Authentication from Lightning Out

To handle authentication, you must manually provide a Salesforce session ID or an OAuth access token when you initialize a Lightning Out app.

There are two supported ways to handle authentication for Lightning Out.

  • Use a Salesforce session ID. For example, on a Visualforce page, you can obtain the current Visualforce session ID with the expression {! $Api.Session_ID }. Sessions initiated with this session ID are intended for use only on Visualforce pages.
  • Use an OAuth access token. Follow the same process that's used to authorize client applications that access Salesforce REST API resources. See Authorization Through Connected Apps and OAuth 2.0 in the REST API Developer Guide.

Lightning Out doesn't support JSON Web Tokens (JWT)-based access tokens. When implementing an OAuth authorization flow, use opaque access tokens instead.
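The two credential paths above come together at a single call, `$Lightning.use(appName, callback, endpoint, token)`, followed by `$Lightning.createComponent`. As an added example (not code from Salesforce's documentation), the JavaScript below wraps that call so it refuses a JWT-shaped token before Lightning Out rejects it, insists on an https endpoint, and accepts either a Visualforce session ID merged in with `{! $Api.Session_ID }` or an opaque OAuth access token obtained from your own server. `$Lightning.use` and `$Lightning.createComponent` are the Lightning Out API; the function names, the stand-in `makeFakeLightning` used so the file runs outside a browser, and the sample tokens are assumptions constructed for the example.

```javascript
// Added example (not Salesforce code): initialize a Lightning Out app with a
// session ID or OAuth access token and reject credentials Lightning Out cannot use.

// Decode one base64url segment (Buffer in Node, atob in the browser).
function decodeBase64Url(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== "undefined"
    ? Buffer.from(padded, "base64").toString("utf8")
    : atob(padded);
}

// Lightning Out rejects JWT access tokens. A JWT is three base64url segments whose
// first segment decodes to a JSON header carrying "alg"; an opaque Salesforce token
// (orgId!... form) never has that shape, so this check can fail fast client-side.
function looksLikeJwt(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    return false;
  }
  try {
    const header = JSON.parse(decodeBase64Url(parts[0]));
    return header !== null && typeof header === "object" && typeof header.alg === "string";
  } catch (err) {
    return false; // first segment is not JSON, so not a JWT header
  }
}

// Initialize the app. `lightning` is the $Lightning global (loaded from
// https://<your-domain>/lightning/lightning.out.js), passed in so the function can be
// exercised with a stand-in. `token` is either '{! $Api.Session_ID }' merged into a
// Visualforce page or an opaque OAuth access token fetched from your server, which
// ran the OAuth flow; never hard-code a token into a page served to users.
// The "origin with no path" endpoint rule is this example's own assumption.
function initLightningOut(lightning, opts) {
  const { appName, endpoint, token, componentName, attributes, domId, onCreated } = opts;
  if (!token) {
    throw new Error("no session ID or access token supplied");
  }
  if (looksLikeJwt(token)) {
    throw new Error("Lightning Out does not accept JWT access tokens; use an opaque token");
  }
  if (!/^https:\/\/[^/]+$/.test(endpoint)) {
    throw new Error("endpoint must be an https origin with no path: " + endpoint);
  }
  lightning.use(
    appName,
    function onAppReady() {
      // createComponent's callback receives the created component instance.
      lightning.createComponent(componentName, attributes || {}, domId, onCreated);
    },
    endpoint,
    token
  );
  return true;
}

// Constructed sample credentials (not real): an opaque-style token and a JWT whose
// header is {"alg":"HS256","typ":"JWT"}.
const SAMPLE_OPAQUE_TOKEN = "00D000000000001!AQEAQ0000000000000000000000000000000000";
const SAMPLE_JWT_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.c2ln";

// Stand-in for $Lightning so the example runs in Node: records each call and fires
// the callbacks synchronously, handing back a fake component object.
function makeFakeLightning() {
  const calls = [];
  return {
    calls,
    use(appName, callback, endpoint, token) {
      calls.push({ api: "use", appName, endpoint, token });
      callback();
    },
    createComponent(name, attributes, domId, callback) {
      calls.push({ api: "createComponent", name, domId });
      callback({ componentName: name, attributes });
    },
  };
}

// Drive the wrapper end to end with the stand-in; returns the recorded calls.
function runDemo(token) {
  const lightning = makeFakeLightning();
  let created = null;
  initLightningOut(lightning, {
    appName: "c:lightningOutApp",
    endpoint: "https://example.my.salesforce.com",
    token: token || SAMPLE_OPAQUE_TOKEN,
    componentName: "c:helloWorld",
    attributes: { greeting: "hi" },
    domId: "lightningLocator",
    onCreated: (cmp) => { created = cmp; },
  });
  return { calls: lightning.calls, created };
}
```

In a real page you would pass `window.$Lightning` instead of the stand-in and call `initLightningOut` once `lightning.out.js` has loaded; `runDemo()` exists only to show the call sequence (`use`, then `createComponent`) without a browser. Passing `SAMPLE_JWT_TOKEN` makes the wrapper throw before any network call, which is the failure you would otherwise see only after Lightning Out refused the token.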

Lightning Out has the same privileges as the session from which you obtain the authentication token. If you use a Salesforce session ID, the session has the privileges of the current user. If you use an OAuth access token, the token carries the privileges of the user who authorized the connected app, limited to the OAuth scopes you select when you create the connected app. Usually, Lightning Out requires you to grant Full Access scope to the connected app that returns the OAuth access token. Either way, the token is a bearer credential: any script that runs in the hosting page can read and use it, so treat the page that embeds the token as part of your trusted code and serve it over HTTPS.

An authenticated Lightning Out session grants access to any lightning.force.com domain open in the active browser session. After a user is authenticated, the session credentials are accepted by all Salesforce applications running in that browser session.

To limit where that session can be used, Salesforce admins can lock each session to the IP address from which it originated, so the same session credentials are rejected when presented from another address. From Setup, in the Quick Find box, enter Session Settings, and then select Session Settings. Then select Lock sessions to the IP address from which they originated. This also means a user whose address changes mid-session, for example on a mobile network, has to log in again.
