Client Credential Flow

-
Client Credentials Flow is simple and easy authentication mechanism which Salesforce has newly introduced in Spring 23. This flow comes handy when you want to connect your app to Salesforce APIs outside the context of any particular user

What does the Client Credential Flow brings to the table?

- Consumer key and secret becomes the client credentials
- Eliminates the need for explicit user credential sharing
- More secure alternative to the OAuth 2.0 username password flow


How client credential flow is more secure and easy to maintain than username password flow?

There are two primary reasons which makes the client credential flow more secure
1. To get the access token, explicit user credentials are not required thus, encapsulates the user context
2. Client Id and Client Secret are comparatively long and random

As the explicit user context is not known to third party application thus, it makes the integration dynamic and easy to maintain.

Suppose, we have an integration which use username password flow. So, to get access token one has to pass client id, client secret, grant type, username and password. If the user is no longer part of the organization then new user credentials needs to be shared with third party. However, if the integration is using client credentials flow, no explicit user creds are shared and user context can be easily changed from the connected app without impacting the integration.



How to enable Client Credential Flow in org?

1. To use client credentials flow, a connected app is required. In new or existing connected app check the Enable Client Credentials Flow checkbox under API (Enable OAuth Settings)


2. In the connected app policies specify Run As user under Client Credentials Flow section




What can be done if you feel like client key and client secret is compromised?

Connected app provides a way to generate new client id and secret and allows you apply those new credentials to update in connected app.

                             


Thanks for your time to go through the post, hope it helps!

Popular posts from this blog

Create File versions from Apex

-
Image
In Lightning Experience, Salesforce Files unifies your files, documents, and libraries into a single place for easier management. Files can be created from different places like Lightning Components, LWC and integrations i.e. via apex. In majority scenarios, the requirement is around creating a file and associating it with some sObject record.  Below script can be to create a file in Salesforce. HttpRequest req = new HttpRequest () ; req.setEndpoint ( 'https://images.pexels.com/photos/2052217/pexels-photo-2052217.jpeg?auto=compress&cs=tinysrgb&dpr=1&w=500' ) ; req.setMethod ( 'GET' ) ; HttpResponse res = new Http () .send ( req ) ; if ( res ! = null ) { Blob imageBlob = res.getBodyAsBlob () ; String fileName = 'Ssshhh' ; // Creates the contentversion and implicitly creates content document ContentVersion cv = new ContentVersion () ; cv.Title = fileName; cv.PathOnClient = fileName
Read more

Run as different user in Apex

-
Yes, you read it right; running apex as different user who has higher access levels than logged in user is now possible in Salesforce using Platform Events . Platform events are executed as  Automated Process user . Processing records in system mode or async apex like  batch jobs are the commonly used workarounds for this. However there are few use cases where these workarounds can not help. We are going to see one of such use case. Use Case: If event is created with attendees then, only organizer can edit the event. This is standard Salesforce behavior. And there is business requirement that, attendees should be able to update few fields on event. Solution: Lets first analyze what is event with attendees means. Whenever a event is created with attendees, Salesforce creates separate events for organizer and attendees. These events are linked to each other, any update to organizer event is propogated to all attendee events automatically.  For organizer event IsChild is set to false an
Read more

Creating JKS certificate for JWT Bearer flow in Salesforce

-
JWT stands for Json Web Token. Salesforce supports JWT for authentication however, JWT should be signed using RSA SHA256 algorithm. This algorithm needs private and public key for signature. OpenSSL can be used to create private and public key and the same can be converted to specific certificate format. You can get OpenSSL here . Creating self-signed certificate: Below is the consolidated list of OpenSSL commands to create a self signed certificate. Generate a private key openssl genrsa -des3 -passout pass:<Password> -out server.pass.key 2048 openssl rsa -passin pass:<Password> -in server.pass.key -out server.key Generate a certificate signing request using the server.key file. A challenge password would asked with other information. Keep the passwords same to avoid certificate corruption. openssl req -new -key server.key -out server.csr Generate a self-signed digital certificate from the server.key and server.csr files openssl x509 -req -sha256 -days 365 -in server.csr -
Read more