Connected App when simplicity and legacy compatibility matter more

Required Context to Gather First

Ask for or infer:

• app type: Connected App or ECA
• OAuth flow: auth code, PKCE, JWT bearer, device, client credentials
• client type: confidential vs public
• callback URLs / redirect surfaces
• required scopes
• distribution model: local org only vs packageable / multi-org
• whether certificates or secret rotation are required

Recommended Workflow

1. Choose the app model

Decide whether a Connected App or ECA is the better long-term fit.

2. Choose the OAuth flow

3. Start from the right template

Use the provided assets instead of building from scratch:

• assets/connected-app-basic.xml
• assets/connected-app-oauth.xml
• assets/connected-app-jwt.xml
• assets/external-client-app.xml
• assets/eca-global-oauth.xml
• assets/eca-oauth-settings.xml
• assets/eca-policies.xml

4. Apply security hardening

Favor:

• least-privilege scopes
• explicit callback URLs
• PKCE for public clients
• certificate-based auth where appropriate
• rotation-ready secret / key handling
• IP restrictions when realistic and maintainable

5. Validate deployment readiness

Before handoff, confirm:

• metadata file naming is correct
• scopes are justified
• callback and auth model match the real client type
• secrets are not embedded in source

High-Signal Security Rules

Avoid these anti-patterns:

Default fix direction:

• narrow scopes
• constrain callbacks
• enable PKCE for public clients
• keep secrets outside version control
• use JWT certificates or controlled secret storage where appropriate

Metadata Notes That Matter

Connected App

Usually lives under:

• force-app/main/default/connectedApps/

External Client App

Typically involves multiple metadata files, including:

• base ECA header
• global OAuth settings
• instance OAuth settings
• optional policy metadata

Important file-name gotcha:

• the global OAuth suffix is .ecaGlblOauth, not .ecaGlobalOauth

Output Format

When finishing, report in this order:

1. App type chosen
2. OAuth flow chosen
3. Files created or updated
4. Security decisions
5. Next deployment / testing step

Suggested shape:

App: <name>
Type: Connected App | External Client App
Flow: <oauth flow>
Files: <paths>
Security: <scopes, PKCE, certs, secrets, IP policy>
Next step: <deploy, retrieve consumer key, or test auth flow>

Cross-Skill Integration

Reference Map

Start here

• references/oauth-flows-reference.md
• references/security-checklist.md
• references/testing-validation-guide.md

Migration / examples

• references/migration-guide.md
• references/example-usage.md
• assets/

Score Guide