Your OpenFin integration with Salesforce depends in part on authorizing your app to make requests to the Salesforce REST API. Salesforce implements the OAuth 2.0 specification for authorization. This page explains how it works and what your app must provide to support authorization.
The Salesforce Web Server OAuth Flow implements the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange, pronounced "pixy"). PKCE lets a public client authorize securely without a client secret, which cannot be stored safely in a client-side web app such as most OpenFin apps: instead of a secret, the app proves at token-exchange time that it is the same party that started the flow, so an authorization code intercepted in transit cannot be redeemed by anyone else.
The first time the OpenFin connect function is called, a child window is created that sends a request to the Salesforce authorization endpoint, which starts the OAuth flow. If the user is not already logged in to Salesforce, they are prompted to log in, after which they are asked to authorize access to the requested data; the window lists the scopes (permissions) the app is requesting. After the user grants authorization, Salesforce redirects back with an authorization code, which your app exchanges for an access token and a refresh token that it stores in local storage. Note that local storage is readable by any script running in the app's origin, so a cross-site scripting flaw in the app exposes both tokens; request only the scopes the app actually needs. Finally, the promise returned by the connect function resolves with a
Access tokens are valid for a short period of time, so when an access token has expired, the refresh token is used to request a new access token without prompting the user for authorization again. If that request fails (for example, because the refresh token has expired or been revoked), the promise is rejected with an AuthorizationError, and the connect function must be called again to take the user back through the authorization flow.