The steps for Web Server flow, Username-Password Flow, and User-Agent Flow are different, so which occasions are these three used in and how do I select any particular method for different applications. My guess is standalone applications suit Web Server Flow, browser or mobile applications suit for User-Agent Flow and Username-Password flow is used for testing purposes. Is that correct? Any different views?
Asked
Active
Viewed 1.0k times
1 Answers
45
- Web server flow (In OAuth spec terms, Authorization Code Grant) tends to be used for web applications where server-side code needs to interact with Force.com APIs on the user's behalf, for example DocuSign:
Tokens are sent directly from the Authorization Server to the OAuth Client app, providing a high level of security.
- User-Agent flow (Implicit Grant) tends to be used for mobile or desktop applications, for example Salesforce1 or Mobile SDK apps:
Tokens are returned to the Client app via a 'hash fragment' on a URL.
Username-Password flow (Resource Owner Password Credentials Grant) can be used for testing, or for apps that operate non-interactively, such as legacy integrations, without a user to actively give authorization:
$ curl -d 'grant_type=password&client_id=3MV_CLIENT_ID&client_secret=1234&username=user@example.com&password=password' \ https://login.salesforce.com/services/oauth2/token{ "id":"https://login.salesforce.com/id/ORG_ID/USER_ID", "issued_at":"1385271368428", "instance_url":"https://na15.salesforce.com", "signature":"Vcz4TlGBQJCwJzNtH3AHT/kUFLM4N/sFrJODX2ZNuyE=", "access_token":"00D_ACCESS_TOKEN" }
Username-password is generally discouraged and should be used only where no other alternative is available, due to the inherent problems with passwords.
- SAML Bearer Assertion Flow (SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants) is a better way for apps to obtain OAuth tokens without user interaction. The app obtains a signed SAML Assertion from an IAM system and exchanges it for the OAuth token.
- JWT Bearer Token Flow (JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants) is similar to SAML Bearer Assertion Flow, but uses a signed JSON Web Token rather than the SAML (XML) Assertion.
-
Can you suggest the practical use for each flow? – Shebin Mathew Nov 22 '13 at 19:31
-
I thought I did. – metadaddy Nov 22 '13 at 19:34
-
I mean examples – Shebin Mathew Nov 22 '13 at 19:44
-
I don't understand - do you mean actual applications, like 'Salesforce1', and 'DocuSign'? – metadaddy Nov 22 '13 at 19:55
-
yes exactly. More like chrome REST Console is user name password flow; A java application is Webserverflow etc. – Shebin Mathew Nov 22 '13 at 20:06
-
@ShebinMathew - how's that? – metadaddy Nov 24 '13 at 05:42
-
Which flow does the Facebook Auth Provider in Salesforce follow ? – techtrekker Jan 24 '14 at 14:47
-
1@techtrekker - the FB Auth Provider uses Web Server flow - you can try it out at https://authtest-developer-edition.na14.force.com/ – metadaddy Jan 24 '14 at 18:46