OAuth Flows

In Salesforce, OAuth 2.0 is used for authenticating and authorizing access to the Salesforce platform. Salesforce supports several OAuth flows, each designed for different scenarios and types of applications. Here is an overview of the main OAuth flows available in Salesforce:

1. Web Server Flow (Authorization Code Grant)

  • Use Case: Secure server-to-server communication where the server can keep a client secret.
  • Summary: The application directs the user to the Salesforce authorization endpoint. After the user authorizes the app, Salesforce redirects back with an authorization code. The application then exchanges this code for an access token and refresh token.

2. User-Agent Flow (Implicit Grant)

  • Use Case: Single-page applications or mobile apps where the client secret cannot be kept confidential.
  • Summary: The application directs the user to the Salesforce authorization endpoint. After the user authorizes the app, Salesforce immediately redirects back with an access token (without an intermediate authorization code).

3. Username-Password Flow

  • Use Case: Trusted applications where the user’s credentials are securely handled by the client application.
  • Summary: The application directly sends the user’s Salesforce credentials to the OAuth token endpoint and receives an access token.

4. JWT Bearer Token Flow

  • Use Case: Server-to-server integration with no direct user interaction, typically used for back-end services.
  • Summary: The application creates a JWT (JSON Web Token) and sends it to the Salesforce token endpoint. Salesforce validates the JWT and returns an access token.

5. SAML Bearer Assertion Flow

  • Use Case: Integrating with SAML 2.0 identity providers for single sign-on (SSO).
  • Summary: The application obtains a SAML assertion from the IdP and sends it to the Salesforce token endpoint. Salesforce validates the assertion and returns an access token.

6. Device Flow

  • Use Case: Devices with limited input capabilities, such as smart TVs or IoT devices.
  • Summary: The application obtains a device code and a user code from Salesforce. The user authorizes the device on another device, and Salesforce returns an access token to the original application.

Key Components

  • Client: The application requesting access.
  • Resource Owner: The user authorizing access.
  • Authorization Server: Salesforce’s server that issues access tokens.
  • Resource Server: Salesforce’s server hosting the protected resources.
  • Access Token: Used by the client to access resources on behalf of the user.
  • Refresh Token: Used to obtain a new access token without re-authenticating the user.

Configuring OAuth in Salesforce

  1. Create a Connected App:
  • Go to Setup > App Manager > New Connected App.
  • Configure the connected app with the necessary OAuth settings, such as the callback URL and scopes.
  1. Define OAuth Scopes:
  • Select the appropriate OAuth scopes to define the permissions the app will request, such as full, api, refresh_token, etc.
  1. Configure Callback URL:
  • Specify the callback URL where Salesforce should redirect the user after authorization (for web server and user-agent flows).
  1. Client ID and Client Secret:
  • After creating the connected app, Salesforce provides a client ID and client secret, which are used in the OAuth flows.

Using OAuth Tokens

  • Access Token: Allows the application to make authenticated requests on behalf of the user.
  • Refresh Token: Can be used to obtain a new access token without requiring the user to re-authenticate.

Summary

Each OAuth flow in Salesforce is designed for specific types of applications and use cases, ensuring flexibility and security in authenticating and authorizing access to the Salesforce platform. Understanding these flows helps in choosing the appropriate method for integrating applications with Salesforce.

Scroll to Top