OAuth 2.0 Username-Password Flow In Salesforce

You can use the username-password flow to authorize a client via a connected app that already holds the user's credentials. We recommend avoiding this flow, because it sends the user's password (and the connected app's consumer secret) to the token endpoint on every authorization instead of a short-lived code or assertion. Use it only if there is a high degree of trust between the resource owner and the client, the client is a first-party app, Salesforce is hosting the data, and no other grant type is available. In those cases, assign the user the minimum permissions the client needs and protect the stored credentials from unauthorized access.

Here are the major steps involved in the username-password flow.

  1. The connected app requests an access token by sending the user’s login credentials to the Salesforce token endpoint.
  2. After verifying the request, Salesforce grants an access token to the connected app.
  3. The connected app can use the access token to access the protected data on the user’s behalf.

Request an Access Token

To request an access token, the connected app sends the user's username and password in an out-of-band POST to the Salesforce token endpoint. This POST body is an example.

grant_type=password&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
client_secret=1955279925675241571&
username=testuser@salesforce.com&
password=mypassword

Include these parameters in the POST body.

PARAMETER / DESCRIPTION

grant_type
  The OAuth 2.0 grant type that the connected app requests. The value must be password for this flow.

client_id
  The consumer key of the connected app. To access the consumer key, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details. You are sometimes prompted to verify your identity before you can view the consumer key.

client_secret
  The consumer secret of the connected app. To access the consumer secret, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details. You are sometimes prompted to verify your identity before you can view the consumer secret.

username
  The username of the user on whose behalf the connected app acts (the user it impersonates).

password
  The user's password. When the request comes from an IP address outside the org's trusted IP ranges, the user's security token must be appended directly to the end of the password, with no separator. The security token is an automatically generated key that the user can reset from their personal settings. A client that uses this flow with an API from an untrusted network should therefore provide a field on its login screen where users can enter their security token, and concatenate password and token before sending the request.

format
  Optional. The expected return format, used if the request's header doesn't specify one. The format parameter takes precedence over the request's header. Supported values: urlencoded, json (default), xml.

Salesforce Grants an Access Token

After the request is verified, Salesforce sends a response to the client.

{"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",
"issued_at":"1278448832702",
"instance_url":"https://yourInstance.salesforce.com/",
"signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=",
"access_token":"00Dx0000000BV7z!AR8AQAxo9UfVkh8AlV0Gomt9Czx9LjHnSSpwBMmbRcgKFmxOtvxjTrKW19ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs",
"token_type":"Bearer"}

Note: The username-password flow generates access tokens that are Salesforce Session IDs and can't be introspected. This flow doesn't support scopes or refresh tokens, so a client must send the password again whenever the session expires. Experience Cloud sites don't support the OAuth 2.0 username-password flow.
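The three steps above, end to end, as an added example that is not code from this page or from Salesforce: it builds the POST body (appending the security token to the password as the password parameter requires), refuses to send credentials to a non-TLS endpoint, submits the request through an injected transport, and turns a successful response into the Bearer header used for later REST calls. The endpoint URL https://login.salesforce.com/services/oauth2/token, the fake credentials and the offline stand-in endpoint are assumptions or constructed test data; the real transport function is included but not exercised offline.

```python
"""Username-password grant against the Salesforce token endpoint (added example)."""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Assumption: production login endpoint; sandboxes use https://test.salesforce.com instead.
TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token"

# Constructed credentials understood only by the fake endpoint below (not real values).
FAKE_CLIENT_ID = "3MVG9fakeconsumerkey"
FAKE_CLIENT_SECRET = "fakeconsumersecret"
FAKE_USERNAME = "testuser@salesforce.com"
FAKE_PASSWORD = "mypassword"
FAKE_SECURITY_TOKEN = "SECTOKEN123"


def build_token_request(client_id, client_secret, username, password, security_token=""):
    """Return (url, urlencoded body) for the grant. The security token is appended
    directly to the password; pass "" when the client's IP is in the org's trusted ranges."""
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }
    return TOKEN_ENDPOINT, urlencode(params)


def request_access_token(post, client_id, client_secret, username, password, security_token=""):
    """post(url, body_bytes, headers) -> (status, response_bytes).
    Returns the instance URL and the Authorization header to use on the REST API.
    Never log `body`: it carries the user's password and the consumer secret."""
    url, body = build_token_request(client_id, client_secret, username, password, security_token)
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS endpoint")
    status, raw = post(url, body.encode(), {"Content-Type": "application/x-www-form-urlencoded"})
    payload = json.loads(raw)
    if status != 200 or "access_token" not in payload:
        # Failures come back as {"error": "...", "error_description": "..."}
        raise PermissionError(payload.get("error_description") or payload.get("error") or "token request failed")
    return {
        "instance_url": payload["instance_url"].rstrip("/"),
        "headers": {"Authorization": payload.get("token_type", "Bearer") + " " + payload["access_token"]},
    }


def urllib_post(url, body, headers):
    """Real transport for use against Salesforce (not exercised offline)."""
    req = Request(url, data=body, headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def fake_token_endpoint(url, body, headers):
    """Constructed stand-in for the token endpoint: checks the grant the way the
    page describes it (password must carry the security token) and answers with a
    response shaped like the page's sample."""
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    ok = (form.get("grant_type") == "password"
          and form.get("client_id") == FAKE_CLIENT_ID
          and form.get("client_secret") == FAKE_CLIENT_SECRET
          and form.get("username") == FAKE_USERNAME
          and form.get("password") == FAKE_PASSWORD + FAKE_SECURITY_TOKEN)
    if not ok:
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "authentication failure"}).encode()
    return 200, json.dumps({
        "id": "https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",
        "issued_at": "1278448832702",
        "instance_url": "https://yourInstance.salesforce.com/",
        "access_token": "00Dx0000000BV7z!AR8AQ.constructedSessionId",
        "token_type": "Bearer",
    }).encode()


if __name__ == "__main__":
    session = request_access_token(fake_token_endpoint, FAKE_CLIENT_ID, FAKE_CLIENT_SECRET,
                                   FAKE_USERNAME, FAKE_PASSWORD, FAKE_SECURITY_TOKEN)
    # Step 3: later REST calls go to session["instance_url"] with session["headers"].
    print(session["instance_url"], session["headers"]["Authorization"][:20] + "...")
    try:  # same user from an untrusted network without the security token: rejected
        request_access_token(fake_token_endpoint, FAKE_CLIENT_ID, FAKE_CLIENT_SECRET,
                             FAKE_USERNAME, FAKE_PASSWORD)
    except PermissionError as err:
        print("rejected:", err)
```

Because the returned access token is a session ID with no refresh token, the client has to repeat this request, password and all, whenever the session expires; keep that re-authentication path as the only place the stored credential is read, and keep the request body out of logs and crash reports.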