gscott

Last week I built a quick prototype to test the new Winter '10 OAuth feature for authenticating users. I wrote up some of my lessons learned in a blog post that you may find interesting if you are implementing this feature in your applications. The post also contains links to a few OAuth-related ideas on IdeaExchange that I would encourage you to promote if you are interested in this feature. Here's the link:

http://www.rumbleware.com/blog/2009/10/authenticating-salesforce-com-apps-using-oauth/

Comments and feedback are welcome,

George

Message Edited by gscott on 10-27-2009 08:34 AM
  • October 27, 2009

Has anybody successfully used OAuth for obtaining a sessionId for use with the API in Winter '10?

I've been able to get so far as to generate a valid OAuth access token, but I haven't yet been able to use that access token to get an API session id, and I suspect the documentation may not be accurate or complete.

A few observations I've made:

  • The documentation says the URL is https://login.salesforce.com/services/OAuth/type/api-version, where type is "c" for the Partner WSDL and "u" for the Enterprise WSDL. This is the reverse of the normal SOAP API, and I assume it is a mistake, but I can't verify since I can't get a session id.
  • The documentation says that "authorization header must have the following parameters" when referring to the request to obtain the session. I take this to mean that one must use the Authorization HTTP header and not POST parameters to obtain the session id. However, I've not had success with either.
  • If I do not use the authorization header and post the OAuth parameters in the body, I get a response of LOGIN_OAUTH_INVALID_DSIG, indicating a bad signature, even though I'm using the same code to sign the request as I do for generating the request and access tokens.
  • If I instead use the Authorization HTTP header I get the error LOGIN_OAUTH_METHOD_NOT_SUPPORTED, indicating I must use HTTP POST, even though I already am. Note, in this case the POST body is empty.

If anybody has got this last step working, it would be very helpful to know how you constructed the request. Did you use the authorization header? What were the contents of the POST? Did you do anything special when generating your signature, in particular the generation of the OAuth Signature Base String and the key used for the signature (I'm using both the consumer and token secrets per the spec)?

Thanks,

George

  • October 22, 2009
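The signing step George is asking about, as an added example that is not part of this thread and not Salesforce's code: it builds the OAuth 1.0a signature base string and HMAC-SHA1 signature exactly as RFC 5849 specifies (key = percent-encoded consumer secret, "&", percent-encoded token secret), emits the `Authorization: OAuth ...` header form, and includes a server-side verifier so you can see which mistakes (dropping the token secret, leaving a body parameter out of the base string, signing a different method) produce the kind of signature mismatch a LOGIN_OAUTH_INVALID_DSIG-style error reports. The consumer key and secrets, the token, the nonce and timestamp, and the https://example.com URL are constructed placeholders; the code says nothing about which request form the Winter '10 endpoint actually accepts.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing and verification.

Added example; every key, secret, nonce, timestamp and URL below is a
constructed placeholder, not a value from any real service.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth requires: only unreserved characters
    (A-Z a-z 0-9 - . _ ~) stay literal, space becomes %20, hex is upper-case."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lower-cased, default port dropped, query string removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(params):
    """Encode each key and value, sort by encoded key then value, join as k=v&k=v."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """METHOD & pct(base URI) & pct(normalized params). `params` must hold the
    query params, the form-encoded body params, and every oauth_* param
    except oauth_signature; anything missing here yields a bad signature."""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalize_params(params))])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Key is pct(consumer secret) + '&' + pct(token secret). The token secret is
    empty only for the initial request-token call; once you hold a token, the
    key must include its secret or the signature will not verify."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def collect_params(url, body_params, oauth):
    """Query params + form body params + oauth_* params, as (key, value) pairs."""
    return (list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
            + list(body_params) + list(oauth.items()))


def sign_request(method, url, consumer_key, consumer_secret, token=None,
                 token_secret="", body_params=(), nonce=None, timestamp=None):
    """Client side. Returns (Authorization header value, signature base string)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token is not None:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, collect_params(url, body_params, oauth))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())
    return header, base


def parse_auth_header(header):
    """Parse 'OAuth k="v", k="v"' back into a dict; values are percent-decoded."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params


def verify_signature(method, url, header, consumer_secret, token_secret="",
                     body_params=()):
    """Server side: rebuild the base string from what was actually received and
    compare in constant time. A real server also enforces a timestamp window and
    nonce uniqueness (RFC 5849 section 3.3) against replay; omitted here."""
    oauth = parse_auth_header(header)
    presented = oauth.pop("oauth_signature", "")
    oauth.pop("realm", None)  # realm is carried in the header but never signed
    expected = hmac_sha1_signature(
        signature_base_string(method, url, collect_params(url, body_params, oauth)),
        consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    url = "https://example.com/oauth/session"  # constructed placeholder endpoint
    hdr, base = sign_request("POST", url, "example-consumer-key", "example-consumer-secret",
                             token="example-token", token_secret="example-token-secret",
                             nonce="abc123", timestamp="1256000000")
    print(base)
    print(hdr)
    print(verify_signature("POST", url, hdr, "example-consumer-secret", "example-token-secret"))
```

Two details worth checking against your own client: the body parameters only enter the base string when the body is `application/x-www-form-urlencoded` (an empty POST body contributes nothing, so the header-only form and the body form produce different base strings), and the signing key must be the two secrets joined by `&` even when the token secret is empty.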
