Apparently the weather up in the Cloud is cooler than here on Earth. Case in point – while we were enjoying an Indian Summer in San Francisco this week, the Winter ’12 release had started rolling out to Sandbox Orgs. No matter what the weather is in your neck of the woods, there are plenty of goodies for developers in Winter ’12. Check out our Winter ’12 release page to see a quick snapshot of these features (you can also peruse the detailed release notes).
I wanted to call out one feature in particular that I believe is kind of lost in the release notes – the addition of the ‘scope’ parameter to OAuth 2.0. This change is actually huge for a couple of reasons.
1) You now have the ability to access Visualforce pages via OAuth. Previously, you could only use the access token that you get via OAuth to make API calls against Force.com (e.g. with the SOAP or REST APIs). With the addition of the scope parameter, you can now have users login via OAuth and then redirect them to a Visualforce page. This use case is especially useful in a mobile scenario where you could have an iOS/Android/HTML5 application use OAuth to authenticate and authorize users (in mobile scenarios, OAuth is preferred over the standard username/password login since the mobile app never sees the login information) and then redirect them to a mobile optimized VF page.
For example, if you were using the OAuth User-Agent flow, you can append ‘&scope=visualforce’ to the end of the OAuth authorization URL (i.e. the URL that you would redirect users to would look something like ‘https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=<your client id>&redirect_uri=<your callback URL>&scope=visualforce’). Once the user logs in successfully, you can then append the OAuth access token to a VF URL and direct users to it (for e.g. ‘https://c.cs0.visual.force.com/apex/HelloWorld?oauth_token=<add access token>’).
2) In addition to being able to access VF pages, the scope parameter also gives you the ability to fine tune the level of access that you want to grant users. For e.g. setting ‘scope=api’ restricts the user to only using the access token with API calls. Similarly, you can define ‘scope=full’ and allow full access to users. You can also mix and match scopes. For more details about the possible scope values, search for ‘scope parameter’ in the Help page of any Org that has been upgraded to Winter ’12.
For more information about OAuth 2.0 in general, check out this great article by my colleague Pat Patterson. Also, if you’re interested in finding out about other new platform features in the Winter ’12 release please sign up for the preview webinar next Wednesday (9/28). Hope to see you there.