function readOnly(count){ }
Sign Up ›
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
Learn More

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
Justin Shankle 13Justin Shankle 13 

Is there a way to use access/refresh tokens indefinitely to replace username and password authentication?

Is there a way to replace the use of username and password authentication so that a third party can authenticate into salesforce with access/refresh tokens indefinitely after a one time authentication with username and password. Our company is a partner with salesforce and we receive many concerns with customers and third party integrations using username and password flows. We would like to be able to use access and refresh tokens instead. Currently, I can only find a way to get 1 refresh token per manual UI login with a webserver flow. We would like to be able to grant access with a 1 time login to obtain a curl code and use that to obtain a access token and refresh token and then get refresh tokens indefinitely. This is so that a third party integration doesn't have to worry about passwords expiring/changing on a designated integration user, interrupting the integration. We could set the password to never expire but, that loosens security by never changing passwords. Is there a way to accomplish this with web-server flow? Is there another way to use tokens to authenticate instead of username/passwords? The integration has to be code only with no UI so, authenticating via salesforceUI is not an option. Any Ideas or previous successes?
v varaprasadv varaprasad
Hi Justin,

Using client id and client secret you can generate the access token, without using username and password.
Please check below sample code : 

Prerequistes :
1.Clientid
2.client secret
3.Accesstoken URL.

  
String tokenBody = 'grant_type=client_credentials&client_id=sb-74feb489-460d-4f14-8cb1-c599140c7c4b!b2796|na-420adfc9-f96e-4090-a650-0386988b67e0!b1836&client_secret=SxfRjzX6VR84l12sY25r1fDQrbI=';
        
        
        Http http = new Http();
        HttpRequest tokenReq = new HttpRequest();
        tokenReq.setEndpoint('https://URL/oauth/token');        
        tokenReq.setMethod('POST');
        tokenReq.setBody(tokenBody);
        tokenReq.setTimeout(12000);
        tokenReq.setHeader('Content-Type','application/x-www-form-urlencoded');
              
        system.debug('### value of tokenReq:::::::'+tokenReq);
        HTTPResponse resp = http.send(tokenReq);
        system.debug('==resp.getStatusCode()=='+resp.getStatusCode());
        if(resp.getStatusCode() == 200 || resp.getStatusCode() == 201){
            system.debug('Token Response >>>>'+resp.getBody());
			}

you can execute the above code in the anonymous window and check in logs.

Hope this helps you!
If my answer helps resolve your query, please mark it as the 'Best Answer' & upvote it to benefit others.

Thanks
Varaprasad
@For  Support: varaprasad4sfdc@gmail.com






 
Matt ComerMatt Comer
Take a look at the JWT Bearer or SAML Assertion Bearer flows. These allow you to login as a user without needing their password once you have a) done the needed setup correctly, and b) the user has self-authorized (or the administrator has authorized) against your connected app.
Justin Shankle 13Justin Shankle 13
v varaprasad this is not working for me. I have tried many urls but I dont think "/oauth/token" is a valid url. Can you tell me what a url is supposed to look like for a trailhead sandbox (https://playful-badger-dev-ed.my.salesforce.com/)?
Justin Shankle 13Justin Shankle 13
Thanks Matt Comer,

How often does the user need to self-authorize? Is this a one time thing?