Authorization tokens in Salesforce

Hello again, regarding what you mention about the "offline" connection mode, you are referring to the fact that you have added the "Perform requests on your behalf at any time" scope?

In the Salesforce page it states the following for this scope (Help And Training Community):

So this scope allows you to get the refresh token, but it doesn't mention that it doesn't expire, is that mentioned somewhere else?

Thanks!

Roberto

Yes, the offline_access in particular. Indeed, Salesforce does not state explicitly that this scope prevents refresh tokens from expiring, but our tests indicate that these tokens live at least as long as several months. If Salesforce decides to change this behavior in the future, in EasyMorph v5 we would have the means to handle this.


Thanks @olysak, and from what I’ve understood, every time you make an API call and use the Connected App, you “reset” the countdown for the validity of the token. So regarding your tests, it lasts several months without having done any call, or it only lasts several months even if you’ve been doing calls along the way?

The latter. We did not explicitly test the case with the refresh token being untouched for several months.

But, in either case, if Salesforce decides to request user re-authorization after a prolonged period of inactivity, there would be no way to circumvent it - in either case, you would have to start the OAuth process and enter credentials manually.
Automatic refresh token management can only work when the OAuth resource/authorization server (e.g. Salesforce server) seamlessly provides fresh tokens after some interaction with the API.

@roberto,

The Salesforce connector now can display the quota usage stats. The beta build has been updated, so you can test it as well.


@olysak Can you give me more details on this? What would be the steps I have to take to maximize the length my token is valid? Salesforce gives refresh tokens: Help And Training Community

Before @dgudkov mentioned:

The connector uses the “offline” connection mode, so technically tokens don’t expire. But even if they did, the connector can still handle it.

I'm not sure I understand both statements together. It would be great to get more info on this and how I can maximize the time my tokens last (for now I'll be using the Web Location connector instead of the Salesforce Connector, because I'm able to establish my custom Callback URL, and that is important in my case).

Also, what role does "centralized key-value storage" play here? @dgudkov mentioned that with this functionality refresh tokens can be managed, how would this work?

Thanks!

The standard way of obtaining a new refresh token is by a user interacting with the resource server website (i.e. Salesforce login form in this case). Easymorph receives a refresh token during the last step of the OAuth process - that is, when you see the «Received verification code. You may now close this window» page. If this is the only way to get a new token, then - if Salesforce decides that yours is no longer valid - you have to restart this authorization process, enter your credentials by hand etc - there is no way for Easymorph to do this automatically.

Sometimes, there can be another way to get a new refresh token - for example, some systems provide a one-time chance to capture a renewed refresh token, and when Easymorph tries to obtain a new access token, they give both access and refresh tokens back. In this situation, we can seamlessly renew the refresh token without user re-entering credentials. But this is not the case with Salesforce.

What would be the steps I have to take to maximize the length my token is valid?

You should allow offline_access scope in the Connected app's settings.
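
An added example, not EasyMorph's code and not part of the original posts: a minimal refresh-token manager covering the three cases discussed in this thread (the refresh token stays valid, the server hands back a renewed refresh token, or the server rejects the refresh token and the browser flow must be repeated). `TokenManager`, `post_form`, the dict-based store and the fake server are assumptions for illustration; the form fields are those of the standard OAuth 2.0 refresh grant, sent in the POST body rather than in the URL.

```python
import time

class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must redo the browser OAuth flow."""

class TokenManager:
    def __init__(self, post_form, store, client_id, client_secret):
        self.post_form = post_form  # hypothetical transport: form dict -> (status, json dict)
        self.store = store          # dict-like persistent storage (assumed key-value store)
        self.client_id, self.client_secret = client_id, client_secret

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self.store.get("access_token") and now < self.store.get("expires_at", 0):
            return self.store["access_token"]  # cached token is still fresh
        status, body = self.post_form({        # parameters go in the POST body, not the URL
            "grant_type": "refresh_token",
            "refresh_token": self.store["refresh_token"],
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200:
            self.store.pop("access_token", None)
            if body.get("error") == "invalid_grant":  # revoked or expired refresh token
                raise ReauthorizationRequired(body.get("error_description", ""))
            raise RuntimeError(f"token endpoint error: {body.get('error')}")
        self.store["access_token"] = body["access_token"]
        # Assumed 1 h lifetime when the server sends no expires_in; refresh 60 s early.
        self.store["expires_at"] = now + body.get("expires_in", 3600) - 60
        if "refresh_token" in body:  # server issued a renewed refresh token: persist it
            self.store["refresh_token"] = body["refresh_token"]
        return self.store["access_token"]

def make_fake_server(rotate=False):
    """Constructed stand-in for a token endpoint so the example runs offline."""
    state = {"valid": "rt-1", "issued": 0}
    def post_form(form):
        if form["refresh_token"] != state["valid"]:
            return 400, {"error": "invalid_grant", "error_description": "constructed: token rejected"}
        state["issued"] += 1
        body = {"access_token": f"at-{state['issued']}", "expires_in": 600}
        if rotate:  # one-time chance to capture the renewed refresh token
            state["valid"] = body["refresh_token"] = f"rt-{state['issued'] + 1}"
        return 200, body
    def revoke():
        state["valid"] = None
    return post_form, revoke
```

Because the stored refresh token is a long-lived credential, the store behind `store` should be encrypted at rest and readable only by the service that performs the refresh.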

@roberto,

We’ve added a new action for Salesforce in the recent beta build - “Update/delete records in Salesforce”. Can you please try it too?

The initial post in this thread has been updated.

6 posts were merged into an existing topic: Announcement: Salesforce connector and actions

Hello @olysak,

Thanks for your response. Regarding your comment:

Sometimes, there can be another way to get a new refresh token - for example, some systems provide a one-time chance to capture a renewed refresh token, and when Easymorph tries to obtain a new access token, they give both access and refresh tokens back. In this situation, we can seamlessly renew the refresh token without user re-entering credentials. But this is not the case with Salesforce.

Isn't this the same process that is mentioned in the following article? Help And Training Community

Can you also look at the following StackExchange question and first answer? Here they detail how to get the refresh token:

Thanks very much,

Roberto

This is the process of getting an access token using a refresh one, not getting a new refresh token without user interaction.

This is also a standard OAuth flow, involving user interaction. Note the "Navigate in a browser..." part in the first bullet.

Hello @Olysak, yes the first time you have to navigate to a browser, you do it manually. And you get the access code.

In step 2 of the StackExchange answer it is stated:

  2. Now, POST https://login.salesforce.com/services/oauth2/token?grant_type=authorization_code&redirect_uri=https://login.salesforce.com/services/oauth2/callback&client_id=<ConnectedAppClientID>&client_secret=ConnectedAppSecret&code=<CodeFromStep1>. This will return you the refresh token in JSON format. There is also an access token with the response. So you can use it until it expires.

So when EasyMorph authorizes the connector with the single usage code, in that same response, apart from an access token, is the refresh token. That refresh token has to be stored, and then used to get another access token, as stated in the article Help And Training Community.

So the first time you get the refresh token with the user navigating to the browser, but once you have it and set it to not expire, you should be able to use this token right?

If so, where could EasyMorph store this token and use it? Does centralized key-value storage play a role here?

Thanks,

Roberto

Hello again @olysak,

And in Salesforce, I have the following option, “Refresh token is valid until revoked”:

So if we’re able to store the refresh token and use it to get the access tokens, then we can be sure that the user won’t have to manually re-authorize in the future.

Roberto

Yes, this is how it's implemented in Easymorph at this moment

So the first time you get the refresh token with the user navigating to the browser, but once you have it and set it to not expire, you should be able to use this token right?

So if we’re able to store the refresh token and use it to get the access tokens, then we can be sure that the user won’t have to manually re-authorize in the future.

Yes, you're right. If the refresh token does not expire, you're good - this is the base case and it was handled by Easymorph since at least ~late 2020. All the problems arise if refresh token can expire too.

Ok, thanks for your help!

🙂

@Olysak one last question - is this solution also implemented in the “Web Location” connector? I need to use this one instead of the standard Salesforce Connector because I need to be able to include a custom callback URL, and this is not allowed currently with the standard EasyMorph Salesforce Connector.

If you could allow setting a callback URL in the standard EasyMorph Salesforce connector, that would be great 🙂

Yes, this is how Web Location works right now


Hi Roberto,

Why don't you ask your customer to use the free EasyMorph edition to create and authorize a Salesforce connector and pass it to you? I suppose this would simplify things for everyone.

Hello @dgudkov,

I’ve tried it and it works correctly! However the names of the actions are a bit confusing, having both “Export to Salesforce” and “Update/delete records in Salesforce”:


Maybe you could join “Insert/Update/Delete” into one action called “Ingest to Salesforce” (Ingest is the word used in Salesforce when referring to insert-update-delete via API). View the following link: https://developer.salesforce.com/docs/atlas.en-us.api_asynch.meta/api_asynch/bulk_api_2_0_ingest.htm

Regards,

Roberto

Hello @dgudkov,

The idea is to streamline the process for the client, not having them download additional software/authentication processes. How would the user pass the Salesforce connector to us from his own desktop version, if we have the connectors in our EasyMorph Server? Would they have to connect to EasyMorph Server from desktop?

The authentication process (not only for Salesforce, but any web location connector with OAuth2 authentication) that I was thinking of could go like this:

  1. Internally, first we configure the details of the connector (OAuth2 Client, Secret, Callback URL (would be a specific URL in EM Server where the server is listening), scopes, etc.)

  2. Once that is done, we create an EasyMorph Project for OAuth2 authentication (1 per client per connector). This EasyMorph project gets launched through an API call (by the client) and consists of the following:

  • A) Once the task is triggered, an email action sends the client the link to do the OAuth2 authentication. (In the background, EasyMorph Server is listening for when the user enters their login details and gives permission to EasyMorph).
  • B) The user clicks on the link, logs into Salesforce, and gives permission to EasyMorph. EasyMorph Server is listening in a certain callback URL for the code, and once that is done the connector is authenticated.
  • C) If in the future the client loses authentication, they have to repeat the same process - launch the task externally, receive an email, login/give permission and then the connector is authenticated again.

In my opinion, having a process like this where EM Server acts as a bridge for streamlining the authentication, makes it easier both for the client and us.

I feel it has certain relation to what @RJO mentions in his post “Big feature request on all cloud connectors”, regarding having an action inside a project to authenticate. In this case, it would be used in EasyMorph Server to authenticate a Web Location connector with OAuth2 authentication.

What do you think?

Thanks!

Roberto