The authentication flow we’re going to set up in this topic is what Salesforce calls the OAuth 2.0 Web Server Flow: the browser returns a short-lived authorisation code (response_type=code), which the client then exchanges at the token endpoint, together with the connected app’s Consumer Secret, for an access token and a refresh token. (Salesforce’s User-Agent Flow is a different flow: it uses response_type=token, returns the access token directly in the redirect and never involves the Consumer Secret.) For information about all authentication flows you can use with the Force.com REST API, see Understanding Authentication in the Force.com REST API Developer Guide.


Step 1: Review security settings in your org

Log on to your Salesforce org as an administrator and review the following settings:

You may need to change certain settings, such as trusted and restricted IP ranges, to enable access to the org from your IP address. Widen them only as far as you need (for example, add your own egress address) rather than removing the restriction altogether. For details, see:


Step 2: Create a connected app in Salesforce

  1. Go to Setup > Apps > App Manager.
  2. Click New Connected App in the top right, and create a new app.
    Configure the following options and keep the default values for other options:
    • Connected App Name. Enter any descriptive name.

    • API Name. Enter any descriptive name.

    • Enable OAuth Settings. Select this check box.

    • Callback URL. Enter an HTTPS callback URL. Ensure that the URL doesn’t redirect to another website: Salesforce appends the authorisation code to this URL as a query parameter, and in Step 4 you will copy it straight from the browser’s address bar. If you’re automatically redirected from this URL to somewhere else, the code is lost and you won’t be able to complete the flow. The value you enter here must exactly match the redirect_uri you send in Steps 4 and 5.

    • Selected OAuth Scopes. Add the required scopes. For the sake of demonstration, we’ll add Full access (full) and Perform requests on your behalf at any time (refresh_token, offline_access). Note that full lets the token do everything the logged-in user can do; for a real integration, request only the scopes the client actually needs.

  3. Click Save.

Example connected app:


Step 3: Take note of the app’s Consumer Key and Consumer Secret

Once your app is created, take note of the Consumer Key and Consumer Secret of your app – you’ll need them later. The Consumer Key is public (it appears in the browser URL in Step 4), but the Consumer Secret is a credential: keep it out of shared Postman collections and source control, and never send it to a browser.

The Consumer Key and Consumer Secret look similar to the following:


Step 4: Get an authorisation code for your app

  1. In Postman, create the following GET request:

    • Request URL for a production org:
       https://login.salesforce.com/services/oauth2/authorize?response_type=code&display=popup&client_id={{ConnApp_ConsumerKey}}&redirect_uri={{ConnApp_CallbackURL}}
      
    • Request URL for a sandbox or scratch org:
       https://test.salesforce.com/services/oauth2/authorize?response_type=code&display=popup&client_id={{ConnApp_ConsumerKey}}&redirect_uri={{ConnApp_CallbackURL}}
      

    Replace the {{ConnApp_ConsumerKey}} and {{ConnApp_CallbackURL}} variables with the actual Consumer Key and Callback URL of your connected app. The Callback URL is a query-string value, so it should be percent-encoded (https://example.com/callback becomes https%3A%2F%2Fexample.com%2Fcallback), for example:

  2. Click the down arrow beside Send and select Send and Download. (Postman cannot complete the interactive login itself; downloading the response lets you finish it in a browser. Pasting the request URL straight into the browser’s address bar works just as well.)

  3. When prompted, save the response.html file.

  4. Open the downloaded response.html file in a web browser.

  5. When prompted, enter your Salesforce user name and password and allow access for your connected app.

  6. When your callback URL opens in a web browser, copy the URL part after code=, for example:

    The value is percent-encoded in the query string, so decode it: replace %3D%3D at the end of the URL with ==, like so:

    aPrxYkXCmZcIH2yGSGKaIgsLoebmwZ9u_Z0aaBghAfvmAW.tNIMi5XYXhyc.Yo.tEHZhxaP56w==

    This is the authorisation code for your connected app. It is single-use and short-lived (Salesforce expires it after 15 minutes), so move on to the next step straight away. On its own the code is useless without the Consumer Secret, but treat the callback URL (browser history, proxy logs) as sensitive anyway. Now you can use the code to obtain an access token and a refresh token.


Step 5: Obtain an access token and a refresh token

  1. In Postman, create a POST request to the token endpoint, with a form-encoded body (Content-Type: application/x-www-form-urlencoded) that carries grant_type=authorization_code together with the client_id, client_secret, redirect_uri and code parameters:

    • Request URL for a production org:
       https://login.salesforce.com/services/oauth2/token
      
    • Request URL for a sandbox or scratch org:
       https://test.salesforce.com/services/oauth2/token
      

    Replace the following variables in the body with actual values:

    • client_id: {{ConnApp_ConsumerKey}}. Consumer Key of your connected app.

    • code: {{ConnApp_Code}}. Authorisation code obtained in Step 4 (the decoded value ending in ==).

    • client_secret: {{ConnApp_ConsumerSecret}}. Consumer Secret of your connected app.

    • redirect_uri: {{ConnApp_CallbackURL}}. Callback URL of your connected app. It must match the value used in Step 4 exactly, or the exchange is rejected.

  2. Send the HTTP request.

The response will contain the access token you can use to authenticate against Salesforce (send it as Authorization: Bearer …) and the refresh token with which you can obtain a new access token when it expires (POST grant_type=refresh_token with client_id, client_secret and refresh_token to the same token endpoint). Both are credentials: the refresh token in particular typically stays valid until it is revoked, its lifetime being governed by the connected app’s refresh token policy, so store it as a secret rather than leaving it in a Postman environment. The signature field is a Base64-encoded HMAC-SHA256 over id + issued_at keyed with the Consumer Secret, which lets a client check that the id URL has not been altered in transit:

{
    "access_token": "00D1t000000sRge!AQMAQFozbRR3ra2rtig1gZlD1WSePg25A_LhkgwzRTsM2O0Agb7e27VPU3y5Q",
    "refresh_token": "5Aep8610F.RUa2F48DCqTqE1S9v7wOrQW3Wou4vmWb.ywpHmWTH.AFPx1eAb6KYb6f3i_xe5Nvib",
    "signature": "iKdKwElLoRuMVvi9O2TxALFSMZwSQa07vYebeu+9R2c=",
    "scope": "refresh_token full",
    "id_token": "eyJraWQiOiIyMTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiYkNmMjgtbk1LMmNrS3hfLTdWdXFEdyIsInN1YiI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vaWQvMDBEMXQwMDAwMDBzUmdlRUFFLzAwNTF0MDAwMDAxd1A4YkFBRSIsImF1ZCI6IjNNVkc5ZlRMbUo2MHBKNUx0OVguY004NDB6TGZJS05lcG1iaU02WGluQVUzTzRLLmtQWGd0VG54RGRCTUNxS0xjQ3NRS1J2bzQxeDZ2NmZjMVlxbG4iLCJpc3MiOiJodHRwczovL2xvZ2luLnNhbGVzZm9yY2UuY29tIiwiZXhwIjoxNTQ3MTMwMTg4LCJpYXQiOjE1NDcxMzAwNjh9.YeOwaTnIdWZWeE3_JyJSMik5TWXf7IdndAp24jJev_mANcAf088qh_C44Wc0kK3ua86CvHUGtsfkVP3IcebyPU1sqHjgNPXLvgXRfCt-Al70ip5s30kcJZ_myAl6Ki7FCJr1CEn5UwUvicCrO25STJU4zJIcGRBSw-qkarmRihQ1CV9N1GMGdnVXCSudXYV5N1J9MM",
    "instance_url": "https://mydomain.salesforce.com",
    "id": "https://login.salesforce.com/id/000000000000/pfoaifobAAE",
    "token_type": "Bearer",
    "issued_at": "1547130068621"
}
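Steps 4 and 5 scripted end to end, as an added example that is not part of the original tutorial. It builds the Step 4 URL with correct percent-encoding, decodes the authorisation code from the callback URL (the %3D%3D to == substitution is done by parse_qs), builds the Step 5 token request, and checks the signature field of the token response against the Consumer Secret using the HMAC-SHA256 construction Salesforce documents for it. The PKCE verifier/challenge pair goes beyond the page’s steps: that the org accepts code_challenge on the authorize endpoint and code_verifier on the token endpoint is an assumption, and both parameters can be dropped to get exactly the flow described above. The host constants, the callback URL https://example.com/callback and the placeholder key and secret are illustrative values, not the page’s.

```python
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

PROD_HOST = "https://login.salesforce.com"     # production orgs
SANDBOX_HOST = "https://test.salesforce.com"   # sandbox / scratch orgs


def make_pkce_pair():
    """PKCE (S256) verifier/challenge pair.  Assumption: the org accepts
    code_challenge / code_verifier; if not, pass None and the flow is the
    plain one from the page."""
    verifier = secrets.token_urlsafe(64)                     # 86 url-safe chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(host, client_id, redirect_uri, code_challenge=None):
    """Step 4.1: urlencode() percent-encodes every value, so a redirect_uri
    containing ':', '/' or '?' reaches Salesforce intact."""
    params = {
        "response_type": "code",
        "display": "popup",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
    return host + "/services/oauth2/authorize?" + urllib.parse.urlencode(params)


def extract_code(callback_url):
    """Step 4.6: parse_qs() decodes the value, so %3D%3D comes back as '=='.
    A denied consent arrives as error=/error_description= instead of code=."""
    values = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in values:
        detail = values.get("error_description", [""])[0]
        raise RuntimeError(f"authorisation failed: {values['error'][0]} {detail}".strip())
    return values["code"][0]


def build_token_request(host, client_id, client_secret, redirect_uri, code,
                        code_verifier=None):
    """Step 5: token endpoint plus the form body for the authorization_code grant."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,     # must equal the value used in Step 4
        "code": code,
    }
    if code_verifier:
        body["code_verifier"] = code_verifier
    return host + "/services/oauth2/token", body


def post_form(url, body):
    """Send a token request and return the parsed JSON (needs network access)."""
    data = urllib.parse.urlencode(body).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def sign_identity(identity_url, issued_at, client_secret):
    """Base64(HMAC-SHA256(client_secret, id + issued_at)): the construction
    Salesforce documents for the response's `signature` field."""
    msg = (identity_url + issued_at).encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(token_response, client_secret):
    """True if the id / issued_at pair was signed with our Consumer Secret."""
    expected = sign_identity(token_response["id"], token_response["issued_at"],
                             client_secret)
    return hmac.compare_digest(expected, token_response["signature"])


if __name__ == "__main__":
    # Interactive use: open the printed URL, log in, paste the callback URL back.
    CLIENT_ID, CLIENT_SECRET = "<ConnApp_ConsumerKey>", "<ConnApp_ConsumerSecret>"
    REDIRECT = "https://example.com/callback"   # your connected app's Callback URL
    verifier, challenge = make_pkce_pair()
    print("Open:", build_authorize_url(PROD_HOST, CLIENT_ID, REDIRECT, challenge))
    code = extract_code(input("Paste the callback URL: ").strip())
    tokens = post_form(*build_token_request(PROD_HOST, CLIENT_ID, CLIENT_SECRET,
                                            REDIRECT, code, verifier))
    print("signature ok:", verify_signature(tokens, CLIENT_SECRET))
    print("instance:", tokens["instance_url"], "scope:", tokens["scope"])
```

Only post_form touches the network; everything else, including the signature check, runs offline, which is how you would unit-test a client against a captured token response such as the one above. The signature check is keyed with the Consumer Secret, so it belongs on the server side of your integration, never in a browser or mobile client.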