
JWT OAuth Callback Failing: Connected App Not Authorized

Problem

When CloudSense Digital Fulfilment or other Elastic services attempt to send JWT (JSON Web Token) callbacks to Salesforce, the callback fails with the following error:

"400 Bad Request: user hasn't approved this consumer"

This prevents the Elastic services from authenticating with Salesforce, causing integration failures.

Cause

The error occurs when the Connected App used for JWT OAuth authentication is not authorized for the user or the org. Specifically, the "CS Configuration Service Connected App" (or equivalent) has not been pre-approved for the org.

JWT OAuth Flow

CloudSense Elastic services use JWT OAuth to authenticate with Salesforce:

  1. The Elastic service generates a JWT token signed with a private key.
  2. The JWT token is sent to Salesforce's OAuth token endpoint.
  3. Salesforce verifies the JWT token using the public key stored in the Connected App.
  4. If the Connected App is authorized, Salesforce returns an access token.
  5. The Elastic service uses the access token to make API calls to Salesforce.

If the Connected App is not authorized, Step 4 fails with the "user hasn't approved this consumer" error.
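The checks below are an added example written for this article, not CloudSense or Salesforce code. They assemble the unsigned part of a JWT bearer assertion with the claims Salesforce expects (RS256; iss = Consumer Key, sub = integration username, aud = the login or test URL, exp in the future), inspect a received assertion for claim mistakes that fail before the "approved consumer" check is reached, and map the token endpoint's error body to the article's diagnosis. The consumer key, username and error JSON are constructed for the example; signing with the Connected App's private key is done separately and is not shown.

```python
import base64
import json
import time

# Constructed values for this example (not a real org, key or user)
EXPECTED_CONSUMER_KEY = "3MVG9EXAMPLECONSUMERKEY"
EXPECTED_AUDIENCE = "https://login.salesforce.com"   # https://test.salesforce.com for a sandbox
EXPECTED_SUBJECT = "integration.user@example.com"

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_assertion(consumer_key, subject, audience, lifetime_seconds=180, now=None):
    """Return 'header.claims' for a Salesforce JWT bearer assertion (flow step 1).
    The RS256 signature over this string, made with the private key whose
    certificate is uploaded to the Connected App, is appended as a third segment."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256"}
    claims = {"iss": consumer_key, "sub": subject, "aud": audience, "exp": now + lifetime_seconds}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return compact(header) + "." + compact(claims)


def token_request_form(assertion):
    """Form body the service POSTs to https://<host>/services/oauth2/token (flow step 2)."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def inspect_assertion(jwt, expected_consumer_key, expected_audience, expected_subject, now=None):
    """Decode an assertion's claims and list mismatches. Signature verification
    against the Connected App certificate is Salesforce's job (flow step 3) and is
    deliberately not attempted here."""
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.claims.signature"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg must be RS256")
    if claims.get("iss") != expected_consumer_key:
        problems.append("iss does not match the Connected App Consumer Key")
    if claims.get("aud") != expected_audience:
        problems.append("aud does not match the login/test URL for this org type")
    if claims.get("sub") != expected_subject:
        problems.append("sub is not the integration user's username")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already in the past")
    return problems


def diagnose_token_error(response_body):
    """Map the JSON error body from /services/oauth2/token to a likely cause.
    The 'user hasn't approved this consumer' text is the article's error message."""
    try:
        body = json.loads(response_body)
    except ValueError:
        return "unrecognised response body"
    description = body.get("error_description", "")
    if "hasn't approved this consumer" in description:
        return "Connected App not approved for this user/org: run the OAuth approval URL (Resolution, Step 2)"
    if body.get("error") == "invalid_grant":
        return "invalid_grant: check the iss/sub/aud/exp claims and the signing certificate"
    return body.get("error", "unknown error")
```

Running `inspect_assertion` on the assertion your service actually sends (copied from its debug log) before chasing the approval problem rules out the cheaper mistakes first, such as a production consumer key used against test.salesforce.com.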

Resolution

Step 1: Identify the Connected App

  1. In Salesforce, navigate to Setup > App Manager.
  2. Locate the Connected App used for JWT OAuth (e.g., "CS Configuration Service Connected App", "CloudSense Elastic Services", or similar).
  3. Note the Consumer Key (Client ID) of the Connected App.

Step 2: Authorize the Connected App

To authorize the Connected App for the org, you need to initiate the OAuth approval flow using a specific URL.

OAuth Approval URL Format:

https://[your-salesforce-domain]/services/oauth2/authorize?client_id=[Consumer Key]&redirect_uri=[Redirect URI]&response_type=code

Example:

https://login.salesforce.com/services/oauth2/authorize?client_id=3MVG9A2kN3Bn17hvKfTGTfJ2h...&redirect_uri=https://cloudsense-elastic.herokuapp.com/oauth/callback&response_type=code

Steps:

  1. Replace [your-salesforce-domain] with your Salesforce instance URL (e.g., login.salesforce.com for production, test.salesforce.com for sandbox).
  2. Replace [Consumer Key] with the Consumer Key from Step 1.
  3. Replace [Redirect URI] with the redirect URI configured in the Connected App (e.g., https://cloudsense-elastic.herokuapp.com/oauth/callback).
  4. Open the URL in a web browser while logged in as a System Administrator or a user with the necessary permissions.
  5. Salesforce will display an authorization page asking you to approve the Connected App.
  6. Click Allow to authorize the Connected App.
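The following is an added example (not CloudSense's code) that builds the approval URL from the three values above and checks a hand-assembled URL for the mistakes this article calls out: wrong host for a sandbox, a missing response_type, and a redirect URI that does not exactly match the Connected App setting. The consumer key and redirect URI values are constructed for the example; urlencode is used so the redirect URI survives as a single query parameter.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_PATH = "/services/oauth2/authorize"


def build_approval_url(salesforce_host, consumer_key, redirect_uri):
    """Assemble the Step 2 approval URL. urlencode percent-encodes ':' and '/'
    in the redirect URI so Salesforce receives it as one parameter value."""
    query = urlencode({"client_id": consumer_key, "redirect_uri": redirect_uri, "response_type": "code"})
    return f"https://{salesforce_host}{AUTHORIZE_PATH}?{query}"


def check_approval_url(url, configured_redirect_uri, sandbox):
    """Return a list of problems with an approval URL someone typed by hand.
    An empty list means the URL has the shape this article expects."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    problems = []
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if parsed.path != AUTHORIZE_PATH:
        problems.append(f"path must be {AUTHORIZE_PATH}")
    if sandbox and parsed.hostname == "login.salesforce.com":
        problems.append("sandbox org: use test.salesforce.com instead of login.salesforce.com")
    if not sandbox and parsed.hostname == "test.salesforce.com":
        problems.append("production org: use login.salesforce.com instead of test.salesforce.com")
    if params.get("response_type") != ["code"]:
        problems.append("response_type must be 'code'")
    if not params.get("client_id", [""])[0]:
        problems.append("client_id (Consumer Key) is missing")
    supplied = params.get("redirect_uri", [""])[0]
    # Exact string comparison: a trailing slash or a case difference is a mismatch
    if supplied != configured_redirect_uri:
        problems.append("redirect_uri does not exactly match the Connected App's configured redirect URI")
    return problems
```

Example input, constructed for this check: `build_approval_url("login.salesforce.com", "3MVG9EXAMPLE", "https://cloudsense-elastic.herokuapp.com/oauth/callback")`.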

Step 3: Verify Authorization

After authorizing the Connected App:

  1. Navigate to Setup > Connected Apps > Manage Connected Apps.
  2. Locate the Connected App and verify that it is listed under Approved Connected Apps.
  3. Verify that the Permitted Users setting is configured correctly (e.g., "Admin approved users are pre-authorized" or "All users may self-authorize").

Step 4: Test the JWT OAuth Callback

  1. Trigger the Elastic service operation that requires JWT OAuth authentication (e.g., a Digital Fulfilment callback, an Orchestrator Accelerator API call).
  2. Verify that the callback succeeds and that the Elastic service can authenticate with Salesforce.
  3. Check the Elastic service logs (e.g., Heroku logs, AWS CloudWatch logs) to confirm that the JWT token exchange is successful.

Prevention

  • Pre-Authorization: When provisioning new orgs or deploying new Elastic services, always pre-authorize the Connected App using the OAuth approval URL.
  • Documentation: Document the OAuth approval process in your org's CloudSense configuration guide.
  • Monitoring: Implement monitoring to detect and alert on JWT OAuth failures.
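As an added example of the monitoring bullet above (not code from CloudSense or any Elastic service), the script below scans Heroku-style log lines for token exchange results, counts outcomes per Consumer Key, and raises an alert as soon as a "user hasn't approved this consumer" failure appears, since that condition is a configuration fault that does not clear on its own. The log format, the sf_token_exchange marker and the sample lines are constructed for the example; adapt the regular expression to what your service actually logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Heroku-style format (not real logs from any service)
SAMPLE_LOGS = """\
2024-03-01T10:00:01+00:00 app[web.1]: sf_token_exchange status=200 client_id=3MVG9KEY_A
2024-03-01T10:00:03+00:00 app[web.1]: GET /health 200
2024-03-01T10:05:02+00:00 app[web.1]: sf_token_exchange status=400 client_id=3MVG9KEY_B error="invalid_grant" error_description="user hasn't approved this consumer"
2024-03-01T10:05:40+00:00 app[web.2]: sf_token_exchange status=400 client_id=3MVG9KEY_B error="invalid_grant" error_description="user hasn't approved this consumer"
2024-03-01T10:06:10+00:00 app[web.1]: sf_token_exchange status=400 client_id=3MVG9KEY_A error="invalid_grant" error_description="invalid assertion"
"""

# Assumed log line shape: "<timestamp> <source>: sf_token_exchange status=NNN client_id=KEY [error=... error_description=...]"
TOKEN_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<source>\S+): sf_token_exchange status=(?P<status>\d{3}) '
    r'client_id=(?P<client_id>\S+)'
    r'(?: error="(?P<error>[^"]*)" error_description="(?P<desc>[^"]*)")?$'
)

NOT_APPROVED_TEXT = "hasn't approved this consumer"   # the article's error message


def parse_token_exchange(line):
    """Return the fields of a token exchange log line, or None for unrelated lines."""
    match = TOKEN_LINE.match(line)
    return match.groupdict() if match else None


def classify(event):
    if event["status"] == "200":
        return "ok"
    if NOT_APPROVED_TEXT in (event["desc"] or ""):
        return "not_approved"
    return "other_failure"


def summarise(log_text, other_failure_threshold=3):
    """Count outcomes per Consumer Key and build alert messages.
    Any not-approved failure alerts immediately; other JWT failures alert once
    they reach the threshold, which an operator tunes to the service's call rate."""
    counts = defaultdict(lambda: {"ok": 0, "not_approved": 0, "other_failure": 0})
    for line in log_text.splitlines():
        event = parse_token_exchange(line)
        if event is None:
            continue
        counts[event["client_id"]][classify(event)] += 1
    alerts = []
    for client_id, c in sorted(counts.items()):
        if c["not_approved"]:
            alerts.append(f"{client_id}: Connected App not approved ({c['not_approved']} failures); run the OAuth approval URL")
        if c["other_failure"] >= other_failure_threshold:
            alerts.append(f"{client_id}: {c['other_failure']} JWT exchange failures; check assertion claims and certificate")
    return dict(counts), alerts


if __name__ == "__main__":
    totals, found = summarise(SAMPLE_LOGS)
    for key, outcome in totals.items():
        print(key, outcome)
    for alert in found:
        print("ALERT:", alert)
```

Wire `summarise` to whatever reads your Heroku or CloudWatch stream and route the alert strings to the channel your on-call team watches; the per-key split matters because one org can have several Connected Apps with different approval states.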

Additional Notes

  • The exact name and configuration of the Connected App may vary depending on your CloudSense implementation. Consult your CloudSense administrator or refer to your org's configuration documentation.
  • If the Connected App is configured with "Admin approved users are pre-authorized", you will also need to create a Permission Set or Profile that grants access to the Connected App and assign it to the integration user.
  • If you are using a sandbox, replace login.salesforce.com with test.salesforce.com in the OAuth approval URL.
  • The redirect URI in the approval URL must exactly match the redirect URI configured in the Connected App, including any trailing slash. If they do not match, the authorization will fail.
Posted by Priyanka Bhotika