The REST API and OAuth2 implementation on the Salesforce platform provide a powerful and convenient web services API for interaction between external apps and Salesforce. The REST API uses the same underlying data model as the SOAP API. For secure interaction with third-party apps, Salesforce enforces an authentication process. As part of this process, users do not need to store or cache their username or password; instead, access is granted via tokens. To authenticate a user, one of these three approaches can be used, depending on the type of application being designed and the level of user interactivity:

  1. Web Server Flow: The consumer key is protected by the server.
  2. User-Agent Flow: Used by apps that cannot store the consumer secret securely.
  3. Username-Password Flow: The app has the right to access the user's credentials directly.

After successful authentication, the user's application is granted an access token, with which it can perform REST API functions.

Connected App for OAuth

To perform OAuth in Salesforce, you must create a Connected App in Salesforce. A Connected App can be thought of as an intermediate authentication layer between the Salesforce data model and the client application. Steps for creating a sample Connected App in Salesforce are available at the following link. Once a Connected App is configured in Salesforce, you get a consumer key and a consumer secret for the OAuth implementation in the client application.

OAuth Endpoints in Salesforce

These are the URLs used to make OAuth authentication requests:


Token Request:

Shown below is the web server OAuth Authentication Flow

From the figure, steps 1-3 can be implemented in a C# program as shown below.

Obtain the authorization code by passing the consumer key and consumer secret:

After executing this code you will get an authorization code. Using this authorization code, the consumer key and the consumer secret, you can obtain the access token. With the access token you can perform REST API functions.

Access Data from salesforce using REST API with Access Token

The code shown above can be used to get Account details from your Salesforce account.

Note: You do not need to store or cache your credentials; instead, you just need to pass the consumer key and consumer secret of the Connected App. Make sure that these are not hardcoded in your website's or app's source code or config file. Also please make sure not to encrypt and store your access token for improved security.
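The web server flow steps described above, as an added C# example that is not the author's original code. It builds the three requests without sending them so that it runs offline, and assumes .NET 6 or later; the environment variable names, redirect URI, sample code and token values, and the API version string are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text.Json;

// Offline walk-through. Environment variable names and all sample values are constructed.
string key = Environment.GetEnvironmentVariable("SF_CONSUMER_KEY") ?? "SAMPLE_CONSUMER_KEY";
string secret = Environment.GetEnvironmentVariable("SF_CONSUMER_SECRET") ?? "SAMPLE_CONSUMER_SECRET";
string redirect = "https://app.example.com/oauth/callback";

Console.WriteLine(Flow.AuthorizeUrl(key, redirect, out string state)); // step 1: redirect the browser here
// Step 2: the callback returns ?code=...&state=...; reject it unless state equals the stored value.
var tokenRequest = Flow.TokenRequest("SAMPLE_AUTH_CODE", key, secret, redirect);
Console.WriteLine(tokenRequest.RequestUri); // send with HttpClient.SendAsync; the secret stays in the POST body
// Step 3: constructed token response standing in for the server's JSON reply.
string reply = "{\"access_token\":\"SAMPLE_TOKEN\",\"instance_url\":\"https://example.my.salesforce.com\"}";
Console.WriteLine(Flow.AccountQuery(reply, "v59.0").RequestUri); // API version is an assumed value

static class Flow
{
    const string Login = "https://login.salesforce.com/services/oauth2";

    public static string AuthorizeUrl(string key, string redirect, out string state)
    {
        state = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)); // anti-CSRF value, keep in the session
        return $"{Login}/authorize?response_type=code&client_id={Uri.EscapeDataString(key)}" +
               $"&redirect_uri={Uri.EscapeDataString(redirect)}&state={state}";
    }

    public static HttpRequestMessage TokenRequest(string code, string key, string secret, string redirect) =>
        new(HttpMethod.Post, $"{Login}/token") { Content = new FormUrlEncodedContent(new Dictionary<string, string> {
            ["grant_type"] = "authorization_code", ["code"] = code, ["client_id"] = key,
            ["client_secret"] = secret, ["redirect_uri"] = redirect }) };

    public static HttpRequestMessage AccountQuery(string tokenJson, string apiVersion)
    {
        using var doc = JsonDocument.Parse(tokenJson);
        string token = doc.RootElement.GetProperty("access_token").GetString()!;
        string instance = doc.RootElement.GetProperty("instance_url").GetString()!;
        if (!instance.StartsWith("https://", StringComparison.Ordinal)) // never send a bearer token over plain HTTP
            throw new InvalidOperationException("instance_url is not HTTPS");
        string soql = Uri.EscapeDataString("SELECT Id, Name FROM Account LIMIT 5");
        var request = new HttpRequestMessage(HttpMethod.Get, $"{instance}/services/data/{apiVersion}/query?q={soql}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return request;
    }
}
```

The token exchange runs server-side only, so the consumer secret never reaches the browser; the access token travels in the `Authorization` header rather than in the query string.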


Author : Sulfikar Nasar Date : 10 Mar 2014