Choosing a Flow
Now that you’ve built a Customer Order Status connected app for Help Desk users, you need to implement a flow for the app. Since the connected app is integrating an external web service (the Customer Order Status website) with the Salesforce API, you want to use the OAuth 2.0 web server flow. This authorization flow uses the authorization code grant type. If you need a refresher on this OAuth 2.0 flow, you can look back at the Connected App Basics module.
Request an Authorization Code
To initiate the OAuth 2.0 web server flow, the Customer Order Status web service—via the connected app—posts an authorization code request (using the authorization code grant type) to the Salesforce authorization endpoint. An authorization code is like a visitor’s badge. With it, the connected app can prove that it’s been authorized as a safe visitor to the site, and it has permission to request an access token.
The call is made in the form of an HTTP redirect, such as the following.
https://mycompany.my.salesforce.com/services/oauth2/authorize?client_id=3MVG9IHf89I1t8hrvswazsWedXWY0i1qK20PSFaInvUgLFB6vrcb9bbWFTSIHpO8G2jxBLJA6uZGyPFC5Aejq&redirect_uri=https://www.mycustomerorderstatus.com/oauth2/callback&response_type=code
If you’re not familiar with these types of calls, don’t worry. Let’s break it down into its individual components.
Component 1
https://mycompany.my.salesforce.com/services/oauth2/authorize
This address is the Salesforce instance’s OAuth 2.0 authorization endpoint. It’s the endpoint where your connected apps send OAuth authorization requests.
Component 2
client_id=3MVG9IHf89I1t8hrvswazsWedXWY0i1qK20PSFaInvUgLFB6vrcb9bbWFTSIHpO8G2jxBLJA6uZGyPFC5Aejq
The client ID is the connected app’s consumer key. To access the consumer key, from the connected app’s Manage Connected Apps page, click Manage Consumer Details, and then verify your identity.
Component 3
redirect_uri=https://www.mycustomerorderstatus.com/oauth2/callback
The redirect URI is where users are redirected after a successful authorization. The redirect URI is the connected app’s callback URL, which you can also find on the connected app’s Manage Connected Apps page.
For your connected app, use the callback URL https://openidconnect.herokuapp.com/callback that you entered in Unit 1: Create a Connected App.
Component 4
response_type=code
The response type tells Salesforce which OAuth 2.0 grant type the connected app is requesting. The response type of code indicates that the connected app is requesting an authorization code.
Authenticate the User and Grant Access to the App
Before Salesforce provides an authorization code to the connected app, you need to authenticate yourself by logging in to your Salesforce org.
After successfully logging in, click Allow to authorize the connected app to access your Salesforce org’s data.
Receive a Callback
After you authorize the app, Salesforce sends a callback to the connected app with an authorization code.
https://www.mycustomerorderstatus.com/oauth2/callback?code=aPrx4sgoM2Nd1zWeFVlOWveD0HhYmiDiLmlLnXEBgX01tpVOQMWVSUuafFPHu3kCSjzk4CUTZg==
Component 1
The first part of the callback is the connected app’s callback URL.
https://www.mycustomerorderstatus.com/oauth2/callback
Component 2
The second part is the authorization code, approving the app.
code=aPrx4sgoM2Nd1zWeFVlOWveD0HhYmiDiLmlLnXEBgX01tpVOQMWVSUuafFPHu3kCSjzk4CUTZg==
Request an Access Token
Now that the connected app has a valid authorization code, it passes it to the Salesforce token endpoint to request an access token.
POST /services/oauth2/token HTTP/1.1
Host: mycompany.my.salesforce.com
Content-length: 307
Content-type: application/x-www-form-urlencoded

grant_type=authorization_code&code=aPrxhgZ2MIpkSy0aOdn07LjKFvsFOis6RGcWXz7p8JQCjcqfed5NQLe7sxWwMY_JQFuLwHRaRA==&client_id=3MVG9IHf89I1t8hrvswazsWedXWY0iqK20PSFaInvUgLFB6vrcb9bbWFTSIHpO8G2jxBLJA6uZGyPFC5Aejq&client_secret=*******************&redirect_uri=https://www.mycustomerorderstatus.com/oauth2/callback
Let’s look at the individual components of this call, too.
Component 1
POST /services/oauth2/token HTTP/1.1
Host: mycompany.my.salesforce.com
Content-length: 307
Content-type: application/x-www-form-urlencoded
The first two lines of this component are the POST request being made to the Salesforce instance’s OAuth 2.0 token endpoint. This endpoint is where your connected apps send access and refresh token requests.
The next two lines are headers that give the length and media type of the request body.
Component 2
grant_type=authorization_code
The grant type defines the type of validation that the connected app can provide to prove it's a safe visitor. In this case, it's providing an authorization code.
Component 3
code=aPrxhgZ2MIpkSy0aOdn07LjKFvsFOis6RGcWXz7p8JQCjcqfed5NQLe7sxWwMY_JQFuLwHRaRA
The authorization code is a temporary value that you get from the authorization server (Salesforce in this case). The connected app uses this code in exchange for an access token. This type of OAuth 2.0 flow is a secure way to pass the access token back to the application.
Component 4
client_id=3MVG9IHf89I1t8hrvswazsWedXWY0i1qK20PSFaInvUgLFB6vrcb9bbWFTSIHpO8G2jxBLJA6uZGyPFC5Aejq
This component should look familiar to you, too. It’s the connected app’s consumer key from the Manage Connected Apps page.
Component 5
client_secret=*******************
The client secret is the same as the connected app’s consumer secret. You access the consumer secret the same way you access the consumer key. From the Manage Connected Apps page, click Manage Consumer Details, and then verify your identity.
Component 6
redirect_uri=https://www.mycustomerorderstatus.com/oauth2/callback
Do you remember this component from the first 2 calls? It’s the connected app’s callback URL.
Receive an Access Token
When you built the connected app, you selected the Require Secret for Web Server Flow option. This requirement means that Salesforce can’t give an access token to the connected app unless the app sends a valid consumer secret. So in this step, Salesforce validates the connected app’s authorization code, consumer key, and consumer secret.
After Salesforce validates the connected app’s credentials, it sends back an access token in a JSON format. The access token also includes associated permissions in the form of scopes, and an ID token for the app.
{
  "access_token": "00DB0000000TfcR!AQQAQFhoK8vTMg_rKA.esrJ2bCs.OOIjJgl.9Cx6O7KqjZmHMLOyVb.U61BU9tm4xRusf7d3fD1P9oefzqS6i9sJMPWj48IK",
  "signature": "d/SxeYBxH0GSVko0HMgcUxuZy0PA2cDDz1u7g7JtDHw=",
  "scope": "web openid",
  "id_token": "eyJraWQiOiIyMjAiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiSVBRNkJOTjlvUnUyazdaYnYwbkZrUSIsInN1YiI6Imh0dHBzOi8vbG9...",
  "instance_url": "https://mycompany.my.salesforce.com",
  "id": "https://mydomain.my.salesforce.com/id/00DB0000000TfcRMAS/005B0000005Bk90IAC",
  "token_type": "Bearer",
  "issued_at": "1558553873237"
}
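The four calls above, as an added example that is not part of the Trailhead unit: a minimal client for the web server flow using only the Python standard library. The login host, consumer key and callback URL are the unit's sample values; the client secret is a placeholder, and the state parameter (absent from the unit's request) is an addition that ties the callback to the session that started the flow.

```python
# Added example (not from the Trailhead unit): OAuth 2.0 web server flow
# client with the Python standard library. Host, client ID and callback URL
# are the unit's sample values; `state` is an addition the unit's request
# omits, used to bind the callback to the session that started the flow.
import json
import secrets
import urllib.parse
import urllib.request

LOGIN_HOST = "https://mycompany.my.salesforce.com"
CLIENT_ID = "3MVG9IHf89I1t8hrvswazsWedXWY0i1qK20PSFaInvUgLFB6vrcb9bbWFTSIHpO8G2jxBLJA6uZGyPFC5Aejq"
REDIRECT_URI = "https://www.mycustomerorderstatus.com/oauth2/callback"


def build_authorize_url(login_host, client_id, redirect_uri, state):
    """Step 1: the redirect that sends the user to the authorization endpoint.
    `state` is a random value kept in the user's session so the callback can
    be checked against the request that started it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{login_host}/services/oauth2/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the callback Salesforce
    sends. Rejects error responses and callbacks whose state does not match."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: callback not tied to this session")
    return query["code"][0]


def build_token_request(login_host, code, client_id, client_secret, redirect_uri):
    """Step 3: the POST to the token endpoint. Every parameter goes in the
    form-encoded body, not the URL, so the secret stays out of access logs."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{login_host}/services/oauth2/token", body, headers


def parse_token_response(json_text):
    """Step 4: keep the values a client actually needs from the token JSON
    and check that the token type is the one the REST API expects."""
    data = json.loads(json_text)
    if data.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type: {data.get('token_type')}")
    return {
        "access_token": data["access_token"],
        "instance_url": data["instance_url"],
        "scope": data.get("scope", "").split(),
    }


def exchange_code(login_host, code, client_id, client_secret, redirect_uri):
    """Perform step 3 against a live org (network access required)."""
    url, body, headers = build_token_request(login_host, code, client_id, client_secret, redirect_uri)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # store this in the user's session
    print("Send the user to:", build_authorize_url(LOGIN_HOST, CLIENT_ID, REDIRECT_URI, state))
```

The callback handler calls parse_callback with the state saved in the session, then exchange_code; if the state check fails the code is discarded and the flow is restarted.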
Your Turn
Now it’s your turn to test out the OAuth 2.0 web server flow. Because sensitive information is passed between the Salesforce instance and the callback URL during the flow, it’s critical that this information isn’t passed to arbitrary locations. To securely demonstrate the authorization flow, we’re using a secure OpenID Connect Playground built just for this purpose. The OpenID Connect Playground is hosted on a secure Heroku server that shows the authorization flow while protecting your data.
When you implement this flow in the real world, it’s imperative to use a secure host for the callback URL so that your data is kept safe.
Let’s get started. First, collect some information about the connected app that you created in step 1 of this project.
- Consumer Key
- Consumer Secret
- Callback URL
You also need your Trailhead playground’s domain name, which you can find in Setup | My Domain.
Give It a Try
- Open the OpenID Connect Playground.
- Copy your Trailhead playground’s domain name, and paste it after https:// as the login host.
- Paste your connected app’s consumer key.
- Paste your connected app’s consumer secret. (The OpenID Connect Playground uses POST to submit information, meaning your client secret is not logged.)
- Verify that your connected app’s callback URL matches the Redirect URI (Callback URL).
Tip You entered this callback URL in Step 1 of this project.
- Click Next to send a request for an authorization code. If you receive a prompt to allow the OpenID Connect playground to access your Trailhead playground, go ahead and click Allow. With a successful request, you receive an authorization code. On the right side of the page, you can view your authorization request and the Heroku server’s response. These should look similar to the request and response we showed above.
- Click Next to request an access token. With a successful request, you receive both an access token and an ID token. On the right side of the page, you can view your access token request and the Heroku server’s response. These should look similar to the request and response we showed above.
- Click Next again to pass the access token back to the Heroku server. The Heroku server should respond with your connected app’s metadata.
Extra Credit: Access Order Status Data
Congratulations! You’ve successfully implemented the OAuth 2.0 web server flow. Now the Customer Order Status connected app can send a request to your Salesforce org to access the order status data for a specific order. The connected app’s request includes the access token. After your Salesforce org validates the access token and associated scopes, it grants the app access to order status data.
If you want to go above and beyond the confines of this trail, you can retrieve order status by doing the following.
- Create an order in your Trailhead playground. See Orders in Salesforce Help.
- Use the appropriate cURL query to retrieve your new order’s status through the Salesforce REST API.
Tip The macOS platform automatically supports cURL, as does Windows 10 build 17063. If your platform doesn’t have cURL already installed, you can download it from https://curl.haxx.se/.
If you are using a platform other than macOS or Windows, such as Linux, modify the cURL query as needed to comply with your platform requirements.
Mac cURL query:
curl https://<your_trailhead_domain>/services/data/v55.0/sobjects/Order/<order_ID>\?fields\=Status -H 'Authorization: Bearer <access_token>' -H "X-PrettyPrint:1"
Windows cURL query:
curl https://<your_trailhead_domain>/services/data/v55.0/sobjects/Order/<order_ID>?fields=Status -H "Authorization: Bearer <access_token>" -H "X-PrettyPrint:1"
In the cURL query, make sure to replace:
- <your_trailhead_domain> with your Trailhead playground’s domain name.
- <order_ID> with the order ID that’s located in the URL of the Order page.
- <access_token> with the access token you received from the OpenID Connect playground.
With a successful query, you should receive a response like this one:
{
  "attributes" : {
    "type" : "Order",
    "url" : "/services/data/v55.0/sobjects/Order/8014P000001s9OLXXX"
  },
  "Status" : "Draft",
  "Id" : "8014P000001s9OLXXX"
}
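The same order status query in Python, as an added example that is not part of the Trailhead unit. It builds the request the cURL query sends and separates a successful response from the 401 INVALID_SESSION_ID error Salesforce returns for an expired or invalid access token; the domain, order ID and token are placeholders for your own values.

```python
# Added example (not from the Trailhead unit): fetch an order's Status through
# the REST API with the bearer token from the web server flow. Domain, order
# ID and token are placeholders; the API version is the one the unit uses.
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "v55.0"


def build_order_status_url(domain, order_id, fields=("Status",)):
    """Same GET as the cURL query: the Order record, limited to the requested
    fields. `domain` is the Trailhead playground domain without a scheme."""
    path = f"/services/data/{API_VERSION}/sobjects/Order/{urllib.parse.quote(order_id, safe='')}"
    return f"https://{domain}{path}?" + urllib.parse.urlencode({"fields": ",".join(fields)})


def parse_order_response(http_status, body_text):
    """Return the Status field on success. An expired or invalid access token
    comes back as HTTP 401 with errorCode INVALID_SESSION_ID in a JSON array;
    surface that distinctly so the caller knows to repeat the flow."""
    data = json.loads(body_text)
    if http_status == 200:
        return data["Status"]
    if http_status == 401 and any(e.get("errorCode") == "INVALID_SESSION_ID" for e in data):
        raise PermissionError("access token expired or invalid; repeat the web server flow")
    raise RuntimeError(f"HTTP {http_status}: {body_text}")


def get_order_status(domain, order_id, access_token):
    """Live call (network access required). The token travels only in the
    Authorization header, never in the URL, so it does not end up in logs."""
    req = urllib.request.Request(
        build_order_status_url(domain, order_id),
        headers={"Authorization": f"Bearer {access_token}", "X-PrettyPrint": "1"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_order_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_order_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Replace the placeholders before running against a real org.
    print(get_order_status("<your_trailhead_domain>", "<order_ID>", "<access_token>"))
```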
Time to Manage Your Connected App
Now it’s time to play the role of Salesforce admin. In the next step, you’re going to manage access to the connected app.
Resources
- Salesforce Help: OAuth Authorization Flows
- Salesforce Help: OAuth 2.0 Web Server Flow for Web App Integration
- Trailhead: API Basics