Implement Username-Password flow (less secure)
- Step 1: Review security settings in your org
- Step 2: Create a connected app in Salesforce
- Step 3: Take note of the app’s Consumer Key and Consumer Secret
- Step 4: Get an access token from Salesforce
To start working with Financials via the Force.com REST API, you need to configure an authentication flow in your Salesforce organization. The authentication flow we’re going to set up in this topic is called OAuth 2.0 Username-Password Authentication Flow. It isn’t the most secure one, but it’s the fastest to implement for demo purposes.
In a production environment we recommend that you implement a more secure authentication flow called OAuth 2.0 User-Agent.
For information about all authentication flows you can use with the Force.com REST API, see Understanding Authentication in the Force.com REST API Developer Guide.
Step 1: Review security settings in your org
Log on to your Salesforce org as an administrator and review the following settings:
- Setup > Security > Session Settings
- Setup > Security > Network Access
You may need to change certain settings such as trusted and restricted IP ranges to enable access to the org from your IP address. For details, see:
Step 2: Create a connected app in Salesforce
- Go to Setup > Apps > App Manager.
- Click New Connected App in the top right, and create a new app.
  Configure the following options and keep the default values for other options:
  - Connected App Name. Enter any descriptive name.
  - API Name. Enter any descriptive name.
  - Enable OAuth Settings. Select this check box.
  - Callback URL. Enter an HTTPS callback URL. Ensure that the URL doesn’t redirect to another website. If you’re automatically redirected from this URL to somewhere else, you won’t be able to configure the user-agent flow.
  - Selected OAuth Scopes. Add the required scopes. For the sake of demonstration, we’ll add Full access (full) and Perform requests on your behalf at any time (refresh_token, offline_access).
- Click Save.
Example connected app:
Step 3: Take note of the app’s Consumer Key and Consumer Secret
Once your app is created, take note of the Consumer Key and Consumer Secret of your app – you’ll need them later:
- Go to Setup > Apps > App Manager, locate your app, click the down arrow in the rightmost column, and select View.
The Consumer Key and Consumer Secret look similar to the following:
Step 4: Get an access token from Salesforce
To try out the steps in this section, install Postman and open the Postman collection we have prepared for you:
Download Postman Open Postman Collection
In the collection, open one of the following requests and replace variables with actual values:
- Get an access token from Salesforce - production
- Get an access token from Salesforce - sandbox/scratch org
WARNING: Before making any changes to your production organization in Salesforce, test them in a sandbox or scratch org first. For more information, see Develop with Sandbox and Quick Start: Using a Sandbox and Change Sets in the Salesforce Development Lifecycle Guide.
- Configure your application to send one of the following POST requests:
  - To get an access token for a sandbox or scratch org:
    POST https://test.salesforce.com/services/oauth2/token
  - To get an access token for a production org:
    POST https://login.salesforce.com/services/oauth2/token
- Configure the request headers to include the following key-value pair:

  | Key | Value |
  | --- | --- |
  | Content-Type | application/x-www-form-urlencoded |

- Configure the request body to include the following key-value pairs:

  | Key | Value |
  | --- | --- |
  | grant_type | password |
  | client_id | {consumer key you copied in Step 2: Take note of your app’s key and secret} |
  | client_secret | {consumer secret you copied in Step 2: Take note of your app’s key and secret} |
  | username | {your Salesforce user name} |
  | password | {your Salesforce password} |

- Send your request.
- In the response body, locate and copy the values of the access_token and instance_url parameters. The parameter values look similar to the following:
  "access_token": "00D0N000000h6Yq!AR0AQH8Q246.FAmlewZKdJYJ_O3y1ziq62BbR5Gj0yk9yznYqT.YDjz.rZzTZ0d8aLB9WR2EGz6.myY_Z.smrDiERcF7iKP0",
  "instance_url": "https://my-domain-1234.cs89.my.salesforce.com"
Append the access_token value to all subsequent HTTP requests your application sends to Financials via the Salesforce REST API. If your token expires, get a new access token by repeating Step 3: Get an access token from Salesforce.
Use the instance_url value to compose the URLs for sending HTTP requests to Financials deployed in your Salesforce domain. For example:
GET https://my-domain-1234.cs89.my.salesforce.com/services/data/v44.0/queryAll?q=SELECT Id, Name FROM s2cor__Sage_COR_Company__c
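The Step 4 exchange as an added Python example (not part of the original guide or the Postman collection): it builds the form-encoded token request, parses the response, and composes the follow-up query with the SOQL string URL-encoded. Assumptions: the `SF_*` environment variable names are hypothetical, the token is attached as an `Authorization: Bearer` header, and all sample values are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URLS = {  # endpoints from Step 4
    "production": "https://login.salesforce.com/services/oauth2/token",
    "sandbox": "https://test.salesforce.com/services/oauth2/token",
}
FIELDS = ("client_id", "client_secret", "username", "password")

def creds_from_env():
    """Read secrets from SF_* environment variables (hypothetical names)."""
    return {k: os.environ.get("SF_" + k.upper(), "") for k in FIELDS}

def build_token_request(org_type, creds):
    """Build the Step 4 POST with a form-encoded body."""
    form = {"grant_type": "password"}
    for key in FIELDS:
        if not creds.get(key):
            raise ValueError("missing credential: " + key)
        form[key] = creds[key]
    # urlencode escapes &, =, + and spaces that may occur in a password
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        TOKEN_URLS[org_type], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw):
    """Return (access_token, instance_url); reject a non-HTTPS instance_url."""
    doc = json.loads(raw)
    token, instance = doc["access_token"], doc["instance_url"]
    if urllib.parse.urlsplit(instance).scheme != "https":
        raise ValueError("instance_url is not HTTPS; not sending the token there")
    return token, instance

def build_query_request(instance_url, token, soql):
    """Compose the queryAll GET; the token goes in the Authorization header."""
    query = urllib.parse.urlencode({"q": soql})
    url = instance_url.rstrip("/") + "/services/data/v44.0/queryAll?" + query
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token})

if __name__ == "__main__":
    # Offline demo, constructed values. Live: pass creds_from_env() and send
    # each request with urllib.request.urlopen(req, timeout=30).
    req = build_token_request("sandbox", dict.fromkeys(FIELDS, "constructed"))
    token, instance = parse_token_response(
        b'{"access_token": "TOKEN", "instance_url": "https://example.my.salesforce.com"}')
    print(req.full_url)
    print(build_query_request(instance, token, "SELECT Id FROM Account").full_url)
```

Keeping the consumer secret and password in environment variables or a secrets store, rather than in source or a shared collection file, limits where these long-lived credentials end up.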