Connecting a Salesforce Org to CodeScan using local ECA flow

As of release 26.0.4, CodeScan has adopted the External Client App (ECA) flow for Salesforce, replacing our existing Connected Apps flow.

Key points:

If you have an existing Salesforce org registered, you are using the existing Connected App flow. No action is required at this time, and your analyses will run as expected.
Please note that any new Salesforce org that you wish to register in CodeScan must use the new local ECA flow.
Please note that if your existing Salesforce orgs need to be reattached, if your tokens expire, or after Sandbox refresh, your Connected App flow will no longer work, and you will need to re-register your org using the local ECA flow. Please note that in these circumstances, your comparison branches in Salesforce will need to be set up again.

This is a step-by-step guide on how to implement the local ECA flow to establish a new connection with CodeScan.

1) Pre-requisite: get your Callback URL (redirect URI)

For AutoRABIT’s CodeScan ECA setup, you need the callback URL

Callback URL depends on the instance:

{$isntancename}/_codescan/oauth2/authorize

Example:

https://perf.codescan.io/_codescan/oauth2/authorize

2) Create the External Client App (ECA) in your Salesforce Org

In Salesforce, go to Setup.
In Quick Find, search External Client Apps.
Open External Client App Manager (or the External Client Apps area).

Click New External Client App.
Fill in the basics:
- Name / Label ( e.g. AR_Local)
- API Name (auto-filled)
- Contact Email
- Distribution State:
  - Local (only for this org)

3) Enable OAuth + set callback URL + scopes

Click Enable OAuth (or expand API (Enable OAuth Settings) and check Enable OAuth).
Set *Callback URL
The URL you collected in step 1.
Choose OAuth Scopes:
- Access the identity URL service (id, profile, email, address, phone)
- Manage user data via APIs (api)
- Manage user data via Web browsers (web)
- Perform requests at any time (refresh_token, offline_access)

4) Flow Enablement

In Flow Enablement, select Enable Authorization Code and Credentials Flow.
User credentials are required in the POST body (Salesforce shows this option when you choose that flow) should be disabled.

5) Security toggles (common defaults)

In the Security section the next options should be enabled:

Require secret for Web Server Flow
Require secret for Refresh Token Flow

6) Create the app and capture Client ID / Secret

Click Create.
Open the app’s Settings tab and locate Consumer Key and Secret:
- Consumer Key = Client ID
- Consumer Secret = Client Secret

When you click the button for Consumer Key and Secret, a code will be sent to the registered email for the user creating the configuration:

After receiving the code and verifying in Salesforce, the Consumer Key (Client ID) and Consumer Secret (Client Secret) will be displayed:

Store these values in a safe place and make sure you can access them as needed

7) Configure Policies

After creating the ECA, open the Policies tab and adjust as needed (exact options vary by org/security posture), commonly:

Permitted Users: often set to Admin approved users are pre-authorized for controlled rollouts.
Add the required profiles/permission sets (or approved users) for who is allowed to authorize.

8) What you’ll use in AutoRABIT

Once created, the set of values you’ll reference in your CodeScan configuration are:

Client ID
Client Secret

Also, the internal direction is to be clear that one ECA per customer org can be used across products (rather than creating one per AR product).

After the configuration in Salesforce is complete, and you have obtained the ClientID and Client Secret, we can go to CodeScan to create the connection.

In Project analysis, click on Add Analysis Project

If no previous connections are found or the required org is not present in the Connection list, a message to navigate to the Salesforce Connections page is displayed.