Saturday, May 12, 2012

Salesforce Password Login

I recently got an e-mail with a question on the Salesforce REST API that I thought I had covered, but it looks like I didn’t. The question is, is there a way to use the REST API with a username and password instead of OAuth? The answer is yes, and this article will explain how to do it.

You will want to refer to my original article on the Salesforce.com REST API since there are a number of concepts that are the same which I will not cover in detail here.

The first thing you will need to do is set up Remote Access in Salesforce.com, just like you do when you access the REST interface using OAuth. Refer to my original article for instructions on how to do this. Once it is set up you will get a Consumer Key and Consumer Secret, which you will need for the password login process.

You will also need, of course, the Salesforce username and password you want to log in with. Finally, you will need the Security Token for that account. To get this, log in to Salesforce with that account, click the down arrow next to your name in the top right and click Setup, click the down arrow next to My Personal Information on the left, click Reset My Security Token, then click the Reset Security Token button. Once you do this, a new security token will be sent to the e-mail address you have configured for this account.

You can get around using the security token by registering an IP address or range of IP addresses as trusted. To do this, in the Salesforce setup, select Network Access from the Security Controls section. On that screen you can enter one or more ranges of IP addresses of computers you trust. You would have to register the IP address of any computer that is going to make calls to the REST API.

Now that we have this information we can make a call to Salesforce to get the access token that will be needed to make all the other REST calls. Here is the code to do this.

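// Requires: using System; using System.Text;
// HttpPost is a helper that is not shown in this post.
private string GetToken(string consumerKey, string consumerSecret, string username, string password, string securityToken)
{
    string URI = "https://login.salesforce.com/services/oauth2/token";
    StringBuilder body = new StringBuilder();
    body.Append("grant_type=password&");
    // URL-encode every value so characters such as & or + cannot corrupt the form body.
    body.Append("client_id=" + Uri.EscapeDataString(consumerKey) + "&");
    body.Append("client_secret=" + Uri.EscapeDataString(consumerSecret) + "&");
    body.Append("username=" + Uri.EscapeDataString(username) + "&");
    // The security token is appended directly to the end of the password.
    body.Append("password=" + Uri.EscapeDataString(password + securityToken));
    // Return the JSON-encoded access token structure to the caller.
    return HttpPost(URI, body.ToString());
}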


This is similar to the code we used to get the access token using OAuth, but instead of passing in the authentication code we pass the username, password and security token. You will notice that the security token is simply appended to the end of the password. If you have registered your computer as trusted you will just be sending the password without the security token.

This function will return a string containing the access token structure encoded in JSON. Refer to the original article for details on how to extract the access token. Once you have the access token the REST API can be used just like you do when logging in with OAuth.
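A self-contained version of the two steps described above, building the password-grant form body and pulling the access token out of the JSON response, as an added example that is not code from the original post or its demo application. It assumes a modern .NET with System.Net.Http and System.Text.Json; the class name, the sample credentials and the sample response are constructed, and nothing is sent over the network.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;

static class PasswordGrantExample   // hypothetical class name
{
    // FormUrlEncodedContent percent-encodes every value, so '&', '=', '+' or '%'
    // inside a password cannot split or alter the form parameters.
    public static string BuildBody(string consumerKey, string consumerSecret,
        string username, string password, string securityToken)
    {
        var fields = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = consumerKey,
            ["client_secret"] = consumerSecret,
            ["username"] = username,
            // Token is appended to the password; pass "" when calling from a trusted IP range.
            ["password"] = password + (securityToken ?? "")
        };
        using var content = new FormUrlEncodedContent(fields);
        return content.ReadAsStringAsync().GetAwaiter().GetResult();
    }

    // Extracts access_token, or reports the OAuth "error" field when the login failed.
    public static string ExtractAccessToken(string json)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement root = doc.RootElement;
        if (root.TryGetProperty("access_token", out JsonElement token))
            return token.GetString();
        string error = root.TryGetProperty("error", out JsonElement e) ? e.GetString() : "unknown";
        throw new InvalidOperationException("Token request failed: " + error);
    }

    static void Main()
    {
        // Constructed sample values, not real credentials. Do not log a real body.
        Console.WriteLine(BuildBody("KEY", "SECRET", "user+api@example.com", "p&ss=w0rd", "TOKEN123"));
        // Constructed sample of a successful token response.
        string sample = "{\"access_token\":\"SAMPLE_TOKEN\",\"instance_url\":\"https://example.my.salesforce.com\"}";
        Console.WriteLine(ExtractAccessToken(sample));
    }
}
```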

I have attached a new demo application that shows how to access the REST API using both OAuth and username/password authentication. Be sure to fill out the variables at the top of MainForm.cs with your consumer Key, consumer Secret, etc.
Visual Studio 2010 Salesforce REST API Demo

3 comments:

Drew said...

Thanks, I did a lot of searching to find out how to auth w/ Salesforce, this blog post was definitely the best I found.

PD said...

Can you swap out the browser control and use HttpRequest/HttpResponse instead?

Dan Boris said...

The method of logging in that I show in this post doesn't use OAuth so there is no web browser control involved. If you are talking about OAuth, I suppose it might be possible but it sort of defeats the purpose of OAuth which prevents the calling site from ever knowing the user's login credentials. If you are going to have the user give you their credentials you might as well use the method shown in this post.