Kelly Logan (Raptek)

OAuth 2.0 Web Server flow with Community Plus user

Hello all,

I have created web services to be consumed by an external site. The goal is to allow them to pull information to use with our shared customers, so the Web Server OAuth flow seems like a good fit because their site's program will be able to securely hold the customer secret. The web service is testing successfully through Workbench and cURL using a standard salesforce licensed user. I would like to have the external site use a Community Plus licensed user, to match other access we are providing (visualforce pages) with these licenses.

I am having trouble determining an easy way to test a Community Plus licensed user to determine the correct URL to use for the GET request and to confirm that this is a functional method.

So, Question One - Is it possible to use a Community Plus licensed user to consume an APEX web service to access custom objects that are accessible to that user through regular login? 

Question Two - Assuming the answer to question one is "yes", is there a cURL method to test Web Server flow so I can confirm functionality before the external developers have to start coding?

Question Three - Again, assuming this is a functional method, how do I determine the URL to use for the GET request? The Chatter API seems to be the closest doc to check and that only seems to have info on using REST API to access Community specific resources. I've tried inserting "/connect/communities/internal" but that just returns page not found.

For example, this curl command with a salesforce licensed user:
curl -v https://test.salesforce.com/services/oauth2/token -d "grant_type=password" -d "client_id=3MVxxxxxxxxxxxxxxxxxxxxxxxxtQde" -d "client_secret=67xxxxxxxx56" -d "username=klxxx@test.sandbox" -d "password=pxxxxxxd" -H 'X-PrettyPrint:1'
And then use the returned auth token in a get request and the web service runs, returning the desired data:
curl -X GET https://cs95.salesforce.com/services/apexrest/Scholars/v0.1/ -H "Authorization: OAuth 00Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3QR" -H "X-PrettyPrint:1"
But if I try the same format with the Community licensed user, I get the error "invalid_grant"; I'm assuming this is because the community system doesn't allow the user/password flow to be used. So how do I switch to Web Server, or can I with just cURL?
curl -v https://test.salesforce.com/services/oauth2/token -d "grant_type=password" -d "client_id=3MVxxxxxxxxxxxxxxxxxxxxxQde" -d "client_secret=67xxxxxxxxxx56" -d "username=dxxxx@test.sandbox" -d "password=Wxxxxx1" -H 'X-PrettyPrint:1'

All pertinent advice and help appreciated - thank you!
Best Answer chosen by Kelly Logan (Raptek)
Kelly Logan (Raptek)
Here's what I've found for Answers:
  1. Yes, it is possible. The profile of the Community licensed user needs to have the System Permission "API Enabled" checked, and I have also added to the Apex Class Access list the classes used for the web services, as well as adding the Connected App to the profile's Assigned Connected Apps list (so that I can have the Connected App set to auto-authenticate). Note that for this usage (web service only access) I also set the "API only" System Permission and removed all of the others.
  2. cURL doesn't seem as easy for testing Web Server flow as using the axiom heroku app for OAuth 2.0 (https://axiomsso.herokuapp.com/OAuth2WebFlowTester.action), since a redirect or callback URL is required and by using the heroku app a stable one is provided automatically that can be set in the Connected App.
  3. The URL to use is the base Community URL, with none of the extra bits that the Chatter API and other docs reference. You also do not have to create a custom login as some posts indicate.
So that's what we used for an OAuth 2.0 Web Server flow. I'm still considering using a JWT flow as this seems to offer the option of having the login confirmed upfront so that the servers can communicate without human intervention.
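The Web Server flow from answers 2 and 3, driven from a shell with curl, as an added example that is not code from the thread: the browser-side authorization step is separated from the server-side code exchange, and a random state value lets the callback reject redirects it did not initiate. The Community base URL, client id/secret and callback URL are placeholder assumptions; the Apex REST path is the one from the question.

```shell
#!/bin/sh
# Added example (not from the thread): OAuth 2.0 Web Server flow against a
# Salesforce Community, using only curl. Base URL, client id/secret and
# callback URL are assumed placeholders supplied by the caller.

# Step 1: the authorization URL the browser is sent to. The user signs in as
# the Community Plus user and Salesforce redirects to the callback with
# ?code=...&state=... appended. The base URL is the plain Community URL.
authorize_url() { # $1 base URL, $2 client id, $3 URL-encoded callback, $4 state
  printf '%s/services/oauth2/authorize?response_type=code&client_id=%s&redirect_uri=%s&state=%s' \
    "$1" "$2" "$3" "$4"
}

# Step 2: pull one query parameter (code or state) out of the redirect URL
# the callback received. The value is returned still URL-encoded.
param_from_redirect() { # $1 redirect URL, $2 parameter name
  printf '%s' "$1" | sed -n "s/.*[?&]$2=\([^&#]*\).*/\1/p"
}

# Step 3: server side only, so the client secret never reaches the browser.
# The code is forwarded exactly as received: curl -d does not re-encode it,
# and the token endpoint's form decoding restores the original value.
exchange_code() { # $1 base URL, $2 client id, $3 secret, $4 callback, $5 code
  curl -s "$1/services/oauth2/token" \
    -d grant_type=authorization_code \
    -d "client_id=$2" --data-urlencode "client_secret=$3" \
    --data-urlencode "redirect_uri=$4" -d "code=$5"
}

# Step 4: call the Apex REST service with the access_token from step 3
# (Salesforce accepts "Bearer" as well as the "OAuth" scheme used above).
call_service() { # $1 base URL, $2 access token
  curl -s "$1/services/apexrest/Scholars/v0.1/" -H "Authorization: Bearer $2"
}

# Usage sketch with placeholders (uncomment to run against a real org):
# BASE=https://mycommunity.example.force.com   # assumed Community base URL
# STATE=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
# echo "Open in a browser: $(authorize_url "$BASE" "$CLIENT_ID" "$CALLBACK_ENC" "$STATE")"
# read -r REDIRECT   # paste the full URL the callback received
# [ "$(param_from_redirect "$REDIRECT" state)" = "$STATE" ] || { echo "state mismatch"; exit 1; }
# exchange_code "$BASE" "$CLIENT_ID" "$CLIENT_SECRET" "$CALLBACK" "$(param_from_redirect "$REDIRECT" code)"
```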

All Answers

Kelly Logan (Raptek)
Hurm. I thought the Heroku OpenID Connect (https://openidconnect.herokuapp.com/) app would be the answer to testing, particularly as I would like to use the OpenID functionality to add some extra security. Maybe this isn't functional any more? Anyone used it lately? 

I added the OpenID and basic info scopes to the Connected App and gave it time to refresh. Then I started up the Heroku OpenID Connect app used in the Demystifying OAuth and Connected Apps (https://www.youtube.com/watch?v=dNB_FRw7mEs&t=456s) video and tried it out. First, when I tried using the Community licensed user, it wouldn't even let me log in for authorization, it just rejected the user/pw as if it was incorrect, but when I logged in to the same test.salesforce.com domain in another browser window with the same user/pw, it logged in fine. So I tried my admin id instead just to see if it worked. I got the authorization dialog, approved and proceeded to the next step, fetching the OpenID info. This failed also, with the error:
HTTP/1.1 400 Bad Request
Date: Thu, 09 Nov 2017 17:11:41 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests
Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
Set-Cookie: BrowserId=TIDFCYKUSNaDdO7U5WsSog;Path=/;Domain=.salesforce.com;Expires=Mon, 08-Jan-2018 17:11:41 GMT;Max-Age=5184000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: BrowserId=TBzQlo2zSLuA0OPN4TS5lA;Path=/;Domain=.salesforce.com;Expires=Mon, 08-Jan-2018 17:11:41 GMT;Max-Age=5184000
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked

{
     "error": "invalid_client",
     "error_description": "invalid client credentials"
}

In Salesforce, Connected Apps OAuth Usage, I see the auth connect, but usage is zero. Any ideas? Anyone?
Kelly Logan (Raptek)
Perhaps it took longer than ten minutes for the Connected App to post because it's in a sandbox or some random bandwidth issue. For whatever reason, I am able to do a full OpenID test with my admin id, including taking the Authorization returned and using it in a GET call to my custom web service successfully.

So that is working, but still when I try to log in with the Community licensed user id, it just acts like the user/pw is incorrect. No other error, it just won't let me login. I'm wondering now if a JWT flow might be a better fit.
niagara dev
Hi Kelly, 

I tried the same, but I am getting:

Error validation tokens
angular-oauth2-oidc.umd.js:1537 Wrong issuer: https://adfasdf-niagara.cs87.force.com/