cfaherty

OAuth 2.0 User-Agent Flow token and SFDC UI

I am implementing the OAuth 2.0 User-Agent authentication flow in my Android app, and after a test run I realized that I cannot use the token to access Chatter photos or the web UI.

I see that this limitation is documented here: https://na3.salesforce.com/help/doc/en/remoteaccess_oauth_user_agent_flow.htm

"access_token

Salesforce session ID that can be used with the Web services API. This session ID cannot be used in the Salesforce user interface. Treat this like a user's session and diligently protect it."

My problem is that this is the entire nature of my application, which is a combination of native code using the SOAP API and embedded WebViews using the web UI.

So am I stuck using the old username/password + secret key authentication, or is there some trick to using an OAuth 2.0 token for the web UI?

Pat Patterson

OAuth tokens are scoped to API use only. This is by design, since the user's authorization grant gives the client permission to access data on behalf of the user, not to effectively impersonate the user at the web site.
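To make concrete what the User-Agent flow actually hands the app, and what the quoted doc means by "use it with the Web services API", here is an added example in Python (language-neutral; it is not code from this thread, from the Android app described, or from Salesforce). It pulls the parameters out of the URL fragment of the redirect, checks the signature Salesforce includes (Base64 HMAC-SHA256 over id + issued_at, keyed with the consumer secret, which only applies if the app holds that secret; a public mobile client usually does not), and then wraps the access_token as a Bearer header for REST or as the SessionHeader session ID for the partner SOAP API. The myapp:// redirect scheme, the token and identity values, the consumer secret and the API version are all constructed for illustration.

```python
"""Handling the OAuth 2.0 User-Agent flow callback in a mobile client.

Added illustration, not code from this thread or from Salesforce. Assumes the
authorization server redirects to redirect_uri with the token parameters in the
URL fragment, and that `signature` is Base64(HMAC-SHA256(consumer_secret,
id + issued_at)). The myapp:// scheme, token values and API version are made up.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

REQUIRED = ("access_token", "instance_url", "id", "issued_at")


def parse_callback(redirect_url: str) -> dict:
    """Pull the token parameters out of the callback's fragment.

    The User-Agent flow puts them after '#', which the browser never sends to the
    redirect_uri host, so the token stays out of that host's request logs. A
    callback carrying access_token in the query string is rejected for that reason.
    """
    parts = urlsplit(redirect_url)
    if "access_token" in parse_qs(parts.query):
        raise ValueError("access_token in query string: not a User-Agent flow callback")
    if not parts.fragment:
        raise ValueError("callback has no fragment")
    params = {k: v[0] for k, v in parse_qs(parts.fragment, strict_parsing=True).items()}
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError("callback is missing " + ", ".join(missing))
    return params


def sign(identity_url: str, issued_at: str, consumer_secret: str) -> str:
    """Base64(HMAC-SHA256(consumer_secret, id + issued_at)): the `signature` value."""
    mac = hmac.new(consumer_secret.encode(), (identity_url + issued_at).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_signature(params: dict, consumer_secret: str) -> bool:
    """Constant-time check that id and issued_at were not altered in transit.

    Only possible when the app holds the consumer secret; a public mobile client
    normally does not, in which case this step is skipped and the app relies on
    TLS plus checking the state value it sent.
    """
    expected = sign(params["id"], params["issued_at"], consumer_secret)
    return hmac.compare_digest(expected, params.get("signature", ""))


def rest_request(params: dict, path: str) -> tuple:
    """(url, headers) for a REST API call: the token travels as a Bearer credential."""
    base = params["instance_url"].rstrip("/")
    return base + path, {"Authorization": "Bearer " + params["access_token"]}


def soap_endpoint(params: dict, api_version: str = "23.0") -> str:
    """Partner SOAP endpoint on the instance that issued the token (version assumed)."""
    return params["instance_url"].rstrip("/") + "/services/Soap/u/" + api_version


def soap_envelope(params: dict, body_xml: str) -> str:
    """Partner SOAP envelope with the access_token as the SessionHeader sessionId."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:urn="urn:partner.soap.sforce.com">'
        "<soapenv:Header><urn:SessionHeader><urn:sessionId>"
        + escape(params["access_token"])
        + "</urn:sessionId></urn:SessionHeader></soapenv:Header>"
        "<soapenv:Body>" + body_xml + "</soapenv:Body></soapenv:Envelope>"
    )


def build_sample_callback(consumer_secret: str, redirect_uri: str = "myapp://oauth/done") -> str:
    """Constructed callback URL for offline use; every value here is made up."""
    identity = "https://login.salesforce.com/id/00Dx00000000001EAA/005x00000000001AAA"
    issued_at = "1314633820000"
    fragment = urlencode({
        "access_token": "00Dx00000000001!AQ4AQExampleTokenNotReal",
        "instance_url": "https://na3.salesforce.com",
        "id": identity,
        "issued_at": issued_at,
        "signature": sign(identity, issued_at, consumer_secret),
        "scope": "api",
        "state": "8f3c1b",
    })
    return redirect_uri + "#" + fragment


if __name__ == "__main__":
    p = parse_callback(build_sample_callback("consumer-secret-example"))
    print("signature ok:", verify_signature(p, "consumer-secret-example"))
    print(rest_request(p, "/services/data/v23.0/sobjects/"))
    print(soap_endpoint(p))
```

On a device the WebView's redirect interception hands `parse_callback` the final URL, and the resulting access_token goes into platform-protected storage rather than the app's preferences; what it cannot do, as the answer above says, is be pasted into a WebView session to reach Visualforce or Chatter photo pages.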

hemm

Are there any plans to change this? One use case that this really inhibits is a mobile app that wants to utilize Visualforce as the UI. The OAuth authentication model makes the end-user experience nice because the end user only has to grant access once. Once they do, they expect the app to just connect for them.

Apps that want to utilize Visualforce and a tool like jQuery Mobile or Sencha UI are at a loss when using OAuth, because the user cannot be brought to those pages if connected via OAuth.

The way it's currently set up, Salesforce is telling developers not to use Visualforce and to re-build UIs in the apps themselves. However, using Visualforce would be great because it allows push upgrades to happen without any user intervention and doesn't require a re-assessment by Apple, for example, for a new version. Also, Visualforce uses Apex, and all of the code for the mobile app would be securely scanned, tested and accessible by Salesforce from a security standpoint. Seems like a win-win to me.

If an OAuth session could be brought to a VF page (perhaps managed packages on AppExchange get a special privilege?), it would allow an app to exist on a device that is essentially wrapping a web UI. The app would be primarily authentication and then let Visualforce/Apex do the rest.

People want apps on their devices rather than web bookmarks. OAuth makes authentication easy. Salesforce just needs to allow this use case access to mobile Visualforce pages.

Please consider it.

cfaherty

hemm wrote:

Please consider it.

Thank you for your support of this feature. I have developed a mobile application which is similar to what you have described. The capability to wrap VF pages is basic functionality which is done within Salesforce's own mobile applications. I am attempting to do the same within my third-party application.

I had hoped to use OAuth 2.0 authentication to support the API and embedded Visualforce pages, but I cannot, and this makes things awkward because as a third party I must regretfully use encrypted user/pass storage.

Notice also that this limitation prevents the use of OAuth 2.0 for retrieving user photos for use within third-party Chatter applications.