Creating a Custom OAuth App

TIBCO Data Virtualization® Adapter Online Help > TDV Salesforce with SSO Adapter > Using OAuth Authentication > Creating a Custom OAuth App

If you do not have access to the user name and password or do not wish to require them, you can use OAuth authentication. Salesforce with SSO uses the OAuth authentication standard, which requires the authenticating user to interact with Salesforce with SSO via the browser. The adapter facilitates the OAuth exchange in various ways, as described in this section.

Create a Connected App

To obtain the OAuth client credentials, consumer key, and consumer secret:

1. Log in to Salesforce.com.

2. From Setup, enter

3. Apps in the Quick Find box and then click the link to create an app. In the Connected Apps section of the resulting page, click New.

4. Enter a name to be displayed to users when they log in to grant permissions to your app, along with a contact Email address.

5. Click

6. Enable OAuth Settings and enter a value in the Callback URL box. If you are making a desktop application, set the Callback URL to http://localhost:33333 or a different port number of your choice. If you are making a web application, set the Callback URL to a page on your Web app you want the user to be returned to after they have authorized your application.

7. Select the scope of permissions that your app should request from the user.

8. Click your app name to open a page with information about your app. The OAuth client credentials, the consumer key, and consumer secret are displayed.

Authenticate to Salesforce with SSO from a Desktop Application

After setting the following connection properties, you are ready to connect:

• OAuthClientId: Set to the consumer key in your app settings.

• OAuthClientSecret: Set to the consumer secret in your app settings.

• CallbackURL: Set to the callback URL in your app settings.

• InitiateOAuth: Set to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken connection property.

When you connect, the adapter opens the OAuth endpoint in your default browser. Log in and grant permissions to the application. The adapter then completes the following OAuth process:

1. Gets the callback URL and sets the access token and OAuthServerUrl to authenticate requests.

2. Saves OAuth values in

3. OAuthSettingsLocation to be persisted across connections.

4. Exchanges the returned refresh token for a new, valid access token.

Authenticate to Salesforce with SSO from a Web Application

To obtain the access token, set the following connection properties:

• OAuthClientId: Set to the consumer key in your app settings.

• OAuthClientSecret: Set to the consumer secret in your app settings.

• CallbackURL: Set to the callback URL in your app settings.

When connecting via a web application, or if the adapter is not authorized to open a browser window, you need to exchange temporary verification values for the access token:

1. Call GetOAuthAuthorizationUrl. The stored procedure returns the URL to the OAuth endpoint.

2. Log in and authorize the application. You are redirected back to the callback URL. If you set the GrantType parameter to Implicit, the callbackURL contains the OAuthAccessToken and OAuthServerUrl in a query string parameter. If you set the GrantType parameter to code, the callback URL contains the verifier code in the query string parameter named "code". Extract the verifier code and call GetOAuthAccessToken.

To connect to data, set the following connection properties:

• OAuthAccessToken

• OAuthServerUrl

To automatically refresh the access token when it expires, set InitiateOAuth to REFRESH and set OAuthRefreshToken. Alternatively, call the RefreshOAuthAccessToken stored procedure when the access token expires. Given a refresh token as input, the procedure returns a valid OAuth access token.

As an alternative to retrieving the authorization URL and having the user log in to Salesforce, you can set up a password grant type by calling GetOAuthAccessToken, setting GrantType to PASSWORD. Here, you need to ensure that the user name and password are both set in the connection string, in addition to the client ID and secret of your application. Note that InitiateOAuth must be set to OFF for the password grant type to work. You cannot refresh the token obtained this way. This method has the advantage of removing the login step for users that cannot open a web browser, but it has the disadvantage of the user's credentials being exchanged in plain text between the server and Salesforce.

Note: You can configure the session timeout in Salesforce by navigating to Setup > Administration Setup > Security Controls > Session Settings.