bluecap
Custom Rest Service and Access to data via API
Hello,
I've created a custom REST webservice within Salesforce.com. This webservice will be consumed by users from a 3rd Party website that register on that site with their Salesforce.com credentials. I would like to allow users to consume my custom webservice but do not want to give them free rein of all data they own via the Salesforce.com APIs in the process. This is due to the sensitivity of some of the information that we do not want to provide via the custom web service. So I could use some advice on how best to accomplish this, here's what I have done so far:
1. I've created a Connected App that uses OAuth for authentication and allows the following scopes:
- Access your basic information (id, profile, email, address, phone)
- Perform requests on your behalf at any time (refresh_token, offline_access)
What steps do I need to perform to make sure the users only have access to the REST service and not all data?
Thank you for your help. All suggestions are appreciated!
I have created a Connected App so that the
There is another route you could take to expose a custom REST endpoint through a Force.com site that is publicly available. In this way you can circumvent OAuth and instead use parameters in the HTTP request as an authentication method as you'll probably want to have some sort of method to verify that the person requesting to read/write to the database should have access. The Force.com Site will have a ghost user profile generated where you can set specific CRUD access and FLS settings as well. Here is some more information:
https://developer.salesforce.com/blogs/developer-relations/2012/02/quick-tip-public-restful-web-services-on-force-com-sites.html
No, I haven't had a chance to play with that yet. Have you actually verified that the users are able to access their Salesforce data from the 3rd party service via the app? I believe if you haven't granted them 'full' or 'api' access within the OAuth settings then you should be okay. Also, be sure that when you test API access from the 3rd party site you aren't simultaneously logged into Salesforce directly.
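The scope check suggested in the reply above, as an added example that is not part of the original thread: it audits the `scope` value of an OAuth token response and flags the two scopes that reply names (`api`, `full`) plus anything outside the set listed in the question. The sample responses are constructed, and the space-separated `scope` field is an assumption about the token response format.

```python
import json

# Scopes the Connected App in the question is meant to grant.
EXPECTED_SCOPES = {"id", "refresh_token", "offline_access"}
# Scopes the reply above singles out as granting data access.
BROAD_SCOPES = {"api", "full"}

# Constructed sample token responses (placeholders, not real tokens).
SAMPLE_OK = '{"access_token": "PLACEHOLDER", "scope": "id refresh_token"}'
SAMPLE_BROAD = '{"access_token": "PLACEHOLDER", "scope": "id api refresh_token"}'
SAMPLE_NO_SCOPE = '{"access_token": "PLACEHOLDER"}'


def audit_token_response(raw):
    """Classify the scopes granted in an OAuth token response body."""
    body = json.loads(raw)
    scope_field = body.get("scope")
    if not isinstance(scope_field, str) or not scope_field.strip():
        # No scope information: the token cannot be shown to be narrow,
        # so fail closed instead of assuming it is fine.
        return {"ok": False, "granted": [], "broad": [], "unexpected": [],
                "reason": "no scope field in response"}
    granted = set(scope_field.split())
    broad = sorted(granted & BROAD_SCOPES)
    # Anything that is neither expected nor already flagged as broad.
    unexpected = sorted(granted - EXPECTED_SCOPES - BROAD_SCOPES)
    ok = not broad and not unexpected
    reason = ("only expected scopes granted" if ok
              else "scopes beyond the expected set")
    return {"ok": ok, "granted": sorted(granted), "broad": broad,
            "unexpected": unexpected, "reason": reason}


if __name__ == "__main__":
    for name, raw in [("ok", SAMPLE_OK), ("broad", SAMPLE_BROAD),
                      ("no-scope", SAMPLE_NO_SCOPE)]:
        print(name, audit_token_response(raw))
```

Run it against the token response the 3rd party site actually receives, in a session that is not also logged into Salesforce directly, as the reply advises.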