Use OAuth 2.0 Tokens to login to Salesforce.com


Solution 1

When you request an OAuth token, you can specify what scope it has; options include api only (the original type of tokens), or other options which include the ability to use the token with the UI pages (see the scope parameter detail in the help). One of the still missing pieces is a way to bootstrap the UI with that token when all you can do is tell a browser/webview to go to a URL, but a widely used (but unsupported) way is via frontdoor.jsp, e.g. you'd open https://{instance}/secur/frontdoor.jsp?sid={the_Access_token}&retURL={optional_relative_url_to_open}. Remember to URLEncode the 2 values.
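
The URL construction described in Solution 1, as an added example (not the answerer's code and not Salesforce's): a Python helper that percent-encodes both values and accepts only a relative retURL. The function names, the salesforce.com host allowlist and the sample token are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Assumption: the app only ever talks to hosts under salesforce.com.
ALLOWED_HOST = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.salesforce\.com")


def is_relative_path(ret_url: str) -> bool:
    """True only for a same-site path such as /001xx000003DGb2."""
    if not ret_url.startswith("/") or ret_url.startswith("//"):
        return False  # "//host/..." is scheme-relative and leaves the site
    if "\\" in ret_url or any(ord(c) < 0x20 for c in ret_url):
        return False  # browsers may normalise "\" to "/"
    parts = urlsplit(ret_url)
    return parts.scheme == "" and parts.netloc == ""


def build_frontdoor_url(instance_host, access_token, ret_url=None):
    host = instance_host.strip().lower()
    if not ALLOWED_HOST.fullmatch(host):
        raise ValueError("instance host is not under salesforce.com")
    if not access_token:
        raise ValueError("access token is empty")
    # safe="" so that "!", "/", "+" and "=" in the token are all escaped.
    url = f"https://{host}/secur/frontdoor.jsp?sid={quote(access_token, safe='')}"
    if ret_url is not None:
        if not is_relative_path(ret_url):
            raise ValueError("retURL must be a relative path")
        url += "&retURL=" + quote(ret_url, safe="")
    return url


def redact_sid(url: str) -> str:
    """Mask the token before the URL is written to a log."""
    return re.sub(r"(?<=[?&]sid=)[^&#]*", "REDACTED", url)


if __name__ == "__main__":
    # Constructed sample token and record id, not real values.
    demo = build_frontdoor_url("ns8.salesforce.com", "00Dxx!AQ.constructed+/=",
                               "/001xx000003DGb2")
    print(redact_sid(demo))
```

The full URL carries a live session credential, so pass it straight to the web view and log only the redacted form.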

Solution 2

So I think you are saying your application uses the SFDC username and password to just authenticate to retrieve a record from SFDC to display in your app?

If this is correct - which I think it is - then you could just use the standard Salesforce Single Sign On system to authenticate. There is a guide here which outlines the process of setting up a SAML SSO system with Pat Patterson writing an interesting feature on how the security system works here. He has also written a great blog post on DeveloperForce here about the nitty details of OAuth in general for Force.com and not just the SAML setup. I have used the OAuth system in an iPad app against SFDC and it works quickly and easily. I can't see why your system should be unable to use the protocol as you desire.

Author by

Chris Wagner


Updated on June 04, 2022

Comments

  • Chris Wagner
    Chris Wagner over 1 year

    Currently we are not using OAuth with our apps but we are working on making the shift, we have direct login and capture the user/pass that was entered and store those. We then turn around and use the stored credentials for a feature that allows the user to open a record within Salesforce.com, we pass the user/pass in to the login endpoint along with a starting URL to the specific record, this works great and is a well liked feature as it is a simple SSO from the App to Salesforce.com where the user can see all data that may not be visible within the app.

    Moving to OAuth 2.0 and using the standard webflow, we no longer can capture the user/pass, which is actually a good thing as far as security is concerned. We would however like to keep this functionality, is there any way of SSO'ing into Salesforce.com by passing along one of the OAuth tokens or some kind of session id?

    After reading more and thinking about what OAuth accomplishes I feel like this probably isn't possible being that the tokens obtained are meant to be used only with the API and not with the front end system. I hope that I am wrong though and there is a way to login to the front end using these tokens.

    EDIT

    Ok I am editing to hopefully make this more clear. Currently users authenticate using the login() API method with their user/pass, we store this user/pass locally (not ideal). We then sync a subset of data that the users can access anytime within the app, being that it is a subset, we have a feature to "SSO" to the Salesforce.com front-end. This simply opens Salesforce.com in a web-view (UIWebView) using the URL https://ns8.salesforce.com/?pw=PASSWORD&[email protected]&startURL=/recordId. This will log us in to Salesforce.com and open the specified record.

    Moving forward we want to use OAuth 2.0 with the web flow so that we aren't handling the user/pass and so that we do not have to deal with Security Tokens or opening specific IP ranges to allow login without a Security Token.

    With that said, is there any way to use the tokens/credentials received from the OAuth authentication to open Salesforce.com, automatically log the user in, and go to a specific record?

    I may have misused "single sign on" before, but in a sense, this simulates an SSO from our App to Salesforce.com, in that our users can touch a single button within the app and be logged in to the Salesforce.com web interface.

  • Chris Wagner
    Chris Wagner almost 12 years
    Edited my answer to clear things up, I have not gone through all the SAML/SSO docs you posted yet. As you sound familiar with them, please let me know if one of those approaches will solve this problem. Thanks.
  • Chris Wagner
    Chris Wagner almost 12 years
    This is exactly what I was looking for, thanks! I am going to test it out and accept the answer if it works out.
  • pbattisson
    pbattisson almost 12 years
    superfell's answer is more specific with mine a general guide to the possible OAuth approaches on FDC. They will be useful to you as you go further down the path I imagine, but glad you got a solution.
  • Krishna
    Krishna almost 12 years
    Thanks. This answer worked for us too. You mention that this is unsupported. Is there any other way that is officially supported by Salesforce?
  • superfell
    superfell almost 12 years
    No, there's no supported equivalent of frontdoor.jsp yet.
  • Guy Clairbois
    Guy Clairbois about 10 years
    Winter 14 will offer supported frontdoor.jsp: help.salesforce.com/help/doc/en/…
  • apadana
    apadana over 8 years
    frontdoor.jsp is supported as of Win 2014 for those who are reading this post now: help.salesforce.com/apex/…