What is the difference between user agent flow, web server flow and Username-Password OAuth Authentication Flow in Salesforce?

  • Shaharyar

    Member
    September 13, 2017 at 12:06 pm
    • Web server flow (in OAuth spec terms, Authorization Code Grant) tends to be used for web applications where server-side code needs to interact with Force.com APIs on the user's behalf, for example DocuSign: tokens are sent directly from the Authorization Server to the OAuth Client app, providing a high level of security.
    • Username-Password flow (Resource Owner Password Credentials Grant) can be used for testing, or for apps that operate non-interactively, such as legacy integrations, without a user to actively give authorization:

      # placeholder credentials; username=... is the integration user's Salesforce login
      $ curl -d 'grant_type=password&client_id=3MV_CLIENT_ID&client_secret=1234&username=USERNAME&password=password' \
        https://login.salesforce.com/services/oauth2/token

      {
        "id": "https://login.salesforce.com/id/ORG_ID/USER_ID",
        "issued_at": "1385271368428",
        "instance_url": "https://na15.salesforce.com",
        "signature": "Vcz4TlGBQJCwJzNtH3AHT/kUFLM4N/sFrJODX2ZNuyE=",
        "access_token": "00D_ACCESS_TOKEN"
      }

      Username-password is generally discouraged and should be used only where no other alternative is available, due to the inherent problems with passwords.

    • User-Agent flow (Implicit Grant) tends to be used for mobile or desktop applications, for example Salesforce1 or Mobile SDK apps: tokens are returned to the Client app via a 'hash fragment' on a URL.
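The following is an added example, not code from the answer above, showing where each of the three flows delivers credentials. It uses Salesforce's real `/services/oauth2/authorize` and `/services/oauth2/token` endpoint paths; the client id, secret, authorization code and callback URLs are constructed placeholders.

```python
# Added example (not from the post): how each OAuth flow delivers credentials.
# Endpoint paths are Salesforce's OAuth 2.0 endpoints; client ids, secrets,
# codes and callback URLs are constructed placeholders.
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

# response_type selects the flow at the authorization endpoint.
RESPONSE_TYPE = {"web_server": "code", "user_agent": "token"}


def authorize_url(flow, client_id, redirect_uri):
    """Authorization request for the web-server (code) or user-agent (token) flow."""
    params = {"response_type": RESPONSE_TYPE[flow], "client_id": client_id,
              "redirect_uri": redirect_uri}
    return AUTHORIZE_URL + "?" + urlencode(params)


def seen_by_server(callback_url):
    """Only the query string reaches the redirect_uri server; the fragment never leaves the client."""
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}


def seen_by_client(callback_url):
    """Client-side code (browser, mobile app) can read the hash fragment."""
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).fragment).items()}


def token_request(flow, client_id, client_secret, **kw):
    """Body POSTed to TOKEN_URL. The user-agent flow never calls it: the token
    arrived in the fragment, so there is no server-side exchange and no secret."""
    if flow == "web_server":
        return {"grant_type": "authorization_code", "code": kw["code"],
                "client_id": client_id, "client_secret": client_secret,
                "redirect_uri": kw["redirect_uri"]}
    if flow == "password":
        return {"grant_type": "password", "client_id": client_id,
                "client_secret": client_secret, "username": kw["username"],
                "password": kw["password"]}
    raise ValueError(f"{flow}: this flow makes no token endpoint request")


# Constructed callbacks the authorization server would redirect to.
WEB_SERVER_CALLBACK = "https://app.example.com/callback?code=CONSTRUCTED_AUTH_CODE"
USER_AGENT_CALLBACK = ("https://app.example.com/callback"
                       "#access_token=00D_ACCESS_TOKEN&instance_url=https://na15.salesforce.com")

if __name__ == "__main__":
    print("server sees:", seen_by_server(USER_AGENT_CALLBACK))  # {} : token never reaches server logs
    print("client sees:", seen_by_client(USER_AGENT_CALLBACK))
    print(token_request("web_server", "3MV_CLIENT_ID", "1234",
                        code=seen_by_server(WEB_SERVER_CALLBACK)["code"],
                        redirect_uri="https://app.example.com/callback"))
```

The empty `seen_by_server` result for the user-agent callback is the point of the fragment: the access token is exposed only to the client, and the confidential-client exchange (code plus client secret) happens only in the web server flow.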
