Salesforce Authentication Failing

For anyone who is as stuck and frustrated as I was, I’ve left a detailed blog post on the entire process (with pictures and ranty commentary!). Click the link if you want that: http://www.calvinfroedge.com/salesforce-how-to-generate-api-credentials/ Here is a text-only answer: Step 1: Create an account. You can create a (free) developer account at developer.salesforce.com Step …

What is the purpose of the implicit grant authorization type in OAuth 2?

Here are my thoughts: The purpose of auth code + token in authorization code flow is that token and client secret will never be exposed to resource owner because they travel server-to-server. On the other side, implicit grant flow is for clients that are implemented entirely using JavaScript and are running in resource owner’s browser. …

OAuth 2.0: Benefits and use cases — why?

Background: I’ve written client and server stacks for OAuth 1.0a and 2.0. Both OAuth 1.0a & 2.0 support two-legged authentication, where a server is assured of a user’s identity, and three-legged authentication, where a server is assured by a content provider of the user’s identity. Three-legged authentication is where authorization requests and access tokens come …

What are the main differences between JWT and OAuth authentication?

TL;DR If you have very simple scenarios, like a single client application, a single API then it might not pay off to go OAuth 2.0. On the other hand, if there are lots of different clients (browser-based, native mobile, server-side, etc.) then sticking to OAuth 2.0 rules might make it more manageable than trying to …

How can I use Django OAuth Toolkit with Python Social Auth?

A lot of the difficulty in implementing OAuth comes down to understanding how the authorization flow is supposed to work. This is mostly because this is the “starting point” for logging in, and when working with a third-party backend (using something like Python Social Auth) you are actually doing this twice: once for your API …

OAuth2 and Google API: access token expiration time?

You shouldn’t design your application based on specific lifetimes of access tokens. Just assume they are (very) short-lived. However, after a successful completion of the OAuth2 installed application flow, you will get back a refresh token. This refresh token never expires, and you can use it to exchange it for an access token as …