OAuth 2.0 Authentication

This page describes OAuth 2.0 authentication setups for several widely used services. It also shows how to interpret each service's web pages describing the authentication.

  • Salesforce
    • Salesforce is a CRM/Cloud Application Platform.
  • Twitter
    • Short messaging service, used by narcissists and shouty people.
  • PayPal
    • A payment gateway.

Salesforce

The Salesforce API documentation (https://goo.gl/v365UT) lists three supported authorisation workflows: Web server flow, User-agent flow and Username-password flow.

As both the Web server and User-agent flows require a redirect URL (three-legged), we will need to use the Username-password flow: https://goo.gl/Hvh8II

As is common to almost all two-legged workflows, an application must first be registered with the resource owner (Salesforce) so that it can generate the client ID and secret for use: https://goo.gl/3C5LgF

Once the client id and secret are known we can start setting up our OAuth settings in IMan.

The Salesforce documentation describes the request:

Unfortunately the documentation neglects to mention how these parameters are to be passed, though a quick search through the documentation shows that URL-encoding is commonly used.

The documentation also provides an example response:

{
  "id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",
  "issued_at":"1278448832702",
  "instance_url":"https://na1.salesforce.com",
  "signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=",
  "access_token":"00Dx0000000BV7z!AR8AQAxo9UfRcgKFmxOtvxjTrKW19ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs"
}

We can see from the response that for a successful authorisation we require a request like this:

POST https://login.salesforce.com/services/oauth/token HTTP/1.1
Accept: application/json; charset=utf8
User-Agent: realsiable-iman-salesforce/v29.0
Content-Type: application/x-www-form-urlencoded
Host: login.salesforce.com

grant_type=password
client_id=[some client id]
client_secret=[some client_secret]
username=[some user_name]
password=[some password]

Configuring IMan to create an authorisation request such as this is straightforward and is done via the IMan setup screen.

Let's have a look at the required request and where these options map into the setup screen:

The token request settings:

client_id=%[client_id];client_secret=%[client_secret];grant_type=password;username=%[user_name];password=%[password]

Twitter

Twitter supports a number of OAuth authentication workflows, one of which is the application-only workflow: https://goo.gl/UNbKKx

As you can see, the diagram for this workflow matches the implicit grant (two-legged) description above:

An example token request for Twitter is shown below:

POST https://api.twitter.com/oauth2/token HTTP/1.1
Authorization: Basic eHZ6MWV2RlM0d0VFUFRHRUZQSEJvZzpMOHFMdzhpRUo4OERSZHlPZw==
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=client_credentials
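The Salesforce and Twitter token requests above, built in Python as an added example (not part of the original page or of IMan): it URL-encodes the username-password form body, builds the Basic header from a consumer key and secret, and masks secrets before a body is written to a log. The function names and all credential values are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode

# Form fields that must never appear in logs or traces.
SENSITIVE = {"client_secret", "password"}


def password_grant_body(client_id, client_secret, username, password):
    """application/x-www-form-urlencoded body for the username-password flow."""
    # urlencode() escapes '&', '=', '+' and spaces, so a password containing
    # them cannot split or truncate the parameter list on the wire.
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def basic_auth_header(consumer_key, consumer_secret):
    """Authorization header value for the application-only token request."""
    # Key and secret are URL-encoded, joined with ':' and base64-encoded.
    pair = f"{quote(consumer_key, safe='')}:{quote(consumer_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def redact_body(body):
    """Copy of a form body that is safe to log: secret values are masked."""
    fields = parse_qs(body, keep_blank_values=True)
    return urlencode(
        {k: ("REDACTED" if k in SENSITIVE else v[0]) for k, v in fields.items()}
    )


if __name__ == "__main__":
    # Constructed sample credentials; the password deliberately contains
    # characters that are meaningful inside a form body.
    body = password_grant_body(
        "CONSTRUCTED_ID", "CONSTRUCTED_SECRET", "user@example.com", "p&ss=word +1"
    )
    print(body)
    print(redact_body(body))
    print(basic_auth_header("constructedKey", "constructedSecret"))
```

Base64 in the Basic header is an encoding, not encryption, so both requests carry recoverable secrets and belong on HTTPS only.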

Configuring a token request in IMan

IMan Setup

PayPal

The setup was exclusively derived from the API documentation.

https://developer.paypal.com/docs/api/get-an-access-token-curl/

We recommend creating a sandbox account first.

The Client ID is the Client ID from the App Setup; the Client Secret is the Secret.

IMan Setup