We’ll look at several core OAuth flows relevant to Salesforce.
| User interaction | No user interaction |
|---|---|
| Authorisation Code + Secret (Web Server) | JWT Bearer |
| Implicit Grant (User-Agent) | |
| Authorization Code + PKCE | |
Intended audience: Architects, developers, security professionals and identity buffs.
For each flow we’ll cover:
- Sequence of steps
- Interesting characteristics
- Implementation considerations and trade-offs

Baseline assumptions for all flows:
- Secure HTTP channel for at least some of the communication
- Auth server provides a client app for inbound integration
- Auth server client app configured with a whitelist of acceptable redirect_uris (exact match, no pattern matching)
- Client aware of the client_id from the auth server’s client app
- Resources at the client redirect_uris protect against XSS
- For mobile apps: the app uses the native device browser for authentication
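Two of the assumptions above are checks an authorisation server actually performs: exact-match validation of the redirect_uri against the registered whitelist, and (for the PKCE flow, which has no client secret) verification of the code_verifier at the token endpoint. The following is an added illustration, not code from the original post or from Salesforce; the client app record, its client_id and redirect_uris are constructed sample values, and the authorize/token functions are a simplified model of the two endpoints, not a real server.

```python
import base64
import hashlib
import secrets

# Constructed sample client app as the auth server would store it.
# The client_id is a placeholder, not a real connected-app key.
CLIENT_APP = {
    "client_id": "PLACEHOLDER_CLIENT_ID",
    "redirect_uris": [
        "https://app.example.com/oauth/callback",
        "com.example.mobile://oauth/callback",
    ],
}


def redirect_uri_allowed(client_app, redirect_uri):
    """Exact string match against the whitelist: no wildcards, no prefix
    or host-only matching, no URL normalisation before comparing."""
    return redirect_uri in client_app["redirect_uris"]


def naive_prefix_match(client_app, redirect_uri):
    """The pattern-matching shortcut the assumptions rule out, shown only
    for contrast: it accepts URIs that were never registered."""
    return any(redirect_uri.startswith(u) for u in client_app["redirect_uris"])


def b64url(data):
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: a high-entropy code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))          # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def pkce_verifier_matches(code_verifier, code_challenge):
    """Auth server side: recompute S256 and compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    return secrets.compare_digest(expected, code_challenge)


def authorize(client_app, client_id, redirect_uri, code_challenge, issued):
    """Authorization endpoint: validate client_id and redirect_uri, then bind
    the issued code to both the redirect_uri and the code_challenge."""
    if client_id != client_app["client_id"]:
        return None
    if not redirect_uri_allowed(client_app, redirect_uri):
        return None
    code = secrets.token_urlsafe(24)
    issued[code] = {"redirect_uri": redirect_uri, "code_challenge": code_challenge}
    return code


def token(client_app, client_id, code, redirect_uri, code_verifier, issued):
    """Token endpoint for the PKCE flow: the code is single use, the
    redirect_uri must equal the one bound at authorize time, and the
    code_verifier must hash to the bound code_challenge."""
    record = issued.pop(code, None)
    if record is None or client_id != client_app["client_id"]:
        return None
    if record["redirect_uri"] != redirect_uri:
        return None
    if not pkce_verifier_matches(code_verifier, record["code_challenge"]):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_demo():
    """Exercise the happy path and the three failure modes the checks exist for."""
    cid = CLIENT_APP["client_id"]
    uri = CLIENT_APP["redirect_uris"][0]
    results = {}

    issued = {}
    verifier, challenge = make_pkce_pair()
    code = authorize(CLIENT_APP, cid, uri, challenge, issued)
    results["happy_path"] = token(CLIENT_APP, cid, code, uri, verifier, issued) is not None
    results["code_reuse"] = token(CLIENT_APP, cid, code, uri, verifier, issued) is not None

    issued = {}
    verifier, challenge = make_pkce_pair()
    code = authorize(CLIENT_APP, cid, uri, challenge, issued)
    results["wrong_verifier"] = token(CLIENT_APP, cid, code, uri, verifier + "x", issued) is not None

    results["unregistered_redirect"] = authorize(
        CLIENT_APP, cid, uri + "/extra", challenge, {}) is not None
    return results


if __name__ == "__main__":
    print(run_demo())
```

The contrast between `redirect_uri_allowed` and `naive_prefix_match` is the whole point of the "no pattern matching" assumption: a URI such as the registered callback with an extra path segment passes the prefix check but is not a registered destination. Binding the code to the redirect_uri and consuming it on first use are the other two checks the token endpoint relies on when there is no client secret.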
| # | Context | Authorisation Code + Secret (Web Server) | Implicit Grant (User-Agent) | Authorisation Code + PKCE |
|---|---|---|---|---|
| 1 | Enterprise app with secure server component authenticating to Salesforce | Good choice | Suboptimal | Suboptimal |
| 2 | Partner app with trusted server authenticating to Salesforce | Good choice | Suboptimal | Suboptimal |
| 3 | App built with Salesforce Mobile SDK | Bad choice | Good choice* | Suboptimal |
| 4 | Custom mobile app, Single Page Application (SPA) or desktop app authenticating to Salesforce (no client server) | Bad choice | Suboptimal | Good choice |
| 5 | Salesforce authenticating to an auth server | Good choice | Suboptimal | Suboptimal |

*Assuming default Mobile SDK methods are used
| # | Context | JWT Bearer | SAML Bearer | Username-Password |
|---|---|---|---|---|
| 1 | Salesforce -> Auth. Server integration | Good choice | Suboptimal | Suboptimal |
| 2 | Client Server -> Salesforce integration where the client can easily construct a JSON web token | Good choice | Suboptimal | Suboptimal |
| 3 | Client Server -> Salesforce integration where the client can easily construct and encode an XML format SAML assertion | Suboptimal | Good choice | Suboptimal |
Amit Chaudhary is a Salesforce Application & System Architect and has been working on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and holds 17 Salesforce certifications.
He is an active blogger and the founder of Apex Hours.