Randy Rose

rest apex security best practices

We have created plenty of REST Apex classes and access them using OAuth 2.0 with the Web Server Flow (consumer secret, consumer key, etc.).

However, we're in the process of creating our first REST Apex class that a 3rd party partner will have access to.

Since our current APEX REST classes are used by our own client applications (hosted on our servers), we feel they're secured.

My question is: what is considered best practice to allow a 3rd party partner to use a new APEX REST class? This class will return one opportunity record (JSON).

My thinking is to continue to use OAuth 2.0 and do the following:
1. Create new Connected App
2. Set connected app to read only 
3. Add IP Restriction
4. Provide partner consumer secret/key

Is this sufficient, or is there a better secured way?
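The endpoint the question describes (one opportunity record returned as JSON to a partner), written as a read-only Apex REST class. This is an added example, not code from the original thread; the URL mapping, field list and error payloads are assumptions. It runs with sharing, validates the record Id before querying, and strips fields the calling user cannot read, so the partner's integration user only ever sees what its profile and sharing allow.

```apex
// Added example (not from the original thread). Assumed URL mapping:
// /services/apexrest/partner/opportunity/<OpportunityId>
@RestResource(urlMapping='/partner/opportunity/*')
global with sharing class PartnerOpportunityResource {

    // Only a GET handler is exposed: the class is read-only by construction,
    // independent of the connected app's scope configuration.
    @HttpGet
    global static void getOpportunity() {
        RestRequest req = RestContext.request;
        RestResponse res = RestContext.response;
        res.addHeader('Content-Type', 'application/json');

        // Take the last path segment as the record Id and validate its shape
        // before it reaches SOQL; Id.valueOf throws on malformed input.
        String rawId = req.requestURI.substring(req.requestURI.lastIndexOf('/') + 1);
        Id oppId;
        try {
            oppId = Id.valueOf(rawId);
        } catch (StringException e) {
            res.statusCode = 400;
            res.responseBody = Blob.valueOf(JSON.serialize(
                new Map<String, String>{ 'error' => 'invalid opportunity id' }));
            return;
        }
        if (oppId.getSObjectType() != Opportunity.SObjectType) {
            res.statusCode = 400;
            res.responseBody = Blob.valueOf(JSON.serialize(
                new Map<String, String>{ 'error' => 'not an opportunity id' }));
            return;
        }

        // "with sharing" applies the integration user's record visibility;
        // a record the partner is not shared on simply does not come back.
        List<Opportunity> opps = [
            SELECT Id, Name, StageName, Amount, CloseDate
            FROM Opportunity
            WHERE Id = :oppId
            LIMIT 1
        ];
        if (opps.isEmpty()) {
            res.statusCode = 404;
            res.responseBody = Blob.valueOf(JSON.serialize(
                new Map<String, String>{ 'error' => 'not found' }));
            return;
        }

        // Enforce field-level security: fields the user cannot read are removed
        // from the payload instead of being serialised to the partner.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, opps);
        res.statusCode = 200;
        res.responseBody = Blob.valueOf(JSON.serialize(decision.getRecords()[0]));
    }
}
```

Granting the partner's integration user a profile (or permission set) with read access to only the fields listed here, plus the "Set connected app to read only" scope from the question, gives two independent controls: the endpoint cannot write, and the user behind it cannot read anything beyond the intended fields.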
Nagendra (Salesforce Developers)
Hi Randy,

Here are the possible bits you could configure making it more secure:
  1. Connected App (OAuth 2 Web server flow)
  2. Scopes control
  3. IP Restriction
  4. Profile Setting
  5. ConnectedApp handler (Own custom keys)
  6. Mutual Authentication (Client certificate)
You have already covered most of the items, and John gave a bit of extra detail about the Profile setting.

In addition to that, the ConnectedApp handler could be used to verify some extra parameters passed in the flow, to make sure that the request is coming from the correct partner even if the connected app keys are compromised. You can put your own logic there at the Salesforce end.

Also, you could use Mutual Authentication for inbound API calls to provide additional security by passing a client certificate along with the request. This allows secure server-to-server connections initiated by a client using client certificate authentication, and means that both the client and the server authenticate and verify that they are who they say they are.

Hope this helps.

Regards,
Nagendra.
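Item 5 in the answer, a ConnectedApp handler carrying your own authorization logic, as an added example that is not part of the original reply. It subclasses `Auth.ConnectedAppPlugin` and overrides `authorize`, which Salesforce calls before issuing a token. The checks it applies are assumptions: the partner is expected to authenticate as a dedicated, active integration user on a profile named "Partner Integration" (placeholder name), through the OAuth 2.0 flow only. Because the handler runs on the Salesforce side, a leaked consumer key/secret alone is not enough to obtain a token: the caller still has to be the right user in the right context.

```apex
// Added example (not from the original thread). Register this class as the
// "Custom Connected App Handler" on the partner's connected app.
global class PartnerConnectedAppPlugin extends Auth.ConnectedAppPlugin {

    // Assumed profile name for the partner's dedicated integration user.
    private static final String PARTNER_PROFILE_NAME = 'Partner Integration';

    // Called by the platform before a token is granted; returning false
    // denies the request regardless of valid consumer key/secret.
    global override Boolean authorize(Id userId, Id connectedAppId,
                                      Boolean isAdminApproved,
                                      Auth.InvocationContext context) {
        // Accept only the OAuth 2.0 flow the partner was set up with; any
        // other context (JWT, SAML, canvas, ...) is rejected outright.
        if (context != Auth.InvocationContext.OAUTH2) {
            return false;
        }

        // Require admin pre-approval (app configured so that admin-approved
        // users are pre-authorized); self-authorized users are refused.
        if (isAdminApproved != true) {
            return false;
        }

        // The token must be requested by the active integration user that
        // was provisioned for this partner, not by any other org user.
        List<User> callers = [
            SELECT Id, IsActive, Profile.Name
            FROM User
            WHERE Id = :userId
            LIMIT 1
        ];
        if (callers.isEmpty() || !callers[0].IsActive) {
            return false;
        }
        return callers[0].Profile.Name == PARTNER_PROFILE_NAME;
    }
}
```

Combined with the IP restriction on the connected app and the read-only scope, a compromised key/secret pair now has to be used from an allowed address, as the one approved integration user, in the expected flow, before it yields any token; each of those is a separate signal you can alert on when it fails.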