Kelsey Martens

How to use OAuth2 user-agent flow without knowing the redirect_uri beforehand?

I'm currently working on creating a plugin which would allow its users to interact with their Salesforce accounts via REST API.
Since the code would be residing on end-user servers I cannot use the client_secret, so I figured that using the User-Agent flow is the thing I'm looking for.
The problem is, however, I cannot get the redirect to work, since I get a "redirect_uri_mismatch" error. It works if I specify the CallbackURL in my Connected App settings, but since this is a plugin that clients can install on their sites, I cannot know their URIs beforehand.
Is it possible to allow any URL to be a redirect_uri?
If not - what are my alternatives? I can't make the client secret safe.
buggs sfdc
If you are trying to test the endpoint of your REST API, these links may help you.
https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_curl.htm
https://developer.salesforce.com/forums/?id=906F0000000DEvGIAW
Kelsey Martens
No, I am trying to get an access token using the OAuth user-agent flow, but the request is going to come from many different URIs which I cannot know. Since I can't pass anything to the redirect_uri other than the URLs that I have specifically specified in my Connected App settings under "CallbackURL", it makes it impossible to retrieve said access token.

Is it possible at all? I have an open source plugin, which cannot contain my client_secret since it would be visible to everyone.
Sergio Alcocer
I believe that Salesforce decided, like many other platforms, to enforce this as a security measure, as someone could redirect / inject a hacked callback URL to get the access token and do bad things with it.

My suggestion: make the plugin so that the one who is installing it can set up a client_id, a client_secret and their own callback URL.
You might want to consider leaving some instructions on how to create the connected app and how to get the callback.

By doing so, they will be able to make sure that only their plugin is getting access, etc.

Kind regards.
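As an added illustration (not code from this thread or from Salesforce), the following Python models both sides of what the answer describes: the installer configures their own client_id and callback URL, the plugin builds the user-agent-flow authorize request with them, the authorization server accepts the redirect_uri only on an exact match with the registered callback (the check behind the redirect_uri_mismatch error), and the plugin reads the token back from the URL fragment only if the state it sent comes back unchanged. The client_id, hostnames and token values are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample registry: what a Connected App's "Callback URL" setting
# holds for each client_id. The id is a made-up placeholder, not a real one.
REGISTERED_CALLBACKS = {
    "PLACEHOLDER_CLIENT_ID": [
        "https://customer-site.example/plugin/sf_callback",
    ],
}


def build_user_agent_authorize_url(login_host, client_id, redirect_uri, state):
    """Authorize request for the user-agent flow: response_type=token, so no
    client_secret is ever sent. The installer-configured client_id and
    callback URL are passed through; state is a per-request random value."""
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://{login_host}/services/oauth2/authorize?{urlencode(params)}"


def check_redirect_uri(client_id, requested_uri):
    """Model of the server-side check: the requested redirect_uri must be an
    exact string match for a registered callback. Any deviation (different
    scheme, extra path, unknown client) is refused as redirect_uri_mismatch,
    which is what stops a tampered callback from receiving the token."""
    registered = REGISTERED_CALLBACKS.get(client_id, [])
    if requested_uri in registered:
        return "ok"
    return "redirect_uri_mismatch"


def read_token_from_callback(redirected_url, expected_state):
    """The user-agent flow returns access_token in the URL fragment, not the
    query string. Refuse the response if state does not match what we sent,
    so a response we did not initiate cannot be planted in the plugin."""
    frag = parse_qs(urlsplit(redirected_url).fragment)
    if frag.get("state", [None])[0] != expected_state:
        return None
    return frag.get("access_token", [None])[0]
```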
Kelsey Martens
Thank you, that is what I'm going for now!