Salesforce OAuth Flows
Notes on the several different OAuth-based flows for authenticating to Salesforce APIs
Web-Server Flow
Use Cases
- Used by web server applications that need to interact with SFDC APIs on behalf of a specific user
- The Client Secret is stored in server-side code, so it can be used safely without fear of exposure through a browser or mobile application
Flow
- Basically the exact flow listed in the OAuth page’s Flow section
User-Agent Flow
Use Cases
- You have a client-side / mobile application with no way to protect a Client Secret (e.g., no server that will actually execute the OAuth handshake)
Username-Password Flow
Use Cases
- Used by applications that must work without any user interaction to actively grant authorization
- NOT SECURE: the user's username and password must be included directly in the request for an Access Token
- Should only be used for scripts or POV, not for production-ready applications
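The three flows above differ mainly in where the Client Secret and the user's password travel. The following example, added here and not part of the original notes, builds (but does not send) the requests for the Web-Server, User-Agent and Username-Password flows so the exposure of each can be compared. The endpoints are Salesforce's public login endpoints; the client id, secret, username, password, security token and redirect URI are constructed placeholder values, and the web-server flow is shown with PKCE and a state check, which is the form a server-side client should use.

```python
"""Added example: construct Salesforce OAuth token requests for three flows
and show which credentials each one carries. Nothing is sent over the network."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Public Salesforce login endpoints (production org; sandboxes use test.salesforce.com).
LOGIN_HOST = "https://login.salesforce.com"
AUTHORIZE_URL = f"{LOGIN_HOST}/services/oauth2/authorize"
TOKEN_URL = f"{LOGIN_HOST}/services/oauth2/token"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def web_server_authorize_url(client_id, redirect_uri, state, code_challenge):
    """Web-Server flow, step 1: the browser is sent here. No secret is involved."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,                     # bound to the user's session, checked on callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def web_server_token_request(callback_url, expected_state, client_id, client_secret,
                             redirect_uri, code_verifier):
    """Web-Server flow, step 2: the server receives the callback, verifies state, and
    exchanges the code. The Client Secret appears only in this server-to-server request."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    body = {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return TOKEN_URL, body


def user_agent_authorize_url(client_id, redirect_uri, state):
    """User-Agent flow: response_type=token, no Client Secret anywhere. The access
    token is returned in the URL fragment, so the browser itself handles it."""
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def user_agent_token_from_callback(callback_url):
    """Parse the access token Salesforce places in the fragment of the redirect."""
    fragment = parse_qs(urlparse(callback_url).fragment)
    return fragment["access_token"][0]


def username_password_token_request(client_id, client_secret, username, password, security_token):
    """Username-Password flow: the user's password (with the security token appended,
    as Salesforce requires) travels in the token request alongside the Client Secret."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }
    return TOKEN_URL, body


def credentials_in_request(body):
    """Which long-lived secrets does a token request body carry?"""
    return sorted(k for k in ("client_secret", "password") if k in body)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(web_server_authorize_url("CONSUMER_KEY", "https://app.example/cb", "s1", challenge))
    _, ws_body = web_server_token_request("https://app.example/cb?code=abc&state=s1", "s1",
                                          "CONSUMER_KEY", "CONSUMER_SECRET",
                                          "https://app.example/cb", verifier)
    _, up_body = username_password_token_request("CONSUMER_KEY", "CONSUMER_SECRET",
                                                 "user@example.invalid", "Passw0rd", "SECTOKEN")
    print("web-server request carries:", credentials_in_request(ws_body))
    print("username-password request carries:", credentials_in_request(up_body))
```

Comparing the two bodies makes the note above concrete: the web-server exchange sends only the Client Secret, and only from the server, while the password grant sends the user's password and security token as well, which is why it belongs in scripts and proofs of value rather than production applications.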
SAML Bearer Assertion Flow
Use Cases
- A digitally signed SAML 2.0 assertion can be exchanged for an OAuth access token
- Why would I use this over another flow…?
JWT Bearer Token Flow
See Salesforce Auth JWT Bearer Flow for more information.