
When I authenticate my single page app to my SFDC org using user-agent flow I am getting an access token and an openID token. I need to use one of them (not sure which) to authenticate and get access to another system (Again, via API).

My understanding is that I need to use the OpenID token in this case, as the other system will have no idea how to validate the access token, while the OpenID token signature can be validated using the same certificate used to sign it (the one in my SFDC org) and the user can be authenticated based on that. Something doesn't sound right; can anyone help explain how I can use one token received from one system (an IdP) to access another system?

Tea Bee

1 Answer

This is a common problem faced with token usage. Here is a link for a similar question with Google OAuth

In short, the id token is intended for the client. The client consumes the id token and authenticates the end user by validating it. On the other hand, the access token is to grant authorisation. It allows the client to access protected resources, representing the end user. In this manner, the answer to your question is to use the access token.

To validate an access token and obtain end user details, you can use the userinfo endpoint. Salesforce exposes this endpoint through the URL

https://login.salesforce.com/services/oauth2/userinfo

This endpoint consumes access tokens and validates them. If valid, it returns information about the end user to whom the access token was issued. This way you validate the access token and receive the end user details. Read more from this article

Kavindu Dodanduwa
  • Thanks, in my case I need to authenticate to a SFDC org (IdP), then use the retrieved tokens to get access to other systems. For the sake of simplicity we can assume that the other systems are just another Salesforce org (SP1). My understanding is that the access token that I will get after authentication is valid only for the first org (IdP). I am not sure what I should do to get an access token to the other org (SP1). All through APIs. Can I simply define a connected app and upload the same certificate there, then pass the OpenID token and receive back an access token (is that JWT bearer flow?) – Tea Bee Jan 29 '18 at 09:23
  • It seems you have complicated things. I think you need Salesforce as your identity provider. Then you have some apps hosted in Salesforce and some hosted outside. Now, tokens issued from Salesforce are valid for the client who receives them. If the client accesses Salesforce APIs, then tokens usually get validated by itself. The answer I gave focuses on apps outside. They want a token validation mechanism. – Kavindu Dodanduwa Jan 29 '18 at 15:56
  • Also please have a look at [that nice talk](https://youtu.be/BdKmZ7mPNns?t=4m50s) where the use of these tokens is clearly explained. – Spomky-Labs Jan 30 '18 at 14:01
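The pattern the answer describes, as an added example that is not part of the question, the answer or any Salesforce code: a resource server hosted outside Salesforce receives a Bearer access token, forwards it to the userinfo endpoint quoted in the answer, and accepts the caller only if the endpoint returns a user record with a subject identifier. The HTTP transport is injectable so the decision logic can be run offline against a constructed stub; the stub's token strings, claim values and its 403 response for unknown tokens are assumptions made for this example, not documented Salesforce behaviour.

```python
"""
Added example: validate a Bearer access token at an OAuth2/OpenID userinfo
endpoint, the way a resource server outside Salesforce could. Transport is
injectable; the default transport is a plain urllib GET.
"""
import json
import urllib.error
import urllib.request

# Endpoint quoted in the answer above.
USERINFO_URL = "https://login.salesforce.com/services/oauth2/userinfo"


def http_get(url, headers):
    """Default transport: HTTP GET returning (status_code, body_text)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def extract_bearer_token(authorization_header):
    """Pull the token out of 'Authorization: Bearer <token>'; None if malformed."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def validate_access_token(token, transport=http_get, userinfo_url=USERINFO_URL):
    """Return the userinfo claims for a valid token, or None when the endpoint
    rejects the token or answers with something that is not a user record."""
    if not token:
        return None
    status, body = transport(
        userinfo_url,
        {"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    if status != 200:
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    # 'sub' is the OpenID Connect subject identifier; without it there is no
    # principal to authorise, so treat the response as a failure.
    if not isinstance(claims, dict) or not claims.get("sub"):
        return None
    return claims


def authorize_request(headers, transport=http_get):
    """Decision for one incoming request: (allowed, principal_or_reason)."""
    token = extract_bearer_token(headers.get("Authorization"))
    if token is None:
        return False, "missing or malformed Authorization header"
    claims = validate_access_token(token, transport=transport)
    if claims is None:
        return False, "token rejected by userinfo endpoint"
    return True, claims["sub"]


# --- Constructed stub standing in for the real endpoint (offline demo) -----
# Token strings and claim values below are made up for this example.
STUB_TOKENS = {
    "00Dxx-valid-token": {
        "sub": "https://login.salesforce.com/id/ORG_ID_PLACEHOLDER/USER_ID_PLACEHOLDER",
        "user_id": "USER_ID_PLACEHOLDER",
        "organization_id": "ORG_ID_PLACEHOLDER",
        "email": "user@example.com",
    },
}


def stub_transport(url, headers):
    """Imitates a userinfo endpoint: 200 + claims for a known token, 403 for
    anything else. The status code and body are assumptions of this stub."""
    token = extract_bearer_token(headers.get("Authorization"))
    if token in STUB_TOKENS:
        return 200, json.dumps(STUB_TOKENS[token])
    return 403, json.dumps({"error": "invalid_token"})


if __name__ == "__main__":
    for hdr in ("Bearer 00Dxx-valid-token", "Bearer 00Dxx-revoked", "Basic abc", None):
        print(repr(hdr), "->", authorize_request({"Authorization": hdr}, transport=stub_transport))
```

Run it as-is to see the stub decisions; point `transport=http_get` at a real token to call the endpoint. Note that, as the comment thread says, a token issued by one org is only accepted by that org's userinfo endpoint, so this check tells the outside system who the caller is at the IdP; it does not by itself produce a token for a second org.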