raj kiran

User-Agent OAuth Authentication Flow CORS

Hi All,

We are using the User-Agent OAuth Authentication Flow so that vendors can insert data from their internal/external sites by using a simple insert REST API endpoint call made with JavaScript/AJAX.

We have shared the sample endpoint for authorization like
https://login.salesforce.com/services/oauth2/authorize?response_type=token&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLJbP_pqwoJYyuisjQhr_LLurNDv7AgQvDTZwCoZuD
ZrXcPCmBv4o.8ds.5iE&redirect_uri=https%3A%2F%2Fwww.mysite.com%2Fuser_callback.jsp&
state=mystate 
 
So vendors would call the above endpoint and grant authorization, like an accept/reject pop-up getting displayed in their front-end screens for the first-time call. On successful redirection, the screen gets redirected to the redirect URL mentioned in the connected app.
We have mentioned that redirect URL as www.vendordoamin.page/sfdc.jsp, where sfdc.jsp is the page where the user submitted the data from. So when the user authorizes via the pop-up, the SFDC authorization servers should respond back with the access token.
Once the access token is received, the vendor should store the access throughout the request and should use the same to insert the custom lead data via the standard REST URL generated via Workbench.

In case the access token is expired, the request should be made to the below URL to get a new token:

POST /services/oauth2/token HTTP/1.1
Host: https://test.salesforce.com/
grant_type=refresh_token&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0
QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=111111111121111
&refresh_token=your token here

We have used this approach so that we can share the authorize endpoint and code, with simple authorization inputs from the front-end user when submitting data, and then the system inserting data into SFDC.
(We want this simple approach so that many other vendors can simply insert our REST API code and can insert data.)

Since the vendors are unable to test or help us with SFDC support, I am banging my head to replicate this CORS issue on the SFDC side. like


Now for the problems
-- For the first time, vendors were able to authorize.
-- They got an access token; however, the second time, for refreshing access tokens, they are getting CORS errors and are unable to proceed further.
-- How do I actually replicate the issue? I have minimal experience in Java web apps, but is developing a Java-based web app using JSP, Tomcat and a REST web service the only way to replicate the CORS issue?
-- There are many sample codes, but using Maven/JAXB/some other REST API in Eclipse and configuring the build path is all hell for me.
-- Is there any other way to test the User-Agent OAuth Authentication Flow?
-- If testing is only possible via creating a Java project etc., can anyone share any sample code or Eclipse configuration?


** Already whitelisted the vendor's domain in the CORS option in Salesforce.
Asif Ali M
Hi Raj,

Verify the CORS entry again. The domain should be the same in CORS and the Callback URL. If you omit the www in CORS but have it in the callback URL, then you will get a CORS error.

Follow these steps to replicate:
  1. setup sfdc.jsp in your local machine with https (https://localhost/sfdc.jsp)
  2. Create a new connected app with a callback url https://localhost/sfdc.jsp
  3. Add a CORS entry for https://localhost
  4. Now change the client_id/redirect_uri in sfdc.jsp (assuming you have connected app info in sfdc.jsp)
  5. then run https://localhost/sfdc.jsp

Let me know if this helps.
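
Added example (not part of either post above): a small JavaScript check of the point made in the answer, comparing the origin a browser would send from the callback page against each CORS allowlist entry and reporting why they differ. The function names and the `vendor.example` values are constructed for illustration, and only exact-match allowlist entries are handled.

```javascript
// Added example: sample values below are constructed, not taken from a real org.

// Normalize a URL or origin string to the scheme://host[:port] form a browser
// sends in the Origin header. Returns null if it cannot be parsed.
function toOrigin(value) {
  try {
    const u = new URL(value);
    return u.origin === "null" ? null : u.origin;
  } catch (e) {
    return null;
  }
}

// Compare the callback page's origin with each CORS allowlist entry and
// explain each miss (hypothetical helper; exact-match entries only).
function diagnoseCors(callbackUrl, corsEntries) {
  const pageOrigin = toOrigin(callbackUrl);
  if (!pageOrigin) return { ok: false, reasons: ["callback URL is not an absolute URL"] };
  const page = new URL(pageOrigin);
  const strip = (h) => h.replace(/^www\./, "");
  const reasons = [];
  for (const entry of corsEntries) {
    const entryOrigin = toOrigin(entry);
    if (!entryOrigin) { reasons.push(`${entry}: not a valid origin (scheme missing?)`); continue; }
    if (entryOrigin === pageOrigin) return { ok: true, origin: pageOrigin, reasons: [] };
    const e = new URL(entryOrigin);
    const diffs = [];
    if (e.protocol !== page.protocol) diffs.push("scheme differs");
    if (e.hostname !== page.hostname) {
      diffs.push(strip(e.hostname) === strip(page.hostname) ? "www prefix differs" : "host differs");
    }
    if (e.port !== page.port) diffs.push("port differs");
    reasons.push(`${entryOrigin}: ${diffs.join(", ")}`);
  }
  return { ok: false, origin: pageOrigin, reasons };
}

// Constructed sample: callback URL uses www, allowlist entry omits it.
const sample = diagnoseCors("https://www.vendor.example/sfdc.jsp", ["https://vendor.example"]);
console.log(sample);
```

The same function can be run against the local test setup from the steps above, for example with `https://localhost/sfdc.jsp` and a CORS entry of `https://localhost`.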