This content describes an older version of this product.
AuthToken Class

Contains methods for getting and revoking access and refresh tokens that are issued when a user logs in via a single sign-on (SSO) flow that uses an authentication provider, such as Facebook.

Namespace

Auth

Usage

To authenticate users via an authentication provider, you must create a class that implements the Auth.RegistrationHandler interface. When a user logs in to Salesforce via a provider such as Facebook, they’re issued an access token and in some cases, a refresh token. To retrieve and revoke these tokens, use the methods in the Auth.AuthToken class.

AuthToken Methods

The following are methods for AuthToken. All methods are static.

getAccessToken(authProviderId, providerName)

Returns an access token for the current user using the specified 18-character identifier of an AuthProvider definition in your org and the proper name of the provider, such as Salesforce or Facebook.

Signature

public static String getAccessToken(String authProviderId, String providerName)

Parameters

authProviderId
Type: String
providerName
Type: String
The proper name of the provider. Here are valid values for each provider type.
  • Apple—Apple
  • Custom—For a custom authentication provider, use the value in the FriendlyName field on the AuthProvider object, such as MyProvider.
  • Facebook—Facebook
  • GitHub—GitHub
  • Google—Google
  • Janrain—Use the proper name of the third party, such as Yahoo!.
  • LinkedIn—LinkedIn
  • Microsoft—Microsoft
  • Microsoft Access Control Service—Microsoft Access Control Service
  • MuleSoft—MuleSoft
  • Open ID Connect—Open ID Connect
  • Salesforce—Salesforce
  • Slack—Slack
  • Twitter—This method doesn’t support the Twitter authentication provider.

Note

The providerName value that you pass into this method can be different from the value that’s returned if you query the ProviderType field on the AuthProvider object. For example, for Open ID Connect providers, OpenIdConnect is the ProviderType value for the AuthProvider object, but the expected providerName is Open ID Connect.

Return Value

Type: String

getAccessTokenMap(authProviderId, providerName)

Returns a map from the provider’s identifier to the access token for the currently logged-in Salesforce user. The identifier value depends on the provider. For example, for Salesforce, it’s the user ID, while for Facebook, it’s the user number.

Signature

public static Map<String, String> getAccessTokenMap(String authProviderId, String providerName)

Parameters

authProviderId
Type: String
providerName
Type: String
The proper name of the provider. Here are valid values for each provider type.
  • Apple—Apple
  • Custom—For a custom authentication provider, use the value in the FriendlyName field on the AuthProvider object, such as MyProvider.
  • Facebook—Facebook
  • GitHub—GitHub
  • Google—Google
  • Janrain—Use the proper name of the third party, such as Yahoo!.
  • LinkedIn—LinkedIn
  • Microsoft—Microsoft
  • Microsoft Access Control Service—Microsoft Access Control Service
  • MuleSoft—MuleSoft
  • Open ID Connect—Open ID Connect
  • Salesforce—Salesforce
  • Slack—Slack
  • Twitter—This method doesn’t support the Twitter authentication provider.

Note

The providerName value that you pass into this method can be different from the value that’s returned if you query the ProviderType field on the AuthProvider object. For example, for Open ID Connect providers, OpenIdConnect is the ProviderType value for the AuthProvider object, but the expected providerName is Open ID Connect.

Return Value

Type: Map<String, String>

refreshAccessToken(authProviderId, providerName, oldAccessToken)

Returns a map containing a refreshed access token from the third-party provider for the currently logged-in Salesforce user.

Signature

public static Map<String, String> refreshAccessToken(String authProviderId, String providerName, String oldAccessToken)

Parameters

authProviderId
Type: String
providerName
Type: String
The proper name of the third party. Here are valid values for each provider type.
  • Apple—Apple
  • Custom—For a custom authentication provider, use the value in the FriendlyName field on the AuthProvider object, such as MyProvider.
  • Facebook—Facebook
  • GitHub—GitHub
  • Google—Google
  • Janrain—Use the proper name of the third party, such as Yahoo!.
  • LinkedIn—LinkedIn
  • Microsoft—Microsoft
  • Microsoft Access Control Service—Microsoft Access Control Service
  • MuleSoft—MuleSoft
  • Open ID Connect—Open ID Connect
  • Salesforce—Salesforce
  • Slack—Slack
  • Twitter—This method doesn’t support the Twitter authentication provider.

Note

The providerName value that you pass into this method can be different from the value that’s returned if you query the ProviderType field on the AuthProvider object. For example, for Open ID Connect providers, OpenIdConnect is the ProviderType value for the AuthProvider object, but the expected providerName is Open ID Connect.

oldAccessToken
Type: String

Return Value

Type: Map<String, String>

Usage

The returned map contains AccessToken and RefreshError keys. Evaluate the keys in the response to check if the request was successful. For a successful request, the RefreshError value is null, and AccessToken is a token value. For an unsuccessful request, the RefreshError value is an error message, and the AccessToken value is null.

When successful, this method updates the token stored in the database, which you can get using Auth.AuthToken.getAccessToken().

If you’re using an OpenID Connect authentication provider, an id_token isn’t required in the response from the provider. If a Token Issuer is specified in the Auth. Provider settings and an id_token is provided anyway, Salesforce verifies it.

Example

String accessToken = Auth.AuthToken.getAccessToken('0SOD000000000DeOAI', 'Open ID Connect');
Map<String, String> responseMap = Auth.AuthToken.refreshAccessToken('0SOD000000000DeOAI', 'Open ID Connect', accessToken);

A successful request includes the access token in the response.

(RefreshError,null)(AccessToken,00DD00000007BhE!AQkAQFzj...)
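The following is an added example, not code from this reference page or from Salesforce, showing how a practitioner would wrap the getAccessToken/refreshAccessToken pair so that the AccessToken and RefreshError keys described under Usage are always checked before a token is handed to a caller. It assumes an AuthProvider record exists whose FriendlyName (an assumed value, 'MyOidcProvider') identifies an Open ID Connect provider, and that the AuthProvider object can be queried by FriendlyName to obtain its 18-character ID rather than hard-coding it as the page's example does.

```apex
// Added example (not from the Salesforce reference page): refresh the current
// user's access token for an Open ID Connect auth provider and branch on the
// AccessToken / RefreshError keys documented above.
// Assumed: an AuthProvider record with FriendlyName 'MyOidcProvider' exists.
public with sharing class OidcTokenRefresher {

    // Name expected by Auth.AuthToken for Open ID Connect providers. Note that
    // this differs from the ProviderType value ('OpenIdConnect') on AuthProvider.
    private static final String PROVIDER_NAME = 'Open ID Connect';

    // Look up the 18-character AuthProvider ID by its FriendlyName instead of
    // embedding an org-specific ID in code.
    private static String providerIdFor(String friendlyName) {
        AuthProvider ap = [
            SELECT Id
            FROM AuthProvider
            WHERE FriendlyName = :friendlyName
            LIMIT 1
        ];
        return String.valueOf(ap.Id);
    }

    // Returns a usable access token, refreshing it via the provider.
    // Throws if the refresh fails so callers never silently receive a null
    // or stale token. The token value is never written to debug logs.
    public static String freshAccessToken(String friendlyName) {
        String providerId = providerIdFor(friendlyName);
        String current = Auth.AuthToken.getAccessToken(providerId, PROVIDER_NAME);
        if (String.isBlank(current)) {
            throw new TokenRefreshException(
                'No access token stored for provider ' + friendlyName);
        }

        Map<String, String> result =
            Auth.AuthToken.refreshAccessToken(providerId, PROVIDER_NAME, current);

        // Per the documentation: success => RefreshError is null and AccessToken
        // holds a token; failure => RefreshError holds a message and AccessToken is null.
        String refreshError = result.get('RefreshError');
        String refreshed = result.get('AccessToken');
        if (refreshError != null || String.isBlank(refreshed)) {
            // Log only the provider name and the error text, never the token.
            System.debug(LoggingLevel.WARN,
                'Token refresh failed for ' + friendlyName + ': ' + refreshError);
            throw new TokenRefreshException('Token refresh failed: ' + refreshError);
        }
        // On success the page states Salesforce has already updated the stored token,
        // so a later Auth.AuthToken.getAccessToken() call returns the same value.
        return refreshed;
    }

    public class TokenRefreshException extends Exception {}
}
```

A caller such as `OidcTokenRefresher.freshAccessToken('MyOidcProvider')` gets either a token or an exception, which keeps the "RefreshError is null and AccessToken is set" check in one place rather than repeated at every call site.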

revokeAccess(authProviderId, providerName, userId, remoteIdentifier)

Revokes the access token for a specified SSO user from a provider such as Facebook. You can use this method only if the IsNotSsoUsable field on the associated ThirdPartyAccountLink object is set to false.

Signature

public static Boolean revokeAccess(String authProviderId, String providerName, String userId, String remoteIdentifier)

Parameters

authProviderId
Type: String
The ID of the authentication provider in Salesforce.
providerName
Type: String
The name of the third party. Here are valid providerName values for each provider type.

Important

The providerName value that you pass into this method must be lowercase.


  • Apple—apple
  • Custom—For a custom authentication provider, use a lowercase version of the value in the FriendlyName field on the AuthProvider object. For example, if the FriendlyName is MyProvider, use myprovider.
  • Facebook—facebook
  • GitHub—github
  • Google—google
  • Janrain—Use a lowercase version of the name of the third party, such as yahoo!.
  • LinkedIn—linkedin
  • Microsoft—microsoft
  • Microsoft Access Control Service—microsoft access control service
  • MuleSoft—mulesoft
  • Open ID Connect—open id connect
  • Salesforce—salesforce
  • Slack—slack
  • Twitter—twitter

Note

The providerName that you pass into this method is different from the value that you get if you query the ProviderType field on the AuthProvider object. For example, for Open ID Connect providers, the providerType value for the AuthProvider object is OpenIdConnect, but the providerName for the revokeAccess method is open id connect.

userId
Type: String
The 15-character ID for the user whose access is being revoked.
remoteIdentifier
Type: String
The unique ID for the user in the third-party system (this value is in the associated ThirdPartyAccountLink standard object).

Return Value

Type: Boolean

The return value is true if the revokeAccess() operation is successful; otherwise false.

Example

The following example revokes a Facebook user's access token.

Auth.AuthToken.revokeAccess('0SOxx00000#####', 'facebook', '005xx00000#####', 'ThirdPartyIdentifier_exist214176560#####');
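The following is an added example, not code from this reference page or from Salesforce, showing revokeAccess driven from the ThirdPartyAccountLink object rather than from hard-coded identifiers: it selects only links whose IsNotSsoUsable field is false (the condition the page states for this method), takes remoteIdentifier from the link record, and passes the 15-character form of the user ID and a lowercase providerName. The field names UserId, SsoProviderId and RemoteIdentifier on ThirdPartyAccountLink are assumed here; the page names only IsNotSsoUsable and the object itself.

```apex
// Added example (not from the Salesforce reference page): revoke a user's SSO
// access tokens for one auth provider, checking the ThirdPartyAccountLink first.
// Assumed (not stated on the page): ThirdPartyAccountLink exposes UserId,
// SsoProviderId and RemoteIdentifier fields alongside IsNotSsoUsable.
public with sharing class SsoAccessRevoker {

    // providerName must be the lowercase proper name documented above
    // (for example 'facebook' or 'open id connect'), not the
    // AuthProvider.ProviderType value such as 'OpenIdConnect'.
    // Returns the number of links whose token was successfully revoked.
    public static Integer revokeForUser(Id userId, Id authProviderId, String providerName) {
        // revokeAccess works only when IsNotSsoUsable is false, so filter on it
        // up front instead of discovering the failure from a false return value.
        List<ThirdPartyAccountLink> links = [
            SELECT RemoteIdentifier
            FROM ThirdPartyAccountLink
            WHERE UserId = :userId
              AND SsoProviderId = :authProviderId
              AND IsNotSsoUsable = false
        ];

        // The method documents a 15-character user ID; an Apex Id renders as 18
        // characters, so trim to the case-sensitive 15-character prefix.
        String userId15 = String.valueOf(userId).left(15);
        String providerId = String.valueOf(authProviderId);
        String lowerName = providerName.toLowerCase();

        Integer revoked = 0;
        for (ThirdPartyAccountLink link : links) {
            // Returns true on success, false otherwise; a failed revoke does not throw,
            // so count and report results rather than assuming success.
            Boolean ok = Auth.AuthToken.revokeAccess(
                providerId, lowerName, userId15, link.RemoteIdentifier);
            if (ok) {
                revoked++;
            } else {
                System.debug(LoggingLevel.WARN,
                    'revokeAccess returned false for user ' + userId15 +
                    ' and provider ' + lowerName);
            }
        }
        return revoked;
    }
}
```

Because this revokes another user's tokens, expose `SsoAccessRevoker.revokeForUser` only from an administrative action (for example a deprovisioning flow), and record the count it returns alongside the user and provider so that revocations are auditable without ever logging token values.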