Generate the Access Token and Frontdoor URL for Tableau Next Embedding
To complete the authentication process, you must generate an access token and a frontdoor URL. Use the generated Frontdoor URL as the authCredential value when you initialize the SDK.
To generate the access token, use the OAuth 2.0 Web Server Flow. The web server flow is a two-step flow for obtaining an access token. Step 1 is browser-driven: the user is redirected to Salesforce to authenticate. Step 2 is server-side: your backend exchanges the returned authorization code for the token.
- Authorization request: Your app redirects the user to the Salesforce authorization endpoint, /services/oauth2/authorize. After the user authenticates, Salesforce redirects back to the configured callback URL with an authorization code in the query string.
- Token exchange: Your app sends an HTTP POST request to the Salesforce token endpoint, /services/oauth2/token, with the authorization code and the app’s client_id. Salesforce responds with a JSON payload containing the access_token and instance_url.
Proof Key for Code Exchange (PKCE) is only required if your External Client App (ECA) has the OAuth security policy Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows enabled. When using this policy, your app must include a code challenge on the authorization request and code verifier on the token request. For more information, see Use the OAuth 2.0 Proof Key for Code Exchange (PKCE) Extension.
If your ECA uses the OAuth security policy Require Secret for Web Server Flow, the POST request to the token endpoint must also include your app’s client_secret as a form parameter alongside the client_id. If you’re not using this policy, sending the client_id alone is sufficient.
This code example shows how to append the client_secret value to the request body conditionally. In this example, the host references your Salesforce org, and CLIENT_ID and CLIENT_SECRET are the values you copied and saved from the ECA OAuth settings. Remember, the consumer key is the client_id and the consumer secret is the client_secret.
This example is written in JavaScript and runs on Node.js with Express. You can implement the same flow in any server-side language, substituting the equivalent HTTP and crypto primitives in your stack of choice. For example, use Java with Spring Boot, Python with Flask or FastAPI, Go with net/http, Ruby on Rails, or .NET / C#. The endpoint paths, parameters, and request and response shapes are identical regardless of language.
Use Frontdoor URLs to bridge into UI sessions, giving your users uninterrupted access to Salesforce and other apps. The Frontdoor URL uses an existing session to log users into a new UI automatically without making them enter their credentials again. For Tableau Next embedding, only the embedded components need and use the frontdoor URL.
Frontdoor URLs are short-lived. To refresh a session, you must generate a new frontdoor URL.
For information on how to use the UI Bridge API to generate frontdoor URLs, see Generate a frontdoor URL to Bridge into UI Sessions.
- Don’t hard code OAuth tokens or frontdoor URLs in your client-side code.
- Pass credentials to the browser only when strictly necessary. Malicious actors can scrape credentials from the browser.
The SDK provides a logout() method to terminate the Salesforce session.
Using the logout() method logs out all other Salesforce sessions running in the same browser. Consider this impact as you design your user logout flow.
For more information, see logout().