Authentication from Lightning Out

To handle authentication, you must manually provide a Salesforce session ID or authentication token when you initialize a Lightning Out app.

There are two supported ways to obtain an authentication token for use with Lightning Out.

  • On a Visualforce page, you can obtain the current Visualforce session ID using the expression {! $Api.Session_ID }. Sessions initiated using the session ID are intended for use only on Visualforce pages.
  • Elsewhere, an authenticated session is obtained using OAuth, following the same process you’d use to obtain an authenticated session to use with the REST API. In this case, you obtain an OAuth token, and can use it anywhere.

Lightning Out doesn’t handle authentication automatically for you. The $Lightning.use() function simply passes along to the security subsystem whatever authentication token you provide. For most organizations, the token is a session ID or an OAuth token.

Lightning Out has the same privileges as the session from which you obtain the authentication token. For Visualforce using {! $Api.Session_ID }, the session has the privileges of the current user. For OAuth, it’s whatever OAuth scope setting that the OAuth Connected App is defined with. Usually, using Lightning Out with OAuth requires you to grant “Full Access” scope to the Connected App returning the OAuth token.

When a Lightning Out authenticated session is granted with a session access token, the session persists access to any domain running in the active browser session. After a user is logged in with a valid access token, the session credentials are validated across all Salesforce applications running in the active browser session.

To prevent session persistence, Salesforce admins can lock the session to the originating IP address. To select this option, navigate to:

Setup > Security > Session Settings

Activate the Lock sessions to the IP address from which they originated checkbox.

See Also