Salesforce

Get your Salesforce Credentials

  1. Log into your Salesforce org (Production or Developer Edition)
  2. Navigate to Setup > App Manager
  3. Click New Connected App
  4. Fill in the basic information:
    • Connected App Name: Your app name
    • API Name: Auto-generated from app name
    • Contact Email: Your email address
  5. Enable OAuth Settings:
    • Check Enable OAuth Settings
    • Set Callback URL to your redirect URI (e.g., http://localhost:3000/api/auth/callback/salesforce for development)
    • Select Required OAuth Scopes:
      • Access your basic information (id)
      • Access your identity URL service (openid)
      • Access your email address (email)
      • Perform requests on your behalf at any time (refresh_token, offline_access)
  6. Enable Require Proof Key for Code Exchange (PKCE) (required)
  7. Save and note your Consumer Key (Client ID) and Consumer Secret (Client Secret)
  • For development, you can use http://localhost:3000 URLs, but production requires HTTPS
  • The callback URL must exactly match what's configured in Better Auth
  • PKCE (Proof Key for Code Exchange) is required by Salesforce and is automatically handled by the provider

For sandbox testing, you can create the Connected App in your sandbox org, or use the same Connected App but specify environment: "sandbox" in the provider configuration.

Configure the provider

To configure the provider, you need to import the provider and pass it to the social_providers option of the auth instance.

config/auth.rb
require "better_auth"

auth = BetterAuth.auth(
secret: ENV.fetch("BETTER_AUTH_SECRET"),
base_url: ENV.fetch("BETTER_AUTH_URL", "http://localhost:3000"),
social_providers: {
salesforce: BetterAuth::SocialProviders.salesforce(
  client_id: ENV.fetch("SALESFORCE_CLIENT_ID"),
  client_secret: ENV.fetch("SALESFORCE_CLIENT_SECRET"),
  environment: "production"
)
}
)

Configuration Options

  • client_id: Your Connected App's Consumer Key
  • client_secret: Your Connected App's Consumer Secret
  • environment: "production" (default) or "sandbox"
  • login_url: Custom My Domain URL (without https://) - overrides environment setting
  • redirect_uri: Override the auto-generated redirect URI if needed

Advanced Configuration

config/auth.rb
require "better_auth"

auth = BetterAuth.auth(
secret: ENV.fetch("BETTER_AUTH_SECRET"),
base_url: ENV.fetch("BETTER_AUTH_URL", "http://localhost:3000"),
social_providers: {
salesforce: BetterAuth::SocialProviders.salesforce(
  client_id: ENV.fetch("SALESFORCE_CLIENT_ID"),
  client_secret: ENV.fetch("SALESFORCE_CLIENT_SECRET"),
  environment: "sandbox",
  login_url: "my-company.my.salesforce.com",
  redirect_uri: "http://localhost:3000/api/auth/callback/salesforce"
)
}
)
  • Use environment: "sandbox" for testing with Salesforce sandbox orgs
  • The login_url option is useful for organizations with My Domain enabled
  • The redirect_uri option helps resolve redirect URI mismatch errors

Environment Variables

Add the following environment variables to your .env.local file:

.env.local
SALESFORCE_CLIENT_ID=your_consumer_key_here
SALESFORCE_CLIENT_SECRET=your_consumer_secret_here
BETTER_AUTH_URL=http://localhost:3000 # Important for redirect URI generation

For production:

.env
SALESFORCE_CLIENT_ID=your_consumer_key_here
SALESFORCE_CLIENT_SECRET=your_consumer_secret_here
BETTER_AUTH_URL=https://yourdomain.com

Sign In with Salesforce

To sign in with Salesforce, call auth.api.sign_in_social on your Ruby auth instance. The endpoint body takes the following properties:

  • provider: The provider to use. It should be set to salesforce.
server.rb
response = auth.api.sign_in_social(
body: {
provider: "salesforce",
callback_url: "/dashboard",
error_callback_url: "/login",
disable_redirect: true
}
)

redirect_url = response.fetch(:url)

Troubleshooting

Redirect URI Mismatch Error

If you encounter a redirect_uri_mismatch error:

  1. Check Callback URL: Ensure the Callback URL in your Salesforce Connected App exactly matches your Better Auth callback URL
  2. Protocol: Make sure you're using the same protocol (http:// vs https://)
  3. Port: Verify the port number matches (e.g., :3000)
  4. Override if needed: Use the redirect_uri option to explicitly set the redirect URI
config/auth.rb
require "better_auth"

auth = BetterAuth.auth(
secret: ENV.fetch("BETTER_AUTH_SECRET"),
base_url: ENV.fetch("BETTER_AUTH_URL", "http://localhost:3000"),
social_providers: {
salesforce: BetterAuth::SocialProviders.salesforce(
  client_id: ENV.fetch("SALESFORCE_CLIENT_ID"),
  client_secret: ENV.fetch("SALESFORCE_CLIENT_SECRET"),
  redirect_uri: "http://localhost:3000/api/auth/callback/salesforce"
)
}
)

Environment Issues

  • Production: Use environment: "production" (default) with login.salesforce.com
  • Sandbox: Use environment: "sandbox" with test.salesforce.com
  • My Domain: Use login_url: "yourcompany.my.salesforce.com" for custom domains

PKCE Requirements

Salesforce requires PKCE (Proof Key for Code Exchange) which is automatically handled by this provider. Make sure PKCE is enabled in your Connected App settings.

The default scopes requested are openid, email, and profile. The provider will automatically include the id scope for accessing basic user information.

Edit on GitHub

Previous Page

Spotify

Next Page

Slack

On this page