
Is it possible to authenticate to Salesforce and submit a payload to the POST method of an Apex class exposed as a REST resource, all in a single call? I know this usually needs two different calls: first to log in and get a token or session ID, and second to submit the request to the resource. However, this external system seems to have a limitation: it cannot make a second call. Is there a workaround to achieve the above without having to compromise security?

  • How about setting up a separate "process" to log in and keep a token up to date? In that case, it will always be available to perform requests with the token via one call. Commented Feb 27, 2017 at 22:02
  • Although security through obscurity is something generally not recommended, you could expose the REST Apex class publicly via Communities, and hardcode in it a string token of arbitrary length (the longer the better). The string token of the Apex class would be shared with the external system in order to provide it as one of the params in a REST call to a generally public resource. Depending on whether the token is correct, you could decide whether to return a valid response or just an HTTP 401. Commented Feb 27, 2017 at 22:14
  • @kurunve, I understood creating a custom login process; can you please elaborate on how to keep the token up to date? Commented Feb 27, 2017 at 22:25
  • @sperikal help.salesforce.com/… Commented Feb 27, 2017 at 22:33
  • @dinoursic That is entirely eavesdroppable. I'm no security expert, but I think it's better to hash that string with your credentials and a timestamp. And if possible, filter by IP. Commented Feb 28, 2017 at 20:56

1 Answer

Though this is not possible out of the box with the Salesforce REST API, you could design an Apex REST Service exposed on a Force.com Public Site.

Normally, this would mean your REST service is open to everyone. But your Apex controller can use the Crypto namespace to parse a signed JSON Web Token that your integration could pass with every call.

This is different from using the JWT Bearer Token flow in OAuth 2, which still requires two calls.
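The approach in the answer above, as an added example that is not part of the original post or of any Salesforce-provided code: an Apex REST resource, meant to be exposed on a public site, that verifies an HS256 JSON Web Token from the Authorization header before handling the POST. The URL mapping, class name, and the `SHARED_SECRET` placeholder are assumptions; the secret is shared out of band with the external system (a protected custom metadata type or custom setting is a better home for it than a constant). The token is rejected unless its signature verifies under `Crypto.verifyHmac` and its `exp` claim is still in the future, which is what keeps a captured token from being replayed indefinitely.

```apex
// Added example (not from the original post). Assumes the guest user profile
// of a Force.com public site grants access to this class, and that the
// external system sends "Authorization: Bearer <header>.<payload>.<signature>".
@RestResource(urlMapping='/external/ingest/*')
global with sharing class ExternalIngestResource {

    // Placeholder: in real code load this from protected custom metadata.
    private static final String SHARED_SECRET = 'REPLACE-WITH-LONG-RANDOM-SECRET';

    @HttpPost
    global static void doPost() {
        RestRequest req = RestContext.request;
        RestResponse res = RestContext.response;

        String authHeader = req.headers.get('Authorization');
        String token = (authHeader != null && authHeader.startsWith('Bearer '))
            ? authHeader.substring(7) : null;

        if (token == null || !isValidJwt(token)) {
            // Bad or missing token: answer 401 and reveal nothing else.
            res.statusCode = 401;
            res.responseBody = Blob.valueOf('{"error":"unauthorized"}');
            return;
        }

        // Token verified: handle the actual payload of the single call.
        Map<String, Object> payload =
            (Map<String, Object>) JSON.deserializeUntyped(req.requestBody.toString());
        res.statusCode = 200;
        res.responseBody = Blob.valueOf(JSON.serialize(
            new Map<String, Object>{ 'receivedFields' => payload.size() }));
    }

    // Checks header.payload.signature with HMAC-SHA256 and enforces exp.
    @TestVisible
    private static Boolean isValidJwt(String jwt) {
        List<String> parts = jwt.split('\\.');
        if (parts.size() != 3) return false;

        try {
            Map<String, Object> header = (Map<String, Object>)
                JSON.deserializeUntyped(base64UrlDecode(parts[0]).toString());
            Map<String, Object> claims = (Map<String, Object>)
                JSON.deserializeUntyped(base64UrlDecode(parts[1]).toString());

            // Only accept the algorithm we expect; never trust "alg":"none".
            // String.equals is case-sensitive, unlike Apex ==.
            if (!'HS256'.equals(header.get('alg'))) return false;

            Blob signingInput = Blob.valueOf(parts[0] + '.' + parts[1]);
            Blob signature = base64UrlDecode(parts[2]);
            // verifyHmac recomputes the MAC and compares it (API 44.0 or later).
            if (!Crypto.verifyHmac('hmacSHA256', signingInput,
                                   Blob.valueOf(SHARED_SECRET), signature)) {
                return false;
            }

            // exp is seconds since the epoch; deserializeUntyped yields Integer or Long.
            Object exp = claims.get('exp');
            if (!(exp instanceof Integer) && !(exp instanceof Long)) return false;
            Long expSeconds = Long.valueOf(String.valueOf(exp));
            Long nowSeconds = Datetime.now().getTime() / 1000;
            return expSeconds > nowSeconds;
        } catch (Exception e) {
            // Malformed base64, JSON, or UTF-8 is treated as an invalid token.
            return false;
        }
    }

    // JWT segments are base64url without padding; convert to standard base64.
    private static Blob base64UrlDecode(String input) {
        String s = input.replace('-', '+').replace('_', '/');
        while (Math.mod(s.length(), 4) != 0) s += '=';
        return EncodingUtil.base64Decode(s);
    }
}
```

The external system mints the token itself with the shared secret and a short `exp` (a few minutes), so every call is self-authenticating and no login round trip is needed. Keeping the expiry short, and restricting the site's guest user by IP range where the platform allows it, limits what an intercepted token is worth; if callers can retry, adding a `jti` claim and rejecting repeats within the validity window closes the remaining replay gap.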
