+ Start a Discussion
drcrawfodrcrawfo 

OAuth - Alternative to username-password flow

I have a bit of a strange use case for OAuth that I am trying to overcome. I'm developing a mobile application that will be used by non-salesforce users. I want the app to record usage information and send the data back to my salesforce account. I need the app to be able to authenticate without the end-user inputing any credentials (they don't have a salesforce account, the data is being sent to my account). I think the only OAuth flow that would work would be username-password flow, where I would hardcode my username and password into the application. This isn't very secure, and I will run into a problem if I ever change my password. Is there any other OAuth flow that would allow me to do what I need?

 

Forgive me, I'm very new to OAuth and I've read all the guides trying to find a solution that will work but have come up short. Any help is much appreciated.

Best Answer chosen by Admin (Salesforce Developers) 
SuperfellSuperfell

You can go through oauth yourself to generate the refresh token, then put that in your app, similar to the approach of embeding your username & password, but without the downsides of the password.

 

Alternatively you could use sites to expose an API endpoint that is unauthenicated that your app can use to send data to your org.

All Answers

JLA.ovhJLA.ovh
drcrawfodrcrawfo

Thanks for the link. I already looked into the refresh token flow but I don't think it will work. From the link you posted: 

 

This is only done after the consumer already has received a refresh token using either the Web server or user-agent flow.

 

 I can't use the Web server or user-agent flow because that would require the end user to enter salesforce credentials.

 

I'm beginning to think what I'm trying to do goes against what OAuth is all about, and it may not be possible to do.

SuperfellSuperfell

You can go through oauth yourself to generate the refresh token, then put that in your app, similar to the approach of embeding your username & password, but without the downsides of the password.

 

Alternatively you could use sites to expose an API endpoint that is unauthenicated that your app can use to send data to your org.

This was selected as the best answer
drcrawfodrcrawfo

Generating a refresh token manually and putting it into the app worked perfectly. Thank you very much for the help.

mk2013mk2013

Hi,

can you please expalin a bit more on how to generate refresh token manually?

 

I have a use case where, any user who is authenticated on CAS server and who belongs to a particular organization, we want to be able to log him in to salesforce programmatically. Is it possible to do any such thing? I already have a login example where I can login in a user when I have their username and password. But in this case each user has to havea security token to use along with teh password. Can there be a SINGLE token used for one organization so that we can log the users in without going through their individual SF tokens?

 

Thanks,

 

AdminBoosterAdminBooster

Not answering exactly your question, but to avoid the security token, if the user has to connect from the corporate network, you can whitelist the IP in the user profile configuration.

bhbh
Hi Simon, can you elaborate a bit on how to do this? point me in the right direction? thanks,