This article continues the series from Part 1 and Part 2.
This flow is recommended when you build a mobile or desktop app that anyone can install. In that case it is not safe to keep a client secret inside the app, because anyone can inspect the app's code and extract it, so the secret would be exposed.
Now, let's look at how to handle logins in such apps, particularly when an external system should log in using someone's Salesforce credentials. The external app passes only the client ID, the user is prompted to log in to Salesforce, and the user then approves the external app's access to specific Salesforce data.
- The external app initiates the login process by sending the client ID. The user is redirected to the Salesforce login page, where they authenticate. Once logged in, they approve the external app's access, and the app is granted an access token and a refresh token.
- The neat part is that the external app can use the refresh token to obtain a new access token when the old one expires, without asking the user to log in again. This process is known as the user-agent authentication flow.
- In simple terms, the external app receives the access token through a redirect. It asks the authorization server to redirect the user to another web server or a local resource, and the client extracts the access token from that redirect. The token is placed in the hash fragment (the part after `#`) of the URL, which the browser does not send to the web server, so the token is not exposed to servers or other intermediaries.
- When deciding on an authentication method, weigh the User-Agent Flow carefully. In the Salesforce environment this approach has been in use for a long time and is favored over building a custom alternative, particularly for Mobile SDK apps.
- Be aware of the security weaknesses associated with the User-Agent Flow: a token delivered in a URL can end up in places such as browser history.
- There are complications, especially in cross-domain scenarios, when third-party cookie support is disabled or retired.
- The current recommendation from the Internet Engineering Task Force (IETF), in its OAuth 2.0 Security Best Current Practice, advises against using this flow.
- The Implicit Grant Flow is commonly used in mobile or desktop applications such as Data Loader, Salesforce1, and Mobile SDK apps.
- Client apps running on devices or in browsers use this flow to acquire an access token.
- The tokens are delivered to the client app in a hash fragment attached to a URL. This mechanism is integral to the user-agent flow.
- By default this flow assumes that partner applications cannot be trusted, so use it when your partner application cannot protect the client secret issued by the Salesforce connected app.
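As an added example (not code from the article), here is what the client side of the user-agent flow looks like: build the authorization request with `response_type=token`, then, after the redirect, read the token from the hash fragment and accept it only if the `state` value matches the one the app issued. The endpoint path and parameter names follow Salesforce's documented user-agent flow; the client ID, redirect URI and the sample redirect URL are constructed placeholders.

```javascript
// Added example: client side of the Salesforce user-agent (implicit) flow.
// Query and fragment parameter names follow the Salesforce user-agent flow;
// the client ID, redirect URI and the sample redirect are constructed placeholders.

// Step 1: build the authorization URL. response_type=token is what makes
// Salesforce return the access token in the URL hash fragment.
function buildAuthorizeUrl(loginHost, clientId, redirectUri, state) {
  const url = new URL('/services/oauth2/authorize', loginHost);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state); // unguessable per-request value, checked on return
  url.searchParams.set('scope', 'api refresh_token');
  return url.toString();
}

// Step 2: after login and approval the browser lands on redirect_uri with the
// tokens in the fragment (after '#'), which the browser never sends to a server.
// Returns null unless the state matches the one this app issued.
function parseTokenFragment(redirectedUrl, expectedState) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, '');
  const params = new URLSearchParams(fragment);
  if (params.get('state') !== expectedState) {
    return null; // response is not tied to our request: discard it
  }
  const accessToken = params.get('access_token');
  if (!accessToken) return null;
  return {
    accessToken,
    refreshToken: params.get('refresh_token'), // present only with refresh_token scope
    instanceUrl: params.get('instance_url'),
    issuedAt: params.get('issued_at'),
  };
}

// Constructed sample of the redirect the browser would receive.
const SAMPLE_REDIRECT =
  'https://myapp.example/callback' +
  '#access_token=EXAMPLE_ACCESS_TOKEN&refresh_token=EXAMPLE_REFRESH_TOKEN' +
  '&instance_url=https%3A%2F%2Fexample.my.salesforce.com' +
  '&issued_at=1700000000000&state=abc123';

const authorizeUrl = buildAuthorizeUrl(
  'https://login.salesforce.com', 'CLIENT_ID_PLACEHOLDER',
  'https://myapp.example/callback', 'abc123');
const tokens = parseTokenFragment(SAMPLE_REDIRECT, 'abc123');
```

In a real app, generate `state` with a cryptographic random source and store it for the comparison; `parseTokenFragment` returning null is the signal to drop the response.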
Part 1: https://www.dhirubhai.net/pulse/salesforce-oauth-flows-which-one-choose-series-basics-gaurav-gupta-cuv2f%3FtrackingId=Mv1wly98TNWUYxc137zhzg%253D%253D/?trackingId=Mv1wly98TNWUYxc137zhzg%3D%3D
Part 2: https://www.dhirubhai.net/pulse/salesforce-oauth-flows-which-one-choose-series-web-server-gupta-vscnf/
Reference: https://www.dhirubhai.net/pulse/salesforce-oauth-which-flow-should-i-use-jannis-bott-/?trackingId=3qVctbS9S%2FC4kZ1c92WVZA%3D%3D