Hi manim,

The Chatter REST API uses OAuth2 to handle authentication and authorization. OAuth2 allows an end-user to authenticate themselves and authorize that a client application be given access to protected data. Client applications access the Chatter REST API using an access token assigned to them.

You can definitely use an existing salesforce login account for accessing the chatter REST API. Take a look at the "web server flow" described here: https://login.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm

Using this strategy, your web application can redirect an end-user to log into their Salesforce account on a Salesforce web page. Then your web application can retrieve the resulting "authorization code" and exchange it for an "access token" from Salesforce. The access token can then be associated with the user's web session, and you can drop it when the session expires. Note that an access token may also be revoked by an end-user through the "personal information" Setup page on Salesforce.

Cheers!

Thanks for detailed explanation.I went through the material you mentioned.

We have a requirement where chatter data needs to be fetched on regular interval and needs to be achieved without any manual intervention.

For e.g. I will have one saleforce account dedicated for this functionality which will be used for automatically logging in andfetching the data and displaying on the web page.

I deployed sample web application given on saleforce and I was able to get  an access token .

I did following to achieve this:

•  Register web application from setup-->dev--->manage remote application
• Get consumer key and consumer secret key
• Update servlet to have this keys as an init parameter

Is there any way this can be automated?

I don't think I entirely understand your question. I do not think that making a new remote application can be automated. You only have to do it once anyways.

If you log into the Salesforce account through OAuth you can get an access token and a refresh token back. Then your application can use the access token repeatedly until it expires, when it can automatically use the refresh token to get a new access token. Therefore you only really need to log in once in order to get the initial access and refresh tokens. If you wanted, you could add an "admin setup page" of a sort to your application such that an admin could come in and do the OAuth login once, to get the initial tokens, which could then be stored in a database or config file for use from the main application.

Thanks for reply.

I will try making my requirement clear.

I want to show chatter data on home page of my web application.This data will be fetched by daemon thread which will automatically login and pull data out of chatter using REST api.



I have some doubts here

1.Is remote web application registration needs to be done only once?

2.What is the validity of access token? If access token needs to be generated only once I will hard code it in my code.

As per your explaination token can be refreshed after expiration.Is this a manual process or there is any API exposed?

I think the strategy I described should work for you. The Salesforce user logs in once, then when your application makes the successful exchange of the authorization "code" for the access and refresh tokens, your application could automatically store the access/refresh tokens in a place that your daemon can access, then it could tell the daemon to start.

Remote web application registration only needs to be done once for your organization. Registering a web application establishes metadata such as the consumer key, consumer secret, and callback URL. If your applications are doing OAuth in a safe way (such as making sure that the secret is only used by trusted software on trusted systems, and is never stored some place unsafe like an end-user's phone) then you should have no need to register a new application.

The access token is an opaque value used by an authorized application to identify itself to the Chatter REST API. It is safer to use an access token than to hardcode the login credentials of a user into your application. This is because the access token may be revoked at any time by the user through their Salesforce Setup page if they suspect foul play.

Access tokens have a limited lifetime. Your daemon can request a new access token using the refresh token in an HTTP request as described here: https://login.salesforce.com/help/doc/en/remoteaccess_oauth_refresh_token_flow.htm No user interaction is required.

Thanks very much .

I will make the changes in my web application as per your suggestion and let you know how it works .

Thanks again.

Alternatively, since this is a pure server-to-server integration use case, if your server is secure, you could just hardcode the username and password into your application and use the simpler username and password flow: https://login.salesforce.com/help/doc/en/remoteaccess_oauth_username_password_flow.htm Generally this flow is not advised, but in a server-to-server situation it may be an option.