[SalesForce] OAuth2 Refresh Token Flow with Communities

I'm trying to satisfy a requirement for providing an API for communities users, where they can log into Salesforce, retrieve some data, and provide that back to a client. I have two questions around this that are related.

1) Can Salesforce Communities users log in with OAuth2 and the refresh token flow?

I found the following contrary point, but it is for username / password flow and not the refresh token flow: https://salesforce.stackexchange.com/questions/19121/should-oauth2-with-grant-type-password-work-for-high-volume-customer-portal

2) And a follow up to the above question: Can the OAuth login page be branded?

Best Answer

Yes, Communities users can use OAuth 2.0. Instead of login.salesforce.com, Use the Community URL as the prefix to the authorization URL - for example, https://acme.force.com/customers/services/oauth2/authorize. See the section Configuring Authentication Flows with OAuth in Getting Started With Communities.

Yes, the Community login page can be branded. See the section Customizing Communities Login in the same doc.

Related Solutions

[SalesForce] Should OAuth2 with grant_type “password” work for “High Volume Customer Portal” users

OAuth username-password for Portal/Communities users is not possible.

The usual approach to authenticating users to Salesforce in a mobile app is to pop up a webview with the OAuth user agent login URL and watch for the final redirect to the 'success' URL. I got this working with the PhoneGap ChildBrowser plugin a while ago; things have changed a lot in PhoneGap since then, but that shows the general approach.

On the other hand, if you REALLY want to do username/password, you can do SOAP login against the portal using LoginScopeHeader.

In general, the web-based login is preferred, since it will handle SSO from enterprise identity providers, Facebook, Google etc.

[SalesForce] OAuth 2.0 username-password flow: Is the access token long lived

You should check the operation response and handle any exception. If the response is an 401 containing this JSON:

[ { message: 'Session expired or invalid'
  , errorCode: 'INVALID_SESSION_ID'
  }
]

, you could call a refresh_token flow like this :

enter image description here

However, you only get the refresh token from the Web server and User-Agent as is indicated here.

If the application uses the username-password OAuth authentication flow, no refresh token is issued, as the user cannot authorize the application in this flow. If the access token expires, the application using username-password OAuth flow must re-authenticate the user.

So, I think that after login using user-password flow, you should re-authenticate the user or change the flow.

Refresh Token

The refresh token may have an indefinite lifetime, persisting until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server. Since refresh tokens may expire or by revoked by the user outside the control of the client application, the client must handle failure to obtain an access token, typically by replaying the protocol from the start.

I recommend you to read this article of digging deeper into OAuth in force

Best Answer

Related Solutions

[SalesForce] Should OAuth2 with grant_type “password” work for “High Volume Customer Portal” users

[SalesForce] OAuth 2.0 username-password flow: Is the access token long lived

Related Topic