+ Start a Discussion
Mahesh Reddy 5Mahesh Reddy 5 

Access Apex REST API's/ get Access token using customer portal users

Dear All,

We have created bunch of APEX REST API's (for data integration like creating Cases, adding attachments etc) in one of my clients org. And now we need to access these API's from external system (Java).

We are planning to use customer portal Url, user details to get access token and access those API's. In order to get access token we need "security token"  of that user but for customer portal users we cannot get "security token". So that now we are unable to access those API's using customer portal user.

Please let us know is it possible to access salesforce Apex REST API's using customer portal user logins.

Thanks in advance!!
Mahesh
pbattissonpbattisson
Hi Mahesh

Yes it is possible to use the REST API with portal users. In Spring 13 the ability to login these user types via OAuth 2 was added enabling them to be used for the REST APIs as well as the SOAP API.

The great Pat Patterson has a blog post about this on the developer relations blog (https://developer.salesforce.com/blogs/developer-relations/2013/02/oauth-for-portal-users.html) which gives some details about setting this up.
Mahesh Reddy 5Mahesh Reddy 5
Hi pbattisson,

Thanks for your reply.

We don't want any login UI's in SFDC side . In java program we need to use customer portal logins instead of regular salesforce user logins (data integration).

My requirement is,  we have created bunch of APEX REST API's in SFDC and we need to access these API's from external system (Java).

Is it possible to access these API's from external system using customer portal login details (customer portal username,password).

Thanks again,
Mahesh
pbattissonpbattisson
Hi Mahesh

As above, yes using OAuth. OAuth contains a flow called the username/password flow (see the documentation here (https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_username_password_flow.htm&language=en_US)) where you can simply provide the credentials in code to authenticate and then retrieve the access token. 

This is not the preferred method of using OAuth though and you should take great care in storing usernames and passwords (it is better to use another flow which requires a one time login rather than using this flow where data is stored).

You could also make the API public if you do not feel you need authentication. To do this you create a Force.com site and then expose the classes for the API as available to the guest user.

Paul
Mahesh Reddy 5Mahesh Reddy 5
Hi pbattisson,

OAuth username/password flow also required "Security token". User need to add "security token" to password. But for customer portal users we cannot get "Security token".

Thanks,
Sravan.
pbattissonpbattisson
You should only require the token on an untrusted network. As you are in control of where the API call roginates from and therefore should manage that IP you can whitelist it.

If not then I am afraid the answer will be no.


Mahesh Reddy 5Mahesh Reddy 5
Hi pbattisson,

Yes, In this case customers will access these API's from untrusted network.

Thanks again!!
pbattissonpbattisson
I which case the answer would appear to be no you cannot meet your requirements. I am surprised that the Java program would be from an untrusted/unknown network adn that would probably be the best avenue for you to explore.
pbattissonpbattisson
Mahesh

Someone has posted a similar question to which I have been able to provide a workaround using the SOAP API for login. You can view their question here (https://developer.salesforce.com/forums/ForumsMain?id=906F0000000Afq4IAC) or visit this stack exchange article (http://salesforce.stackexchange.com/questions/19121/should-oauth2-with-grant-type-password-work-for-high-volume-customer-portal) which will give more details on how to possibly manage this.