developerforce / Force.com-JavaScript-REST-Toolkit

ForceTK - a minimal Force.com REST API for JavaScript apps
BSD 3-Clause "New" or "Revised" License

Client Secret? #55

Closed justechn closed 10 years ago

justechn commented 10 years ago

I am trying to adapt your code to work with my REST API, and I am stuck at getting the refresh token. According to this page https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Obtaining_an_Access_Token_in_a_Web_Application_.28Web_Server_Flow.29 after getting the access token I need to do a grant_type=authorization_code to get the refresh token and I need to pass in the client_secret, but I don't see anywhere in your code that you are using this. Can you help me understand what you are doing differently?

Thanks

justechn commented 10 years ago

Ok, I think I understand a little better. It looks like you are using the User-Agent workflow found a little further down the page https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Obtaining_an_Access_Token_in_a_Browser_or_Native_Application_.28User-Agent_Flow.29; however, in the docs it says the user-agent workflow is supposed to return a redirect_token, but I don't get one, and your code does not seem to handle one coming back from the original response_type=token authorization. So when I try and query Salesforce I get a 401 error. I followed your code and I call grant_type=refresh_token, but I get a 400 error back. I assumed this was because I was not passing the client secret, but now I see that is not required. So what could be causing the 400 error? I don't get any kind of message with it.

justechn commented 10 years ago

ok, now I see this in the docs

Note that refresh_token is only sent if either of the following is the case: the redirect URI has a custom (non-https) scheme, or the redirect URL is exactly https://login.salesforce.com/services/oauth2/success, or on Force.com Sandbox, https://test.salesforce.com/services/oauth2/success.

Why would they send a refresh token to a non-https url, but not to a https url?

oscartcy commented 10 years ago

Sorry, but I want to reopen this issue. I am hosting a node.js page outside Salesforce. Using user-agent flow in ForceTK does not return a refresh token after auth, as mentioned by @ryanmc2033. Every time I refresh the page it requires me to authorize the app again and again because the client browser did not store the refresh token.

I think I should use web server flow in my use case. Will ForceTK support this workflow too? At this moment I don't think ForceTK supports hosting the page outside Salesforce.

metadaddy commented 10 years ago

@oscartcy Yes, you should use web server flow. You will need to code the flow up yourself (it isn't difficult - a redirect and a post), but you could then render the access token in the Node.js page for JavaScript to use it with ForceTK. You would also have to think about refreshing the access token when it expires.
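The "redirect and a post" described above, written out as an added Node.js example (not ForceTK code and not from this thread's participants): the authorize redirect, the server-side code exchange with the client_secret, and the refresh request for an expired access token. The login host, client id/secret, redirect URI and sample token values are constructed placeholders.

```javascript
// Added example, not part of ForceTK: the Salesforce OAuth 2.0 web server flow as
// small Node.js helpers. Host, client id/secret and redirect URI are placeholders.
const LOGIN_HOST = 'https://login.salesforce.com'; // https://test.salesforce.com for a sandbox
const TOKEN_URL = `${LOGIN_HOST}/services/oauth2/token`;

// Step 1 (the "redirect"): send the browser to the authorize endpoint. `state` is an
// unguessable per-session value the callback must compare against (CSRF protection).
function buildAuthorizeUrl({ clientId, redirectUri, state }) {
  const u = new URL('/services/oauth2/authorize', LOGIN_HOST);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('state', state);
  return u.toString();
}

// Step 2 (the "post"): the callback receives ?code=...&state=...; build the server-side
// token request. The client_secret is used here and never leaves the server.
function buildCodeExchange({ clientId, clientSecret, redirectUri, code }) {
  return { url: TOKEN_URL, body: new URLSearchParams({
    grant_type: 'authorization_code', client_id: clientId,
    client_secret: clientSecret, redirect_uri: redirectUri, code }) };
}

// Step 3: when the access token expires (API calls start returning 401), refresh it
// server-side with the stored refresh token; only the new access token goes to the page.
function buildRefresh({ clientId, clientSecret, refreshToken }) {
  return { url: TOKEN_URL, body: new URLSearchParams({
    grant_type: 'refresh_token', client_id: clientId,
    client_secret: clientSecret, refresh_token: refreshToken }) };
}

// Validate the token endpoint's JSON: ForceTK needs access_token plus instance_url.
function parseTokenResponse(json) {
  if (json.error) throw new Error(`${json.error}: ${json.error_description || ''}`);
  if (!json.access_token || !json.instance_url) throw new Error('incomplete token response');
  return { accessToken: json.access_token, instanceUrl: json.instance_url,
           refreshToken: json.refresh_token || null };
}

// Send a built request with Node's global fetch (Node 18+) and parse the reply.
async function sendTokenRequest({ url, body }) {
  const res = await fetch(url, { method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body });
  return parseTokenResponse(await res.json());
}
```

On the callback route, compare the returned `state` to the session value before calling `sendTokenRequest(buildCodeExchange(...))`, keep the refresh token in server-side session storage, and render only `accessToken` and `instanceUrl` into the page for ForceTK.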

oscartcy commented 10 years ago

OK, thanks. Just in case, if I have implemented the web-server flow, I may send a pull request.

oscartcy commented 10 years ago

@metadaddy-sfdc According to my understanding, although User-Agent flow does not provide a refresh token to an external host, it is still a valid and secure way to authorize a web app on Heroku, right?

I think the difference between web server flow and user-agent flow is the existence of a refresh token. If I use user-agent flow in my case, users have to log in again when the session times out, right? When should I use each flow? Could you suggest any criteria which can guide me to choose between them?

metadaddy commented 10 years ago

User-Agent flow will give you a refresh token, but only for redirect URLs with a custom scheme or the special URL https://login.salesforce.com/services/oauth2/success, or on a sandbox, https://test.salesforce.com/services/oauth2/success.

I wrote a guide to choosing your flow on this StackExchange answer: http://salesforce.stackexchange.com/questions/21090/differences-between-oauth-web-server-flow-user-agent-flow-username-password-fl/21114#21114

See also https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com

oscartcy commented 10 years ago

@metadaddy-sfdc Thank you for your prompt reply. Your guide clarifies my understanding of those OAuth flows. We have the following scenario. Our web app is hosted on Heroku and it does not require server-side interaction with SFDC; does it mean that both web server flow and user agent flow suit our needs? Any further criteria to choose between them?

metadaddy commented 10 years ago

Use the web server flow - that way you'll get a refresh token. The server-side interaction is very straightforward - just a post.

oscartcy commented 10 years ago

@metadaddy-sfdc So the user agent flow is really for desktop/mobile apps only but not web apps? I am thinking about what the cons would be for our web app to follow the user agent flow - we are planning to integrate with the SFDC API on the client side but not the server side.

Once again thank you for your help.

metadaddy commented 10 years ago

The con for a web app using user agent flow is no refresh token, so the user has to log in every time.