- Web server flow (Authorization Code Grant, in OAuth spec terms) tends to be used for web applications where server-side code needs to interact with Force.com APIs on the user's behalf, for example DocuSign. Tokens are sent directly from the Authorization Server to the OAuth Client app, never passing through the user's browser, which provides a high level of security.
- Username-Password flow (Resource Owner Password Credentials Grant) can be used for testing, or for apps that operate non-interactively, such as legacy integrations, without a user present to actively grant authorization. The client posts the user's credentials together with its own client id and secret, and receives the access token directly (placeholder values shown):

```
$ curl -d 'grant_type=password&client_id=3MV_CLIENT_ID&client_secret=1234&username=user@example.com&password=password' \
    https://login.salesforce.com/services/oauth2/token
{
  "id": "https://login.salesforce.com/id/ORG_ID/USER_ID",
  "issued_at": "1385271368428",
  "instance_url": "https://na15.salesforce.com",
  "signature": "Vcz4TlGBQJCwJzNtH3AHT/kUFLM4N/sFrJODX2ZNuyE=",
  "access_token": "00D_ACCESS_TOKEN"
}
```
Username-password is generally discouraged and should be used only where no other alternative is available: the client app handles the user's actual password, which defeats the main point of delegated authorization.
- User-Agent flow (Implicit Grant) tends to be used for mobile or desktop applications, for example Salesforce1 or Mobile SDK apps. Tokens are returned to the Client app via a 'hash fragment' on the redirect URL, so they are visible to the user agent rather than delivered server-to-server.
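The `signature` field in the token response above is worth checking rather than ignoring: Salesforce computes it as base64(HMAC-SHA256(consumer_secret, id + issued_at)), so a client can confirm the identity URL was not altered between the token endpoint and the app. The following is an added example (not code from the original post); the secret value and the sample response are constructed placeholders modelled on the curl output shown above.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the consumer secret is the client_secret used in the token request.
CLIENT_SECRET = "1234"


def expected_signature(identity_url: str, issued_at: str, client_secret: str) -> str:
    """Recompute what Salesforce should have signed: HMAC-SHA256 over id + issued_at."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (identity_url + issued_at).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_token_response(body: str, client_secret: str) -> bool:
    """Return True only when the response's signature matches its id and issued_at."""
    try:
        resp = json.loads(body)
        sig = expected_signature(resp["id"], resp["issued_at"], client_secret)
        presented = resp.get("signature", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed body or missing fields: treat as unverified
    # Constant-time comparison so a wrong guess does not leak timing information.
    return hmac.compare_digest(sig, presented)


def make_sample_response(client_secret: str,
                         identity_url: str = "https://login.salesforce.com/id/ORG_ID/USER_ID",
                         issued_at: str = "1385271368428") -> str:
    """Constructed token response in the same shape as the page's curl output."""
    return json.dumps({
        "id": identity_url,
        "issued_at": issued_at,
        "instance_url": "https://na15.salesforce.com",
        "signature": expected_signature(identity_url, issued_at, client_secret),
        "access_token": "00D_ACCESS_TOKEN",
    })


if __name__ == "__main__":
    body = make_sample_response(CLIENT_SECRET)
    print("valid:", verify_token_response(body, CLIENT_SECRET))
    print("tampered id:", verify_token_response(body.replace("USER_ID", "OTHER"), CLIENT_SECRET))
```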