2

We have a project where the client requests the use of their own Identity Provider, in this case, it is SalesForce.

We secure the application using IdentityServer 3 and have configured it that for this client (based on parameters) it will use SalesForce as the IDP.

For the web app, no problem, Identity Server redirects to the Sales Force login page and everything works great.

Now we have a mobile app to build and the client would like to avoid having a web login page and would rather have a nice polished login form built in the application. This means that we will have to use the Resource Owner flow.

Now, the users creds are on SalesForce side so how does that work and is this at all possible in IdentityServer 3 ?

I see 2 possibilities but I kind of like neither of them:

  1. Send the auth call to IdentityServer which should detect that it is up to SalesForce to validate the user and forwards the request there.
    I think it is not good as I would rather avoid having my IdentityServer dealing with credentials that he should not even know

  2. Send a first auth call to SalesForce to get some "id token" that would then allow me to send another auth call to IdentityServer which will then recognize the "id token" and release an access token.
    That seems like a stretch and forces the app to know that there is an IDP which is none of its business.

Any idea?

Georges Legros
  • 2,494
  • 2
  • 23
  • 42
  • Hey Georges, we are dealing with this exact scenario but instead of a mobile app, we have a desktop app. What did you guys ended up doing? Thanks – Luis Lavieri Oct 17 '22 at 14:57
  • Hello, we ended up using the OpenId flow just like on the website. The mobile app opens a web frame and handles the html part. I still have not clue how the Resource Owner flow is supposed to work under those condition. If you ever find a way, I'd love to hear about it! – Georges Legros Nov 18 '22 at 11:53

0 Answers0