The OAuth flow is a web-based authentication method that lets a user authenticate to Salesforce in a secure way. In this post, I will demonstrate how to use Salesforce as the identity provider for a Node.JS app hosted on Heroku.
Prerequisites
Before starting, there are a few things to set up:
- A Heroku free account
- A Salesforce Sandbox
- A simple Node.JS app that I’ve developed for the purpose of this demo:
https://github.com/sutha2k/authNodeSF/releases/tag/v1.1
Step 1
Now it’s time to open your Salesforce Developer Edition instance and create a new Connected App.

Setting | Value |
---|---|
Connected App Name | NodeHeroku Integration |
API Name | NodeHerokuIntegration |
Contact Email | integration@yourmail.com |
Enable OAuth Settings | Checked |
Use digital signatures | Not Checked |
Callback URL | https://<your heroku instance>/oauth2/success |
Scope | Access your basic information (id, profile, email, address, phone); Perform requests on your behalf at any time (refresh_token, offline_access) |
Run as | Choose an integration user |
Save the new Connected App and wait a few minutes (2-10 minutes; it really won’t work otherwise), then copy the generated consumer key, consumer secret and callback URL, which will be used in the next steps.
Step 2
Click on Manage, then Edit Policies, and make sure you have the following options:
- Admin approved users are pre-authorized
- Enforce IP restrictions

Then click on Manage Profiles, select System Administrator and whatever other profiles you need.
Step 3
Create or use your Heroku account:
https://id.heroku.com/login
Then create a new app:

Go to Settings and click on “Reveal Config Vars“:

Provide the following information from your Salesforce org by creating new config vars:

If you want to run the application locally, you will need to create a file named “.env” containing those key/value pairs and set SERVER_ENV to “local“. The file should be placed at the project root.
Step 4
Now it’s time to connect Heroku to your GitHub repo, so you can commit and deploy your project directly:

Choose the repo containing the project and click on “Connect“. Alternatively, you can use the Heroku Toolbelt to push local files.

Choose Manual deploy, select the branch you want and then click on “Deploy Branch“. Your GitHub project will then be deployed to Heroku.

You can now click on “View” to open your running app on Heroku. You will get a simple page with the following message:
Welcome to Node.JS Auth with Salesforce
Step 5
You can now play with the available services.
First, get the authorization code. This endpoint redirects you to the Salesforce login page, where you enter your username and password:
https://<your app>.herokuapp.com/oauth2/authorize
Once validated, you will be redirected back to Heroku, where you can read the code:
{"code":"<returned code>"}
You can now get your access token and instance URL:
curl --location --request POST 'https://<your app>.herokuapp.com/oauth2/token?code=<returned code>'
Be sure to URL-encode any special characters in the code. You will get the following response, to be used with the secured endpoints:
{
"instance_url": "<your salesforce instance url>",
"access_token": "<your access token>"
}
Alternatively, you can call the following endpoint to get the same response, but it is not recommended (for testing purposes only): the username, password and security token travel in the URL query string, where they end up in server logs and browser history.
curl --location --request GET 'https://<your app>.herokuapp.com/oauth2/login?username=<your username>&password=<your password and token>'
You can now call a secured endpoint with your instance URL and bearer token:
curl --location --request GET 'https://<your app>.herokuapp.com/secured' \
--header 'instanceurl: <your SF instance url>' \
--header 'bearer: <your access token>'
The app will display:
Accessing secured resource
Step 6
Wondering how it is all wired? Here’s an explanation of the design I chose to implement:

Green paths are public and serve non-secured resources, while red paths are protected and require the user to be authenticated. Every time a user accesses a protected resource, the app verifies their identity by checking the validity of the provided token against Salesforce. If the token is still valid and the user is recognized by Salesforce, the route opens; otherwise they get an access error. The green paths allow the user to obtain the token by identifying themselves in Salesforce.
The Node.JS app uses a few dependencies:
- Express: to serve the web app and its routes
- JSForce: library to integrate with the Salesforce authentication endpoints
- dotenv: to load environment variables from the .env file
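To make the red-path check concrete, here is an added example of the guard that could sit in front of a protected route. It is not code from the authNodeSF repo: it reads the `instanceurl` and `bearer` headers that the curl command above sends, pins the instance URL to an HTTPS Salesforce host (the header is caller-controlled, so the app must not be steered to an arbitrary server), and asks Salesforce whether the token is still live before opening the route. The `/services/oauth2/userinfo` call and the `.salesforce.com` host suffix are assumptions; the live check is injectable so the header validation can be exercised offline.

```javascript
// Constructed example (not the project's code): guard for the red (protected) paths.
// Runs on Node 18+, which provides the global fetch().

const ALLOWED_HOST_SUFFIXES = [".salesforce.com"]; // assumption: the org lives on *.salesforce.com

// Pure, synchronous validation of the two headers. Returns either
// { ok: true, instanceUrl, token } or { ok: false, status, error }.
function checkAuthHeaders(headers, allowedSuffixes = ALLOWED_HOST_SUFFIXES) {
  const instanceUrl = headers["instanceurl"]; // Node lowercases header names
  const token = headers["bearer"];
  if (!instanceUrl || !token) {
    return { ok: false, status: 401, error: "missing instanceurl or bearer header" };
  }
  let url;
  try {
    url = new URL(instanceUrl);
  } catch {
    return { ok: false, status: 400, error: "instanceurl is not a URL" };
  }
  // The header comes from the caller: only ever contact an HTTPS host on the
  // Salesforce domain, so a forged header cannot point the app elsewhere.
  const hostOk = allowedSuffixes.some((suffix) => url.hostname.endsWith(suffix));
  if (url.protocol !== "https:" || !hostOk) {
    return { ok: false, status: 400, error: "instanceurl must be an https Salesforce URL" };
  }
  return { ok: true, instanceUrl: url.origin, token };
}

// Live check (assumption): Salesforce answers 200 with the user's identity on
// /services/oauth2/userinfo for a valid token, and 401/403 once it is expired or revoked.
async function verifyWithSalesforce(instanceUrl, token) {
  const res = await fetch(`${instanceUrl}/services/oauth2/userinfo`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  return res.ok ? res.json() : null;
}

// Express-style middleware factory; `verify` is injectable for offline testing.
// Usage: app.get("/secured", requireSalesforceUser(), (req, res) => res.send("Accessing secured resource"));
function requireSalesforceUser(verify = verifyWithSalesforce) {
  return async (req, res, next) => {
    const check = checkAuthHeaders(req.headers);
    if (!check.ok) return res.status(check.status).json({ error: check.error });
    const identity = await verify(check.instanceUrl, check.token);
    if (!identity) return res.status(403).json({ error: "token rejected by Salesforce" });
    req.user = identity; // e.g. { user_id, organization_id, email, ... }
    return next();
  };
}
```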
Conclusion
This was my first attempt at coding a Node.JS app, and I’m really happy to have made it work for an interesting use case involving Heroku and Salesforce. There are a lot of connectors on the market that you can use for enterprise-level designs and use cases, but here the goal was to take on a small challenge.
I hope you enjoyed reading this article; see you soon for the next one ...