Hello everyone, in this post we will walk through the OAuth authorization flows available in Salesforce. OAuth 2.0 is a widely used authorization framework that allows third-party applications to access a user's data without being given the user's credentials. Salesforce, a leading CRM platform, implements OAuth 2.0 to enable secure, delegated access to its resources.
Also check this: How to Easily Bypass Salesforce Flows with Custom Permissions
What is OAuth 2.0?
OAuth 2.0 is an open standard for authorization that allows services and applications to share data across systems without sharing credentials. It decouples authentication from authorization, enabling third-party applications to access resources on behalf of a user. In the context of Salesforce, OAuth 2.0 is used to authorize external applications to access Salesforce APIs securely.
Generally, each flow consists of three main steps.
- To initiate an authorization flow, a connected app (created in Salesforce to represent the client application) requests access to a REST API resource on the client's behalf.
- In response, the authorization server grants an access token to the connected app.
- A resource server validates the access token and approves access to the protected REST API resource.
OAuth Flows
1. Authorization Code Flow
The Authorization Code Flow is ideal when you need to grant access to a web or mobile application. The client secret stays protected because the browser-facing front end only handles the redirect and the short-lived authorization code, while the back end performs the exchange of that code for tokens.
How it Works:
The user is redirected to the Salesforce authorization server, where they log in and authorize the application. Salesforce then redirects the user back to the application with an authorization code, and the application's back end exchanges this code for an access token.
For more info check this link: OAuth 2.0 Web Server Flow for Web App Integration
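The three steps above, written out as an added example (this is not code from the original post or from Salesforce). It builds the authorization URL the user is sent to, checks the `state` on the callback before accepting the code, and prepares the back-end token exchange; it also adds PKCE (RFC 7636) so the code alone is useless to anyone who intercepts it. The endpoint URLs, the consumer key and secret, and the redirect URI are placeholders; a real app substitutes its own My Domain and registered values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Endpoints on the standard login domain (assumed here; a real app should use its My Domain).
const (
	authorizeEndpoint = "https://login.salesforce.com/services/oauth2/authorize"
	tokenEndpoint     = "https://login.salesforce.com/services/oauth2/token"
)

// base64url without padding, the encoding RFC 7636 (PKCE) specifies.
var b64 = base64.RawURLEncoding

// randomToken returns n random bytes as base64url; used for both state and code_verifier.
func randomToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b64.EncodeToString(buf), nil
}

// pkceChallenge derives the S256 code_challenge: base64url(SHA-256(code_verifier)).
// Only the challenge travels through the browser; the verifier stays on the back end.
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// buildAuthorizeURL is step 1: the URL the user's browser is sent to.
func buildAuthorizeURL(clientID, redirectURI, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	return authorizeEndpoint + "?" + q.Encode()
}

// parseCallback is step 2: take the authorization code from the redirect back to the
// app, but only if the state matches the value stored for this browser session.
// That check is what stops a forged or replayed callback from injecting someone
// else's code. rawQuery is the query string of the callback URL.
func parseCallback(rawQuery, expectedState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned %q: %s", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: callback does not belong to this session")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

// buildTokenRequest is step 3: the form the back end POSTs to the token endpoint.
// This is the only request that carries the client secret and the code_verifier.
func buildTokenRequest(clientID, clientSecret, redirectURI, code, verifier string) url.Values {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("client_id", clientID)
	f.Set("client_secret", clientSecret)
	f.Set("redirect_uri", redirectURI)
	f.Set("code_verifier", verifier)
	return f
}

func main() {
	const redirectURI = "https://app.example/oauth/callback" // placeholder registered redirect URI
	verifier, err := randomToken(32) // 43 characters, within the 43..128 range RFC 7636 allows
	if err != nil {
		panic(err)
	}
	state, err := randomToken(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", buildAuthorizeURL("CONSUMER_KEY", redirectURI, state, pkceChallenge(verifier)))

	// Constructed callback: in practice this is the query string Salesforce redirects back with.
	code, err := parseCallback("code=constructedAuthCode&state="+url.QueryEscape(state), state)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("POST", tokenEndpoint)
	fmt.Println(buildTokenRequest("CONSUMER_KEY", "CONSUMER_SECRET", redirectURI, code, verifier).Encode())
}
```

The `state` and `code_verifier` must be stored server-side against the user's session between step 1 and step 3; if they live in a cookie or query parameter the attacker can supply, the checks buy nothing.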
2. Client Credentials Flow
The Client Credentials Flow is used when an external system needs to authenticate and interact with Salesforce on its own behalf, without user involvement.
How it Works:
The system sends its client credentials (client ID and secret) directly to Salesforce. Salesforce verifies these credentials and returns an access token. The system uses this token to access Salesforce resources.
For more info check this link: OAuth 2.0 Client Credentials Flow for Server-to-Server Integration
3. Username-Password Flow
The Username-Password Flow allows an application to log in on behalf of a user by sending that user's username and password directly.
Due to security concerns, this flow is not recommended for most scenarios.
How it Works:
The application sends the user’s username and password directly to Salesforce, along with the client ID and secret. Salesforce returns an access token that the application can use to access resources.
For more info check this link: OAuth 2.0 Username-Password Flow for Special Scenarios
4. JWT Bearer Token Flow
The JWT Bearer Token Flow is ideal for server-to-server integrations that authenticate with a JSON Web Token (JWT) instead of a user's credentials.
How it Works:
The system creates a JWT, signs it with its private key, and sends it to Salesforce. Salesforce validates the JWT and issues an access token. The system then uses this token to make API requests.
For more info check this link: OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
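An added example of the assertion this flow is built on (not code from the original post or from Salesforce). It builds the RS256-signed JWT with the claims Salesforce reads (`iss`, `sub`, `aud`, `exp`), prepares the token request, and also includes a `verifyAssertion` function that mirrors the checks the authorization server makes, so the failure modes (expired, wrong audience, tampered payload, wrong key) can be exercised locally. The RSA key is generated in memory for the example; a real integration uses the private key whose certificate was uploaded to the connected app. The consumer key and username are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const (
	jwtBearerGrant = "urn:ietf:params:oauth:grant-type:jwt-bearer"
	loginAudience  = "https://login.salesforce.com" // production orgs; sandboxes use test.salesforce.com
	assertionTTL   = 3 * time.Minute               // keep the assertion short-lived
)

var b64 = base64.RawURLEncoding // base64url without padding, as JWS requires

// claims are the four claims Salesforce's JWT bearer flow reads.
type claims struct {
	Iss string `json:"iss"` // connected app consumer key
	Sub string `json:"sub"` // Salesforce username the access token is issued for
	Aud string `json:"aud"` // the login URL the assertion is intended for
	Exp int64  `json:"exp"` // expiry as seconds since the epoch
}

// generateKey makes a throwaway key for the example; production code loads the
// private key matching the certificate registered on the connected app instead.
func generateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// buildAssertion creates the RS256-signed JWT the integration sends to Salesforce.
func buildAssertion(key *rsa.PrivateKey, consumerKey, username, audience string, now time.Time) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RS256"}`))
	payload, err := json.Marshal(claims{Iss: consumerKey, Sub: username, Aud: audience, Exp: now.Add(assertionTTL).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAssertion mirrors what the authorization server checks before issuing a token:
// signature against the registered public key, audience, and that exp has not passed.
// The algorithm is fixed to RS256 rather than read from the header, so a header
// claiming "none" or an HMAC algorithm cannot downgrade the check.
func verifyAssertion(pub *rsa.PublicKey, token, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the registered certificate")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

// tokenRequest is the form body POSTed to /services/oauth2/token.
func tokenRequest(assertion string) url.Values {
	f := url.Values{}
	f.Set("grant_type", jwtBearerGrant)
	f.Set("assertion", assertion)
	return f
}

func main() {
	key, err := generateKey()
	if err != nil {
		panic(err)
	}
	jwt, err := buildAssertion(key, "CONSUMER_KEY", "integration.user@example.com", loginAudience, time.Now())
	if err != nil {
		panic(err)
	}
	c, err := verifyAssertion(&key.PublicKey, jwt, loginAudience, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("assertion for %s valid until %s\n", c.Sub, time.Unix(c.Exp, 0).UTC())
	fmt.Println("POST /services/oauth2/token", tokenRequest(jwt).Encode())
}
```

Because no user is present and the only thing standing between the private key and an access token for `sub` is the connected app's user pre-authorization, the key deserves the same handling as a password: a secret store, a dedicated integration user, and rotation of the certificate on the connected app when it is replaced.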