OAuth 2.0 Web Server Flow for Web App Integration in Salesforce
To integrate an external web app with the Salesforce API, use the OAuth 2.0 web server flow, which implements the OAuth 2.0 authorization code grant type. This flow is meant for confidential clients: the server hosting the web app must be able to protect the connected app’s identity, defined by the client ID and client secret, so the secret is never shipped to a browser or a mobile binary.
Here’s an example use case for implementing the web server flow.
- A Help Desk user clicks the Order Status web app.
- The connected app posts an authorization code request to the Salesforce authorization endpoint.
- The user is redirected to the Salesforce login page. After a successful login, the user is asked to approve the app’s access to order status data.
- After the user approves the Order Status app to access the data, Salesforce sends a callback to the Order Status app with an authorization code.
- The Order Status app passes the authorization code to the Salesforce token endpoint, requesting an access token.
- Salesforce validates the authorization code, and sends back an access token that includes associated permissions in the form of scopes.
- The Order Status app sends a request back to Salesforce to access the order status data. The request includes the access token with associated scopes.
- Salesforce validates the access token and associated scopes.
- The Order Status app can access the protected data, and the customer’s order status is displayed in the app.
Note: If the access token expires or is revoked, the connected app can use the refresh token returned alongside it to obtain a new access token without sending the user back through login, provided the app requested the refresh_token scope.
Let’s take a closer look at each step of this authorization flow: