
#OAuth 2.0 discussions

We are attempting to connect one Salesforce org to multiple others (Production / Sandbox) using a web server login flow from a managed package. Our approach involves storing the 'refresh_token' and 'access_token' in either custom settings or custom metadata. Is this method optimal, or could it potentially pose security risks? Is there any other way to store tokens in Salesforce?

 

If the above ways are wrong, please suggest any alternate ways to connect multiple Salesforce orgs from a managed package. #Salesforce Developer #OAuth 2.0  #Integration #Security #Named Credentials

2 answers

As per the new OAuth 2.0 Hybrid App flow, Salesforce returns the necessary cookie names, session IDs, and domain details in the response, so that when the app opens the web view it can directly use the session ID set in the cookies and be granted access to the Salesforce pages inside the app.

 

Reference :

https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_hybrid_app_flow_cookies.htm&type=5

 

However, I was wondering whether we can set cookies on domains other than the "current" native app domain, given the security implications?

 

#OAuth 2.0 #Hybrid #Identity & Access Management


We are sending each user through the per-user Named Credentials OAuth flow programmatically on first login. Can we intercept this flow and send some additional params here?

We are using a custom Auth Plugin class, and in this URL navigation the authentication against the per-user principal is happening without issue, but in the next API calls we are getting a 403 from our backend, as this API call is happening with the access token of the OAuth user flow; hence apogee is not allowing it to go through.

The expectation is that either we should send a few other params to the OAuth user flow so the user gets the correct access token to use in the next actual call,

Or, in the next API call, on a 403 we should force the access token to expire in Apex.

Is this possible?

Any help would be greatly appreciated.

#OAuth 2.0 #OAuth2 #Oauth Scopes #Web Server OAuth #Oauth Webserver

Hi Architects,

I am trying to implement the OAuth 2.0 Asset Token Flow using Postman, but I cannot understand how I can actually use the asset token to create/update records in Salesforce. Here is what I did:

 

  1. Got an access token using the Web Server Flow (Postman).
  2. Created an unsigned JWT for the actor token.
  3. Exchanged the actor token and access token for an asset token (Postman).
    1. In this step I was also able to create a new asset (which actually registers an asset, per the documentation).
  4. But I cannot access any API using this asset token.

How do I use the asset token? Any code sample or use cases will be appreciated.

#Identity & Access Management #OAuth 2.0

Thanks in advance

Prosenjit Sarkar

3 answers
  1. Aug 7, 2023, 8:54 AM

    Hi @Prosenjit Sarkar - Asset tokens in Salesforce are not designed for API calls. Instead, the backend service validates the asset token's legitimacy to determine if the device is authorized for the specific action. When it comes to API calls, particularly for CRUD operations, using bearer tokens is the recommended approach.

     

    https://help.salesforce.com/s/articleView?language=en_US&id=sf.remoteaccess_asset_token_using_validating.htm&type=5


In both the Authorization Code and Credentials Flow for Customers and Partners and the OAuth 2.0 Username-Password Flow, the user's Salesforce username and password are exchanged by the third-party app with the Salesforce authorization server to obtain the access token.

In fact, the Auth Code and Cred Flow passes the user's username and password over a browser call to obtain the auth code, whereas in the Username-Password flow there is the possibility to do this exchange from the third-party app's backend server to obtain the access token.

 

a. If the above is true, then is the "Authorization Code and Credentials Flow for Customers and Partners" more, less, or equally secure compared to the "OAuth 2.0 Username-Password Flow"?

 

b. If more, then how?

 

c. If less or the same, then what should be the most secure way to implement "headless login" for a third-party app (client) with Salesforce (the resource server)?

 

#OAuth 2.0 #Headless Commerce #Community Cloud

@Gianluca Calcagni @Kannan Narayanan #Ladies Be Architect 

1 answer
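Added example (the editor's illustration, not code from the post, from any answer, or from Salesforce): the form body each of the two flows sends to the token endpoint, side by side, plus the PKCE check the authorization server performs when the code is exchanged. The token endpoint URL, client identifiers, credentials and the sample code are placeholders, and the Authorization Code variant shown is the standard RFC 7636 (PKCE) form rather than the Salesforce-specific code-and-credentials variant the post names; the point of the comparison is which credentials the client ends up holding and transmitting.

```python
"""Compare what the client must hold for the password grant versus the
authorization-code grant, and how PKCE binds the code exchange.

Added example; all identifiers below are placeholders (assumptions)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumption: production login host; a sandbox would use test.salesforce.com.
TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token"


def username_password_token_request(client_id, client_secret, username,
                                    password, security_token=""):
    """Username-Password flow: the app itself stores and transmits the user's
    password (with the security token appended when the caller's IP is not
    trusted). Anyone who can read the app's config or its request logs gets a
    credential that works everywhere, not just at this endpoint."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }


def pkce_pair(verifier=None):
    """RFC 7636: a random code_verifier and its S256 code_challenge.
    The challenge goes on the authorize URL; the verifier stays with the client
    until the token request."""
    if verifier is None:
        # 32 random bytes -> 43 base64url characters, within the 43..128 bound.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def auth_code_token_request(client_id, code, redirect_uri, code_verifier):
    """Authorization Code flow: the password was typed into the authorization
    server's own login page. The app only ever holds a short-lived, single-use
    code that is bound to this redirect_uri and to the PKCE verifier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def server_pkce_check(stored_challenge, presented_verifier):
    """What the authorization server does with code_verifier: recompute the
    challenge it saw on the authorize request and compare in constant time.
    A stolen code is useless without the verifier that never left the client."""
    _, recomputed = pkce_pair(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


def credentials_exposed_to_client(form):
    """Which of the user's own login credentials appear in a token request."""
    return sorted(k for k in ("username", "password") if k in form)


def encode_form(form):
    """Body bytes as sent with Content-Type: application/x-www-form-urlencoded."""
    return urlencode(form)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    pw = username_password_token_request("3MVG9_client", "secret", "u@example.com", "Pa55", "TOK")
    ac = auth_code_token_request("3MVG9_client", "aPrx.sample.code", "https://localhost:8080/callback", verifier)
    print("password grant exposes:", credentials_exposed_to_client(pw))
    print("auth code grant exposes:", credentials_exposed_to_client(ac))
    print("server accepts verifier:", server_pkce_check(challenge, verifier))
```

The contrast is the one the post is asking about: with the password grant the client keeps a reusable password, so its storage and logging are in scope for every credential-theft threat; with the code grant the client keeps a refresh token scoped to that connected app, which can be revoked without changing the user's password. Where a flow still collects the password in the app but only uses it to obtain a code, as the post describes for the code-and-credentials variant, the app should hold the password in memory for that one request and persist only the resulting refresh token.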

Greetings! I am seeking some suggestions on my next steps for creating a REST API endpoint for our Salesforce instance. I have developed an Apex class to receive JSON that will have an id and value sent by a vendor to update a record.

 

Here is my understanding of my next steps:

  • Set up the Apex code as a service that can be accessed through a URL.
    • Question: I found a reference that mentioned using the Developer Console for this but I am not sure if that is correct. Is it?
  • Create a connected app that will permit the vendor to update the record with their request.
    • Question: Is the required callback URL the URL that references the Apex code that I developed? I suspect not, but I am not sure.

Any suggestions would be greatly appreciated. Thank you in advance!   #Apex #REST API #OAuth 2.0


I'm trying to create a connector to extract information out of Quip and am trying to authenticate to Quip using OAuth2; unfortunately it throws the following error:

{"error":"application_error","error_code":400,"error_description":"Invalid client_id"}

I'm pretty sure the client_id and the client_secret are correct. Are there any pointers as to why this error is thrown while trying to generate an access token from Quip?

#Quip #OAuth 2.0

4 answers

Hi community! I'm pretty new to API integrations and am running into a bit of an issue. I am trying to integrate a third-party tool with a simple API request that will pull a small amount of data from a single record. Seemingly pretty easy stuff. I am using Postman to manage the request. The issue I have run into is that when I make the initial request to get the authorization code, providing the client ID in the request, it is returning a login page rather than an auth code. I have seen examples where the request is written as I have done, and others where a username and password are included in all of the requests. Are the username and password necessary? Is there something that I am missing? Thanks in advance for any advice you can provide!

 

#API  #REST API  #OAuth 2.0  #Connected Apps Help  #Integration

3 answers
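Added example (the editor's, not code from the post or from any of its answers): the two halves of the Web Server (authorization code) flow that a single Postman call runs together. The authorize URL is meant to be opened in a browser, which is why Postman gets the login page back as the response; the authorization code only ever arrives as a query parameter on the redirect to the callback URL, after the user has signed in on Salesforce's page, and it is that redirect the app has to catch and validate. The login host, client ID, callback URL and the sample callback URLs are placeholders; the PKCE parameters that would normally also be carried on the authorize URL are left out here.

```python
"""Build the browser-side authorize URL and validate the redirect that carries
the authorization code back. Added example; identifiers are placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: production login host; a sandbox would use test.salesforce.com.
AUTHORIZE_ENDPOINT = "https://login.salesforce.com/services/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, scope="api refresh_token", state=None):
    """Step 1: open this in a browser (or a web view), not in Postman.
    Salesforce renders its login page there; the client never sees the password.
    `state` is an unguessable per-request value the client remembers."""
    state = state or secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state, expected_redirect_uri):
    """Step 2: after login, Salesforce redirects the browser to
    redirect_uri?code=...&state=... (or ?error=...). The code lives in that
    redirect, never in the body of the authorize response. Returns the code
    or raises ValueError for anything that must not be exchanged."""
    parts = urlsplit(callback_url)
    landed_on = parts._replace(query="", fragment="").geturl()
    if landed_on != expected_redirect_uri:
        raise ValueError(f"callback arrived at an unexpected URL: {landed_on}")

    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this redirect was not started by
    # our session (login CSRF / code injection), so discard it.
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")

    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]}: {description}")

    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    url, state = build_authorize_url("3MVG9_client", "https://localhost:8080/callback")
    print("open in browser:", url)
    # Constructed sample of what the browser lands on after login:
    sample = f"https://localhost:8080/callback?code=aPrxOk4Ma1X%3D%3D&state={state}"
    print("code to exchange at the token endpoint:", parse_callback(
        sample, state, "https://localhost:8080/callback"))
```

The code returned by `parse_callback` is what goes into the `grant_type=authorization_code` request to `/services/oauth2/token`, together with the same `redirect_uri`; that second request is the one that fits Postman, the first does not.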

Hi

 

I'd like to make a React JS App with Node JS, hosted on Heroku.

 

How is it possible to have the OAuth process done without first creating a connected app in Salesforce manually?

Is there a way to have this done automatically while initially authenticating?

 

Basically I'm looking for a way to do this:

 

1. Have a login screen on the app.

2. Upon clicking LOGIN, have the app redirected to Salesforce, asking for access.

3. The app then automatically shows up under OAuth usage.

4. The web app can now communicate via API with SF.

 

#Integration


 

Are there any manuals / instructions / step-by-step guides how to do this?

 

Thanks so much, Pascal

2 answers

I created and configured a Connected App in order to set up the authorization in my project.  I am redirecting the user to the web page https://companyname.my.salesforce.com/services/oauth2/authorize

 


 

#Connected Apps Help  #OAuth 2.0  #Authentication

Is it possible to enable user registration on this page?

1 answer