Menu
Events

Username and password flow
Username and password flow

Username-Password Flow

Allows the client to authenticate using the user’s username and password and a protected secret. Use the username-password authentication flow to authenticate when the consumer already has the user’s credentials. Avoid using this flow because you have to send a username and password unencrypted to Salesforce.

Table of contents

Additional requirements

  • The client must securely manage client secret AND plain text passwords
  • Transmission channel and auth. server request handling must not expose the password.

What else to know

  • High-security risk:
    • Simple text passwords exposed to multiple systems & channels
  • No opportunity for multi-factor authentication
  • Prior user approval not checked (unlike JWT / SAML assertion bearer flows)
  • Current IETF recommendation – do not use this flow

OAuth 2.0 Username and Password Flow

  • Use the user name-password authentication flow to authenticate when the consumer already has the user’s credentials.
  • Avoid using this flow because you have to send user-name and password unencrypted to Salesforce.
  • Use this flow only when there is no way to connect by using other available flows.
  • Salesforce communities don’t support the OAuth 2.0 user-name-password authentication flow.
  • In this flow, an external app or client sends client_id,client_secret, user name, and password in the POST request.
  • The security token must be added to the end of the password to log in to Salesforce from an un-trusted network. Concatenate the password and token when passing the authentication request.
  • No refresh token is issued.

Recording

Considerations for Choosing username-password flow

  • High risk of password exposure
  • No authorization, so:
    • There is no mechanism to track users who have authorized / not authorized
    • No opportunity to include multi-factor authentication
  • Consider only when:
    • Entities are part of the same system (not relevant to Salesforce) OR
    • As a last resort when no other OAuth flow is possible, and there is complete trust between systems and transport mechanisms.

Tags
Share your love
Amit Chaudhary
Amit Chaudhary

Amit Chaudhary is Salesforce Application & System Architect and working on Salesforce Platform since 2010. He is Salesforce MVP since 2017 and have 17 Salesforce Certificates.

He is a active blogger and founder of Apex Hours.

Articles: 483

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *