+ Start a Discussion

Login using salesforce SOAP Api VS OpenID Connect REST API

I need to use a Salesforce user (username and password) to get a token. This token should be validated by a 3rd party software and Salesforce userid should be extracted from it. I have already realized this stuff using OpenID connect, but I would avoid redirection back and forth typical of OIDC.

I have read that I could achieve this goal using SOAP API (in place of OIDC), and I have some related questions:
  1. Is this true? Can I authenticate a user with SOAP endpoint without any redirect?
  2. If 1. is true: what type of token did I get? Can I validate it against a known salesforce endpoint (e.g. with OIDC I have /id/keys API endpoint for key validation)
  3. If 1. is true: how long is this token valid? It is a sort of one time password or this token has a time to live like a common JWT?
  4. (aka 3 bis) Can I refresh this token?
  5. Are SOAP API actively supported by Salesforce or this API should be not implemented in favour of OIDC Rest API?
In a broader sense: What are pros and cons of both types of authentication?
Daniel BallingerDaniel Ballinger
You can use the SOAP Partner API login() method (https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_calls_login.htm) to authenticate a user without any redirection required. 

The LoginResult that comes back includes a Session ID and server URL. The session ID is interchangable with the access token you would get via the OAuth flows.

Making any subsequent API calls will validate it.

There are various things that come into play that control when a session id / access token gets invalidated - When do Sessions expire? (https://salesforce.stackexchange.com/q/11341/102)

You can't refresh this session id. Instead you need to call login again.

The SOAP APIs are actively supported by Salesforce and are updated with each seasonal release.
Right now, with Open ID Connect I have this scenario. 
  1. I get a token id (JWT)
  2. I use this taken to call external API (in this case AWS API Gateway) 
  3. I validate this token using Public Key (to be correct modulus and exponent exposed from login.salesforce.com/id/keys matching a given kid)
  4. if this token is valid I continue the flow
Could this session/access token realize the same flow?