Working with Salesforce authorization

Your OpenFin integration with Salesforce depends in part on authorizing your app to make requests to the Salesforce REST API. Salesforce implements the OAuth 2.0 specification for authorization. This page explains how it works and what your app must provide to support authorization.

The Salesforce Web Server OAuth Flow uses the Authorization Code flow with PKCE (Proof Key for Code Exchange, pronounced "pixy"). PKCE lets a public client obtain tokens without a client secret: the app proves at the token endpoint that it is the same party that started the authorization request. This matters because a secret embedded in a client-side web app, which is what most OpenFin apps are, can be read by anyone who can read the app's code, so it cannot be kept secret.

For details, see the Salesforce documentation on OAuth 2.0 Web Server Flow for Web App Integration and the IETF standard for PKCE.

How it works with your app

The first time the OpenFin connect function is called, a child window is created that sends a request to the Salesforce authorization endpoint, starting the OAuth flow. The user is prompted to log in to Salesforce if they do not already have a session, and is then asked to authorize the app's access to the requested data; the consent screen lists the scopes (permissions) the app requested. After the user grants access, Salesforce redirects back to the app with an authorization code, which your app exchanges, together with the PKCE code verifier, for an access token and a refresh token. The app stores both tokens in local storage. Finally, the promise returned by the connect function resolves with a SalesforceConnection object.

Refresh tokens

Access tokens are valid for a limited time. When a request is rejected because the access token has expired, the app uses the stored refresh token to request a new access token without prompting the user again. If that request fails (for example, because the refresh token has expired or been revoked), the promise is rejected with an AuthorizationError, and your app must call connect again to take the user back through the authorization flow.
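The expiry, refresh and AuthorizationError paths above, as an added example written for this page (not OpenFin's code). Synchronous callbacks stand in for the fetch() calls to the Salesforce REST API and token endpoint so that it runs offline; the storage key and the token values are assumed.

```javascript
// Added example (not OpenFin's code): token storage, automatic refresh and
// the AuthorizationError path. Synchronous callbacks stand in for fetch().

class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'AuthorizationError';
  }
}

// Token store over a localStorage-shaped object (getItem/setItem/removeItem).
const STORAGE_KEY = 'salesforce.tokens'; // assumed key name
function loadTokens(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  return raw ? JSON.parse(raw) : null;
}
function saveTokens(storage, tokens) {
  storage.setItem(STORAGE_KEY, JSON.stringify(tokens));
}
function clearTokens(storage) {
  storage.removeItem(STORAGE_KEY);
}

// Make one REST call with the stored access token. On HTTP 401 (Salesforce
// answers with errorCode INVALID_SESSION_ID once the session is gone) refresh
// once and retry; if the refresh is rejected, wipe the stored tokens and throw
// AuthorizationError so the caller knows to run connect() again.
//   api(accessToken, request) -> { status, body }
//   refresh(refreshToken)     -> { access_token, ... } or throws
function callWithRefresh(storage, api, refresh, request) {
  const tokens = loadTokens(storage);
  if (!tokens || !tokens.access_token || !tokens.refresh_token) {
    throw new AuthorizationError('no stored tokens; call connect()');
  }
  let res = api(tokens.access_token, request);
  if (res.status !== 401) return res;

  let refreshed;
  try {
    refreshed = refresh(tokens.refresh_token);
  } catch (e) {
    clearTokens(storage); // a dead refresh token is useless; do not keep retrying it
    throw new AuthorizationError(`refresh failed: ${e.message}`);
  }
  // Keep the existing refresh token unless the response carried a new one.
  const next = { ...tokens, ...refreshed, refresh_token: refreshed.refresh_token || tokens.refresh_token };
  saveTokens(storage, next);

  res = api(next.access_token, request);
  if (res.status === 401) {
    clearTokens(storage);
    throw new AuthorizationError('fresh access token was rejected');
  }
  return res;
}

// In-memory stand-in for window.localStorage.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed stand-in for Salesforce: tracks which access tokens are live and
// whether the single refresh token 'rt-1' is still valid.
function makeFakeSalesforce() {
  const live = new Set(['at-1']);
  let refreshValid = true;
  let issued = 1;
  return {
    api: (accessToken, request) => (live.has(accessToken)
      ? { status: 200, body: { ok: true, request } }
      : { status: 401, body: [{ errorCode: 'INVALID_SESSION_ID', message: 'Session expired or invalid' }] }),
    refresh: (refreshToken) => {
      if (!refreshValid || refreshToken !== 'rt-1') throw new Error('invalid_grant');
      const at = `at-${++issued}`;
      live.add(at);
      return { access_token: at, issued_at: String(Date.now()) };
    },
    expireSession: () => live.clear(),
    revokeRefreshToken: () => { refreshValid = false; },
  };
}
```

Because the refresh token lives in local storage, any script running in the app's origin can read it, so treat script injection into the app as a token-theft risk, and clear the entry as soon as a refresh is rejected rather than leaving a dead credential behind.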