[SalesForce] rest apex security best practices

We've have created plenty of REST Apex classes and access them using OAuth 2.0 using Web Server Flow (consumer secret, consumer key, etc.)

However, we're in the process of creating our first REST Apex class that a 3rd party partner will have access to.

Since our current APEX REST classes are used by our own client applications (hosted on our servers), we feel they're secured.

My question is what is considered best practice to allow a 3rd party partner to use a new APEX REST class? This class will return back one opportunity record (JSON)

My thinking is to continue to use OAuth 2.0 and do the followng

Create new Connected App
Selected OAuth Scopes
Add IP Restriction?
Provide partner consumer secret/key

Is this sufficient or is their a better secured way?

Also, is there a way to use OAuth without having to give the partner a Salesforce user account? It would be ideal to just be able give the partner an endpoint to retrieve an access token and then use our Salesforce REST Apex passing the access token.

Best Answer

That's a great question.

You already have covered a lot of details in you question summary and looks like you are on right track.

Here are the possible bits you could configure making it more secure :

Connected App (oAuth 2 Web server flow)
Scopes control
IP Restriction
Profile Setting
ConnectedApp handler (Own custom keys)
Mutual Authentication (Client certificate)

You already have covered most of the items and John gave bit extra details about Profile setting.

In addition to that, ConnectedApp handler could be used to verify some extra parameters, being passed in the flow, to make sure that request is coming from the correct partner, if connected app keys are compromised. You can put your own logic there at Salesforce end.

Also, you could use Mutual Authentication for Inbound API calls, to provide additional security by passing client certificate along with the request. This allows secure server-to-server connections initiated by a client using client certificate authentication, and means that both the client and the server authenticate and verify that they are who they say they are.

Related Solutions

[SalesForce] Access rest service oauth

Check the login history for the user and make sure you are connecting to the right url TEST vs LOGIN.

I am willing to bet that the Security Token is being required and you are not appending that to your password

You should be doing: &password={PASSWORD}{SECURITYTOKEN}

I used your code and once I added the IP to the allowed ranges (or appended the security token) it was successful.

HttpRequest req = new HttpRequest();
req.setMethod('POST');
req.setHeader('Content-Type','application/x-www-form-urlencoded');
req.setEndpoint('https://login.salesforce.com/services/oauth2/token');
req.setBody('grant_type=password' + '&client_id=xyz' + '&client_secret=xyz' + '&username=un' + '&password=pw');
Http h = new Http();
HTTPResponse res = h.send(req);
System.debug('Body ' + res.getBody());
System.debug('Status ' + res.getStatus());
System.debug('Status code ' + res.getStatusCode());

results in:

15:00:19.37 (660162883)|USER_DEBUG|[8]|DEBUG|Body {"access_token":"xyz","instance_url":"https://xxx.my.salesforce.com","id":"https://login.salesforce.com/id/xx/xx","token_type":"Bearer","issued_at":"1493838019636","signature":"xx"}

15:00:19.37 (660248503)|USER_DEBUG|[9]|DEBUG|Status OK 15:00:19.37

(660399942)|USER_DEBUG|[10]|DEBUG|Status code 200

Digging Deeper into OAuth 2.0 on Force.com

An autonomous client can obtain an access token by simply providing username, password and (depending on configuration) security token in an access token request. Again the request is POSTed (1) to https://login.salesforce.com/services/oauth2/token, but the payload now has the form

grant_type=password&client_id=&client_secret=&username=&password=

The following parameters are required:

grant_type Set this to password.

client_id Your application's client identifier.

client_secret Your application's client secret. username The API user's Salesforce.com

username, of the form user@example.com.

password The API user's Salesforce.com password. If the client's IP address has not been whitelisted in your org, you must concatenate the security token with the password.

[SalesForce] UserInfo.getSessionID() or connected app with consumer key and secret for a rest resource within a same org

UserInfo.getSessionId() now works in asynchronous code as of Winter '19. The sandbox that it's currently failing in is most likely in Summer '18. Once your sandbox is upgraded, it should work as expected.

API calls sometimes require a session ID and a URL. You can obtain that session ID using the System.UserInfo.getSessionId() method. This method previously returned null in asynchronous Apex, but it now returns a value whether it’s run synchronously or asynchronously.

Best Answer

Related Solutions

[SalesForce] Access rest service oauth

[SalesForce] UserInfo.getSessionID() or connected app with consumer key and secret for a rest resource within a same org

Related Topic