Mike Leach

Managing OAuth Users in Sites

Lots of great stuff came out of Dreamforce '09 about OAuth. In addition to vendors promoting OAuth on the expo floor, the Hackathon encouraged mash-ups using OAuth to integrate Salesforce with Facebook and Twitter.

But once a Facebook or Twitter identity is authenticated, how is the session to be maintained in Force.com Sites across page views?

A cookie seems like the obvious choice, but the AppExchange certification security review team has stringent guidance on the use of cookies in apps.

Apex does not support cookies server-side, so is there a best practice for managing OAuth users in Sites that can be used in apps published to the AppExchange?
I don't think there's a way to read/write a cookie from Apex code.

What would be ideal is if you could store this on a field of the User object. You can't do this with Sites, but you could do this with a Portal user (either customer portal or partner portal).

You'll need to store the token that you are given at the end of the OAuth process. You then need to pass this token to the provider anytime that you need to communicate. Google has a nice flow diagram of the process: http://code.google.com/apis/accounts/docs/OAuth.html.

You can't store this token against the user, but you could create a custom object, and make that a child object of the user object.
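One way to implement the approach in the answer above, as an added example that is not part of the original thread and not Salesforce's own code: a hypothetical custom object `OAuth_Token__c` (assumed fields `User__c`, a lookup to User, and `Access_Token__c`) holds the token obtained at the end of the OAuth flow for an authenticated Portal user, and a small service class reads it back and attaches it to each callout. The endpoint, field names and the exact way the provider expects the token (here simply an `Authorization` header) are assumptions; providers using OAuth 1.0 request signing need the signing step added.

```apex
public with sharing class OAuthTokenService {

    // Thrown when a callout is attempted for a user with no stored token.
    public class OAuthException extends Exception {}

    // Look up the stored token for the given user. Assumes a hypothetical
    // custom object OAuth_Token__c with a User__c lookup (child of User).
    public static OAuth_Token__c getToken(Id userId) {
        List<OAuth_Token__c> tokens = [
            SELECT Id, Access_Token__c
            FROM OAuth_Token__c
            WHERE User__c = :userId
            LIMIT 1
        ];
        return tokens.isEmpty() ? null : tokens[0];
    }

    // Persist the token handed back at the end of the OAuth flow, creating
    // the child record on first login and updating it afterwards.
    public static OAuth_Token__c saveToken(Id userId, String accessToken) {
        OAuth_Token__c tok = getToken(userId);
        if (tok == null) {
            tok = new OAuth_Token__c(User__c = userId);
        }
        tok.Access_Token__c = accessToken;
        upsert tok;
        return tok;
    }

    // Remove the stored token, e.g. when the user disconnects the provider
    // or the provider reports the token as revoked.
    public static void clearToken(Id userId) {
        OAuth_Token__c tok = getToken(userId);
        if (tok != null) {
            delete tok;
        }
    }

    // Make a callout to the provider on behalf of the current user, passing
    // the stored token. The header format is an assumption; adjust to the
    // provider's documented scheme.
    public static HttpResponse callProvider(String endpoint) {
        Id userId = UserInfo.getUserId();
        OAuth_Token__c tok = getToken(userId);
        if (tok == null || String.isBlank(tok.Access_Token__c)) {
            throw new OAuthException('No OAuth token stored for user ' + userId);
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(endpoint);
        req.setMethod('GET');
        req.setHeader('Authorization', 'OAuth ' + tok.Access_Token__c);
        req.setTimeout(10000);
        return new Http().send(req);
    }
}
```

Because the token is a credential, define `Access_Token__c` as an encrypted text field and keep the object's sharing private so one portal user cannot read another user's token; the `with sharing` keyword on the class makes the SOQL query respect those sharing rules rather than running in system context. Keying the record to the authenticated Portal user, as the answer suggests, is what ties the stored token to a session without relying on a browser cookie.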