How to roll your own authentication for an external Salesforce App?

Background

If you’re building an app, that involves

  1. Doing some very basic actions on behalf of non-Salesforce users, i.e. creating a Quote
  2. Is hosted externally (in other words, not APEX, but rather PHP, or Node.JS Heroku app)
  3. Requires some basic authentication for the non-Salesforce users (username and credentials stored in salesforce)
  4. Doesn’t violate Salesforce Terms of Service

What’s the quickest route to build that app, and what best practices should be employed to develop fast and securely?

Inspiration

After reading this question and running into this sort of app architecture several times myself, felt like this would be great to get the voice of the community on.

Answer

The key to solving this problem lies in two parts:

  1. Having a dedicated SF User to handle all requests from your 3rd Party to SFDC
  2. Creating your own User DB + Code to that verifies your 3rd Party user credentials. Once verified, they will then have access to the SF User. The extra code you’ll have to write is to manage what kind of processes you want to expose to/from SFDC.

(Essentially, I am saying to write code that creates and manages your own SessionId — roll your own “oAuth” (it’s not that hard and quite empowering))

I wrote a watered-down version of what you are looking for (but it’s managed on SF). What I did was create a Custom Object called Portal__c that stores Site information as well as User and Session information (in different Record Types).

Then, I wrote a class called Portal that manages all of my user activity in its static methods. On top of that, as an instance, Portal acts as a pseudo-controller that gathers Portal, User, and Session information from a Cookie I create when a user logs in. (This way, my Site doesn’t use URL Parameters to determine which User is logged in — the UserId and SessionId are “hidden” in the Cookie.)

After the backend work was completed, I could then build my VF Pages. This is where I decide what parts of the SFDC I want to expose to my 3rd Party (my Site Users). I wrote the Portal code so it’s a breeze to login, register, gather User/Session/Portal data, and verify the Session in my VF controllers. (I also added methods like

public static pageReference Portal.getPortalPage(Portal.Page myEnum){...}

to stream-line page Navigation in my Site [as well as limit which Site pages are accessible]. Also, I created a basic Session History tracking mechanism. The sky’s the limit!)

Note that my creation follows the schema of my solution:

  1. My dedicated SF User is a “Site User” that SF automatically creates for site users
  2. The real meat & potatos — creating Portal__c to manage Portal/User/Session data and creating the Portal class were the key to my problem, and this is where the real work takes place. As my example shows, it can be done completely in SF, and it is not difficult to abstract this to a different platform

I elaborate in more detail here:

SSO of a force.com site with another force.com site in same org

Attribution
Source : Link , Question Author : Ralph Callaway , Answer Author : Community

Leave a Comment