[SalesForce] Using the Rest API using HTTP basic authentication without a connected app

I have been trying to find the different ways to authenticate to use the REST API and I have so far found that OAuth 2.0 is the only way to do it.
As I understand it, you need to have registered a connected app to obtain the client_id and client_secret to authenticate using OAuth.

Is there any way to authenticate and use the API without a connected app?
For example, using HTTP basic authentication? I know this is less secure than OAuth workflow; but I would like to know if this is possible.

Thanks.

Best Answer

yes its is possible without using OAuth.

Endpoint : https://www.salesforce.com/services/Soap/u/22.0

Method : POST

Body :

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:partner.soap.sforce.com">
 <soapenv:Header/>
 <soapenv:Body>
 <urn:login xmlns="urn:partner.soap.sforce.com">
 <urn:username>username</urn:username>
 <urn:password>password+Sectoken</urn:password>
 </urn:login>
 </soapenv:Body>
</soapenv:Envelope>

Headers :

Content-Type : text/xml

SOAPAction : ""

try this one using postman, you will get session Id and use this session id to call other REST Services

Related Solutions

[SalesForce] Possible Username-Password OAuth Authentication Flow security issues

Answering your questions in order:

In the interactive web server/user-agent flows, the user submits their credentials directly to Salesforce, and the app receives the short-lived access token and, optionally, a long-lived refresh token. The refresh token is scoped to that application, and may be revoked by the user or an admin at any time, without any impact on other applications. The admin can even set policy for refresh tokens, choosing to invalidate them after some period of inactivity etc. This is not true of username/password - the user shares their Salesforce credentials with the application. If, at a later time, the user decides that they do not trust that app, they needs to change their password at Salesforce, and update any other apps that might be holding the username and password.
The app is responsible for safely handling and, possibly, storing those credentials, which have much wider scope than the refresh token. It's not that the username/password flow is less secure than the interactive flows, it's that the responsibilities of the app are much greater, and the consequences, if the app does not fulfill those responsibilities, more severe.
They are not sent as URL parameters, but posted as application/x-www-form-urlencoded data - see this article.

I would advise you to consider one of the interactive flows, and store the refresh token, or even JWT Bearer Token flow, where the app creates a signed token, rather than username-password, which should be considered a last resort, when no other option is available.

[SalesForce] How to retrieve connected app using metadata API

Maybe somebody needs the code which creates connected app.

MetadataService.MetadataPort service = createService();
MetadataService.ConnectedApp connectedApp = new 
MetadataService.ConnectedApp();

connectedApp.label = 'Test 005';
connectedApp.fullName = 'Test_005';
connectedApp.contactEmail = 'email@email.com';

MetadataService.ConnectedAppOauthConfig oauthConfig = new 
MetadataService.ConnectedAppOauthConfig();

oauthConfig.consumerKey = 'yourConsumerKey';
oauthConfig.consumerSecret = 'yourConsumerSecret';
oauthConfig.scopes = new List<String>{'Basic', 'Api', 'Web', 'Full'};
oauthConfig.callbackUrl = 'https://www.google.com/';

connectedApp.oauthConfig = oauthConfig;

List<MetadataService.SaveResult> results = service.createMetadata(new 
MetadataService.Metadata[] { connectedApp });

Best Answer

Related Solutions

[SalesForce] Possible Username-Password OAuth Authentication Flow security issues

[SalesForce] How to retrieve connected app using metadata API

Related Topic