
What is the best way to get a Session ID or OAuth access token without having to use a password in Apex code, in custom settings, or in Named Credentials?

Will one of the OAuth flows work in this case? (Obviously the username-password flow cannot be considered, since it involves passing the password as part of the URL.)

Here's the use case I am trying to achieve:

  • I am trying to call the Metadata API of Salesforce using the Metadata API wrapper available on GitHub. Using this, I am trying to find out metrics like the number of custom fields, number of test classes, number of classes, etc.
  • This process should run in a scheduled batch Apex job. In order to call the Metadata API, I need to pass the session ID. I used UserInfo.GetSessionID in my batch Apex class, but that doesn't work as per my research, and I also tried it.
  • The other option is to call the login service to get the session ID or access token, which I can further use to make subsequent calls to the Metadata API. All the research I did points mostly to articles where the REST API is called to get an access token by using connected app credentials, but all of these involve passing the password as an attribute to get the access token.
  • So I figure OAuth is the better way to go, and I am basically trying to find out the best way (OAuth flow) to get an access token without needing to use a Salesforce user's password. And any helpful articles for the same to build this.
Cloud Man
  • This question sounds awfully like an x-y problem. Could you please [edit] your question, state what you're trying to do, and why the solutions you've already rejected are not viable? With a larger picture, we can give you a better answer. – sfdcfox Jul 05 '16 at 23:51
  • @sfdcfox Just added now. – Cloud Man Jul 06 '16 at 00:03

1 Answer


1. OAuth 2.0 Flow

To authenticate, you also have the option to show the Salesforce login screen for user authentication.

There will be just a bit of modification in the HTTP callouts.

When you request an access token using the URL 'https://login.salesforce.com/oauth_callback?code=<value-you-got-in-prev-callout>&state=<whatever_you_sent_in_step_2>', do not make an HTTP callout; instead, redirect the user to that URL. After successfully logging in, you will get an access token and a refresh token that you can use further.

Reference : https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com

2. OAuth 2.0 Refresh Token Flow

If you are using a Scheduler/Batch class, then the best way would be to authenticate the org before starting the job and then store the refresh token in a custom setting. Then in each batch execution you can use the refresh token to get a valid access token. This is a much better way than storing the username and password.

If you really don't want to use a custom setting to store the refresh token, it could be passed in as a parameter.

OAuth 2.0 Refresh Token Flow

3. Using Session Id

Check this old question; she is also trying to authenticate from a Scheduler: How to get UserInfo.getSessionId() in Scheduler/Batch

Ishwar Mete
  • But I want to get this access token in a batch Apex job. So no user interaction can be involved. – Cloud Man Jul 06 '16 at 00:18
  • @SF Ninja, check point 2 in the answer. – Ishwar Mete Jul 06 '16 at 00:26
  • Thanks for updating the answer. I had seen that post before, but I thought the drawback is that it is governed by the session timeout value. So if the session timeout is set to 30 min and the job is scheduled to run at an interval greater than 30 min (in my case 1 week), then it won't work. But let me double check, since it is not obvious in that post. – Cloud Man Jul 06 '16 at 00:35
  • @SFNinja refresh tokens last indefinitely. Access tokens are the one with limited duration. Your batch would start by requesting a new access token, then doing all the callouts you want. – sfdcfox Jul 06 '16 at 01:32
  • @sfdcfox - doesn't a request for a new access token always require a user login? I thought a batch could only request a new refresh token since no user interaction is needed for that. – David Cheng Jul 11 '16 at 19:09
  • @DavidCheng No, refresh tokens always require a browser interaction (and therefore, user interaction). Access tokens can be obtained from a refresh token, which is how programs like Salesforce1 and Chatter maintain perpetual access to a user's account, even after the user closes the app, even if they don't come back to it for a few days. – sfdcfox Jul 11 '16 at 19:18
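
The refresh-token exchange from point 2 of the answer, as an added example that is not part of the original answer or comments. The custom setting `OAuth_Settings__c` and its fields are hypothetical names for wherever the connected app's client ID, client secret and refresh token are stored, and the login host is assumed to be registered as a Remote Site Setting.

```apex
// Added example: exchange a stored refresh token for a fresh access token
// at the start of each batch run. No user password is stored or sent.
public class RefreshTokenClient {
    public class TokenException extends Exception {}

    public static String getAccessToken() {
        // Hypothetical hierarchy custom setting holding the connected app
        // credentials and the refresh token obtained during the one-time
        // interactive authorization. The refresh token is a long-lived
        // credential, so restrict who can read this setting.
        OAuth_Settings__c cfg = OAuth_Settings__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Refresh_Token__c)) {
            throw new TokenException('No refresh token stored; authorize the org first.');
        }

        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://login.salesforce.com/services/oauth2/token');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        // Credentials travel in the POST body, not in the URL.
        req.setBody(
            'grant_type=refresh_token' +
            '&client_id=' + EncodingUtil.urlEncode(cfg.Client_Id__c, 'UTF-8') +
            '&client_secret=' + EncodingUtil.urlEncode(cfg.Client_Secret__c, 'UTF-8') +
            '&refresh_token=' + EncodingUtil.urlEncode(cfg.Refresh_Token__c, 'UTF-8'));

        HttpResponse res = new Http().send(req);
        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());

        if (res.getStatusCode() != 200) {
            // For example invalid_grant when the refresh token was revoked.
            // Surface only the error code, never the request body or secrets.
            throw new TokenException('Token refresh failed: ' + body.get('error'));
        }
        return (String) body.get('access_token');
    }
}
```

The batch class calling `getAccessToken()` must implement `Database.AllowsCallouts`, and the returned token is passed wherever the Metadata API wrapper expects the session ID.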