Get to Know Headless Identity Features
Learning Objectives
After completing this unit, you’ll be able to:
- List headless identity features and when to use them.
- Explain how headless identity flows work.
- Identify the common pattern of the Authorization Code and Credentials Flow in headless login, registration, passwordless login, and guest user flows.
How Can Headless Identity Accomplish My Company’s Business Needs?
You’re up to speed on the fundamental concepts of headless identity. Now you want to catch up on the business side of things. To determine whether headless identity is a good fit, you take a look at NTO’s needs and whether you can accomplish them with headless identity.
I want to build… |
How can I use headless identity to build it? |
|---|---|
A login experience that doesn't require customers to be redirected to Salesforce |
Use the Authorization Code and Credentials Flow to implement a username-password login experience. Use the Headless Passwordless Login Flow to enable users to log in with just an email address or phone number. |
A way for customers to self-register for my off-platform app |
Use the Headless Registration Flow to call Headless Registration API. |
An account recovery system for users who forget their passwords |
Use the Headless Forgot Password Flow to build a password reset process. |
A way for users to log in to my off-platform app using a social provider |
Build a native SSO experience by linking an SSO flow to a standard OAuth flow. |
For each of your goals, headless identity has an answer. With authorization flows for login, registration, forgotten password, passwordless login, and SSO, you can build an end-to-end implementation that does everything a traditional implementation can do.
Let’s explore these features.
Headless Login
With headless login, your users log in with a username and password. Your app exchanges the user’s credentials for an authorization code. At the end of the flow, they get an access token that can be used to access Salesforce APIs. So with this flow, not only can users log in, they can also access data stored in Salesforce.
For example, on NTO’s ecommerce app, users can click a button to see their order history. They must be logged in to see this information. With the Authorization Code and Credentials Flow, you can build a headless login process that kicks off when the user clicks View Order History. At the end of the flow, they’re logged in—but more importantly, they can instantly access the information they wanted to see.
To configure this feature, you use the simplest variation of the Authorization Code and Credentials Flow. This diagram shows you the steps with a public client.
Headless Registration
When new users visit your website, you want it to be easy to sign up. Accomplish that goal with the Headless Registration Flow.
By adding a few steps to the Authorization Code and Credentials Flow, this flow combines user registration, email or SMS verification, and initial sign-in into a single process. The registration extension to the flow includes a call to Headless Registration API. It handles creating users, submitting data, and verifying identity with email or SMS. In return, the user receives a one-time password (OTP) which they use to log in, and your app receives a request identifier.
Your app exchanges these credentials—the request ID and OTP—for an authorization code. At this point, the login portion of the flow behaves like a simple Authorization Code and Credentials Flow.
To see how it works, check out this diagram for public clients.
Headless Passwordless Login
While logging in with a username and password is great, logging in with only an email address or phone number is even better. That’s what the Headless Passwordless Login Flow is for. This flow takes the user’s email address or phone number and links it to the associated username. It submits the username to Headless Passwordless Login API. In return, the user receives an OTP, which they use to log in, and the app receives a request ID. At this point, the request ID and OTP are used as credentials to be exchanged for an authorization code, and the rest of the flow proceeds like a standard Authorization Code and Credentials Flow.
To see how the flow works in depth, check out this diagram for a public client.
Comparing Variations of the Authorization Code and Credentials Flow
Before we move on to headless password reset and SSO—which follow their own special patterns—here’s how headless login, registration, and passwordless login stack up against each other.
Headless feature |
What does it do? |
What credentials does your app exchange for an authorization code? |
Which endpoints does your app call? |
|---|---|---|---|
Login |
Logs in the user with a username and password. |
Username and password |
Authorization: Token: |
Registration |
Collects data about a new user. Verifies ownership of the new user's email or SMS phone number. Creates the user. Logs them in. |
Request ID and OTP |
Headless Registration API: Authorization: Token: |
Passwordless login |
Takes an email address or phone number and finds the associated username. Sends an OTP to the end user via email or SMS. Uses the OTP to authenticate the user. |
Request ID and OTP |
Headless Passwordless Login API: Authorization: Token: |
Headless Forgot Password Flow
If users are able to log in to your website, they also need a way to reset forgotten passwords. The Headless Forgot Password Flow resolves this common situation. This flow isn’t an authorization flow, but an account recovery flow. The flow works by sending the username to Headless Forgot Password API, which responds with an OTP sent to the user’s verification method. When the user verifies their identity, they set a new password with a second call to Headless Forgot Password API.
Here’s a diagram showing these steps. This diagram works for public and private clients.
SSO in a Headless App
To create a single sign-on (SSO) experience that feels native to your app, you can chain an SSO flow, like a SAML flow, to a standard OAuth flow, like the user-agent flow. Unlike the other flows, this flow is not headless. It relies on a traditional OAuth redirect.
In this flow, when the user logs in, the browser redirects to Salesforce and checks for an SSO provider that matches an sso-provider parameter included in your authorization request. The user is then redirected to the specific SSO provider for sign-in.
For example, if you configure Google as an authentication provider for your Experience Cloud site, you can direct the user to sign in with Google directly by setting Google as the value for the sso-provider parameter. After the user authenticates with Google, the browser redirects back to Salesforce. Salesforce finishes logging in the user, and creates and updates their data in Salesforce before the browser is fully redirected to your app. At the end of the flow, the user is logged in to your app using Google.
Even though the flow bounces to your Experience Cloud login page to check for the SSO provider, you can configure it so that the user never sees the login page, providing the exact same experience and benefits as a headless flow. To the user, it feels like your app went straight from your app, to Google, back to your app.
This diagram shows you how this process works at a high level.
With these headless identity features, you can build a full implementation for your off-platform app. In the next unit, we explore how to further your implementation with guest user identity.
Resources
- Salesforce Help: Headless Identity APIs for Customers and Partners
- Salesforce Help: OAuth Authorization Flows
- Implementation Guide: Headless Identity Implementation Guide