[SalesForce] OAuth2 Connected Apps getting ClientID and Secret

I've got OAuth2 working in a small project using JSForce(fantastic library). I can authenticate and all seems to work fine. The problem is, how does this work on a large scale? The app I am planning will be hosted on node.js on Heroku.

Using JSForce, you have to hardcode in the clientID and secret.

var jsforce = require('jsforce');

//
// OAuth2 client information can be shared with multiple connections.
//
var oauth2 = new sf.OAuth2({
  // you can change loginUrl to connect to sandbox or prerelease env.
  // loginUrl : 'https://test.salesforce.com',
  clientId : '<your Salesforce OAuth2 client ID is here>',
  clientSecret : '<your Salesforce OAuth2 client secret is here>',
  redirectUri : '<callback URI is here>'
});

If I plan on deploying an app that can work from the app exchange, how do you go about getting the clientID and secret into the app that is hosted on Heroku? Would I need another step prior to the actual OAuth2 flow that sends these over to my Heroku app?

I assume that since these values are hardcoded, you can't simply use the same ones for multiple orgs.

Best Answer

Oauth works for all the orgs .

Once you have client Id and client secret ,your org with connected app can connect to any of other salesforce instances .

It need not be specific to your org .Almost all apps run on the same principal .Its common misconception that it is org specific .

Related Solutions

[SalesForce] What’s the benefit of the client secret in OAuth2

OAuth2, uses the client secret mechanism as a means of authorizing a client, the software requesting an access token. You might think of it as a secret passphrase that proves to the authentication server that the client app is authorized to make a request on behalf of the user.

An app requesting an access token has to know the client secret in order to gain the token. This prevents malicious apps that have not been authorized from using the tokens from ever obtaining a valid access token. It doesn't state anything about authenticating a user, but it's instead for authorizing an app to request access tokens.

You shouldn't confuse authorization with authentication. Users are authenticated (proven that they are whom they say they are), while apps are authorized (the app is allowed to use or access the resources). The client secret protects a service from given out tokens to rogue apps. This client secret must be protected at all costs; if the secret is compromised, a new one must be generated and all authorized apps will have to be updated with the new client secret.

Client secrets aren't used in other types of flows, because of the sensitive nature of the client secrets. For example, you must not use them in JavaScript or desktop applications, both of which can be decompiled, examined, source code viewed, debugged, etc. Servers are theoretically safe from prying, so the client secret is less vulnerable than it is on a desktop app, etc.

[SalesForce] Why Am I getting invalid_client_credentials with Web Server OAuth Flow

Found the problem! I had a typo in my token request. It should have been "client_secret" instead of "secret". so it should be:

request.AddParameter("application/x-www-form-urlencoded", 
            $"grant_type=authorization_code&code={code}&client_id={ClientId}&client_secret={Secret}&redirect_uri={AuthCallback}", 
            ParameterType.RequestBody);

Related Topic