2

One of ways to get an access_token to use with SFDC Rest Api is to use the Username and password flow, where you use both of these to get an access_token.

Its documented here: https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Obtaining_a_Token_in_an_Autonomous_Client_.28Username_and_Password_Flow.29

In what scenario would we use this. I mean asking the user of password is odd.

Obaid
  • 131
  • 1
  • 5
  • 1
    How else do you expect to log a user in to another secure site without their credentials if you don't already have them? – crmprogdev Apr 01 '16 at 12:46
  • 1
    @crmprogdev there are other OAuth flows such as the Web server flow & the user agent flow that do not explicitly require username & password. I just wanted to know the scenario when the username & password flow would be used which sfdcfox answered below. – Obaid Apr 02 '16 at 11:19

1 Answers1

6

The username-password flow is only intended for development. It is insecure and should never be used for a production application. As this help topic helpfully warns:

This OAuth authentication flow involves passing the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token will be issued.

Note that you do not get a refresh token, meaning once your current access tokens expire, you have to ask the user for their credentials again, or store the credentials locally, which is definitely not a good idea in case the storage is compromised.

If you want apps that can persist a session beyond a short time window, and you want to mitigate the damage that can be caused if the device is compromised or stolen, use another flow, such as the client flow or web server flow.

Using this flow during development means you don't have to engineer an entire OAuth2 flow, which can involve setting up a WebView or other browser container; this flow can allow you to log in using just a few lines of code, which is perfect for development purposes.

If you use the username-password flow, that means a compromised device means the user has to reset their password and potentially update that change in numerous places, while a compromised device using the client flow can simply be deactivated with no further interruption to the user's other sessions.

sfdcfox
  • 489,769
  • 21
  • 458
  • 806
  • 1
    So, if I want my WordPress site to be able to push info to Salesforce (without asking for a login, because the visitor of my site won't know it), I need to build a Force.com site and use the APEX Rest service? – Matthew Aug 12 '17 at 07:57
  • @Matthew not necessarily. You could write a module to use OAuth; the user you log in as would act as a proxy for the WP site. Or you might use an Inbound Email Handler, and send emails to Salesforce. There's a number of possible options that might work for you. It really depends on what data you want, and how you want to do it. – sfdcfox Aug 12 '17 at 11:48
  • Hey, could you expand on the OAuth module approach? Can you point me in the direction of documentation or a tutorial? Thank you for all your help; I really appreciate it! – Matthew Aug 14 '17 at 06:18
  • @sfdcfox I was thinking exactly the same as Matthew, if you want a public form/push information into salesforce, and the people who are submitting this form doesnt have any salesforce credentials, or if they do but you want to bypass the auth login screen? will this be (user-pass flow) the only option? with the other flows it seems that all of them requires to submit credentials – manza Jan 30 '20 at 04:29
  • @manza The username-password flow also requires submitting credentials--insecurely at that. It is the least secure way to login to Salesforce. If you need "anonymous" access, use Site.com, or a Community, or an Inbound Email Handler, or one of the many AppExchange apps that can build forms and handle the security for you. There's many alternatives available, but the Username-Password Flow is specifically meant for developers to test an app, and nothing else. – sfdcfox Jan 30 '20 at 05:17
  • @sfdcfox probably i shouldt have used the example of a form, in my particular case I have a webservcie which i have enable thourgh a site, however, I notice that using Datacloud.FindDuplicatesResult[] doesnt work with the new security upgrade coming in spring 20, so sometimes it is not about a form but a way to receive straight information, I am guessing in this case JWT flow is the only way, but i have not found a good example of this set up from start to end – manza Jan 30 '20 at 05:55