
Step 2: Exchange the credentials for an access token

The process of exchanging credentials for an access token is very similar to exchanging an authorization code for an access token in the Authorization Code flow. We simply need to make an HTTP POST to the authorization server, providing the credentials and client information.

You can find the authorization server URL in the API provider’s documentation. For Salesforce, the URL is

https://login.salesforce.com/services/oauth2/token

Here are the required POST parameters:

grant_type

Specified as “password” for this flow.

scope

The data your application is requesting access to. It is not required for Salesforce and is optional for other APIs. The Winter ’12 version of Salesforce introduces optional values for this parameter.

client_id

The value provided to you when you registered your application. Although optional in the spec, this value is required by Salesforce. Registration of the app is achieved using the App Setup > Develop > Remote Access menu.

client_secret

The value provided to you when you registered your application. While the name of this parameter implies that the value is secret, it is sometimes required by API providers for nonconfidential clients such as native mobile applications. In these cases, the value is not actually a secret, as it could be discovered by users of the application.

username

The username provided by the resource owner, encoded as UTF-8.

password

The password provided by the resource owner, encoded as UTF-8. For Salesforce, you need to append the security token entered by the user to the end of the entered password and pass the combined value as the value of this parameter.

Here’s an example request via the curl command-line HTTP client:

curl -d "grant_type=password" \
-d "client_id=3MVG9QDx8IKCsXTFM0o9aE3KfEwsZLvRt" \
-d "client_secret=4826278391389087694" \
-d "username=ryan%40ryguy.com" \
-d "password=_userspassword__userssecuritytoken_" \
https://login.salesforce.com/services/oauth2/token

If the user-provided credentials are successfully authenticated, the Salesforce OAuth authorization server will return an application/json response containing an access_token:

{
  "id":"https://login.salesforce.com/id/00DU0000000Io8rMAC/005U0000000hMDCIA2",
  "issued_at":"1316990706988",
  "instance_url":"https://na12.salesforce.com",
  "signature":"Q2KTt8Ez5dwJ4Adu6QttAhCxbEP3HyfaTUXoNI=",
  "access_token":"00DU0000000Io8r!AQcKbNiJPt0OCSAvxU2SBjVGP6hW0mfmKH07QiPEGIX"
}

What does each of these response parameters mean?

access_token

The access token used to access the API on behalf of the user who provided their credentials. This is the only required item in the response.

id (Salesforce-specific value)

The unique identity of the user. This URL can also be accessed as any other OAuth-protected resource to obtain more information about the user. The user metadata is returned as JSON or XML, depending on the value of the HTTP Accept header sent in the request.

instance_url

The URL prefix the client application should use to access the API. This response parameter is specific to Salesforce’s implementation.

signature

A signature used to validate that the identity URL hasn’t been modified since being sent from the server. Although Salesforce issues signatures that can be verified, verifying them isn’t strictly necessary; instead, the application can use the built-in protections of HTTPS to ensure communication with Salesforce’s servers. This response parameter is specific to Salesforce’s implementation.

issued_at (Salesforce-specific value)

The time the signature was generated, used for validating it.
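
The request and response handling described above, as an added Python example that is not code from the book or from Salesforce: it form-encodes the POST parameters so that credentials containing characters such as & or + survive intact, then checks the response before the token is used. The signature scheme is an assumption taken from Salesforce's documentation (Base64 HMAC-SHA256 over id concatenated with issued_at, keyed with the client secret), which this page does not spell out; all function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit


def build_token_request(client_id, client_secret, username, password, security_token):
    """Form-encode the password-grant POST parameters listed above."""
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        # Salesforce: the security token is appended to the password.
        "password": password + security_token,
    }
    # urlencode percent-encodes '@', '&', '+' and '=' inside each value.
    return urlencode(params, encoding="utf-8").encode("ascii")


def sign(client_secret, identity_url, issued_at):
    """Assumed scheme: Base64(HMAC-SHA256(client_secret, id + issued_at))."""
    msg = (identity_url + issued_at).encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def validate_token_response(client_secret, resp):
    """Return (access_token, instance_url) or raise ValueError."""
    if not resp.get("access_token"):
        raise ValueError("response has no access_token")
    for key in ("id", "instance_url"):
        if urlsplit(str(resp.get(key) or "")).scheme != "https":
            raise ValueError(f"{key} is not an https URL")
    expected = sign(client_secret, resp["id"], str(resp.get("issued_at") or ""))
    received = str(resp.get("signature") or "")
    # Constant-time comparison of the recomputed and received signatures.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("signature does not match id + issued_at")
    return resp["access_token"], resp["instance_url"]


def constructed_response(client_secret):
    """Constructed sample response (not real Salesforce output)."""
    resp = {"id": "https://login.salesforce.com/id/ORG_PLACEHOLDER/USER_PLACEHOLDER",
            "issued_at": "1316990706988",
            "instance_url": "https://na12.salesforce.com",
            "access_token": "CONSTRUCTED_ACCESS_TOKEN"}
    resp["signature"] = sign(client_secret, resp["id"], resp["issued_at"])
    return resp
```

The body returned by build_token_request is what would be POSTed to the token URL with Content-Type application/x-www-form-urlencoded.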
