OAuth 2.0 is the industry-standard protocol for authorization. It provides secure API call authorization from apps in a simple and standardized way. Using OAuth, one can authorize access to resources in another system without revealing user credentials to apps. For example, an operator authorizes the Glia platform to access a CRM so that the Glia platform can send data to the CRM.
Glia uses the OAuth 2.0 “authorization code” grant type for establishing access to the CRM:
- As a prerequisite, an “app account” should first be created for Glia in the CRM.
- When setting up the authorization in Glia, the operator enters the necessary parameters into the Glia system:
  - The authorization URL of the CRM, where the user is directed to log in
  - The access token URL of the CRM, which Glia uses to retrieve the access token
  - The client id and secret associated with the “app account” that was created for Glia
- Using this data, the Glia platform follows the “authorization code” flow:
  - The user is directed to the authorization URL to log in and authorize Glia to access the CRM
  - If the authorization succeeds, the CRM sends an authorization code (via the redirect URI specified in the “app account”) to Glia
  - Glia, using the authorization code and its client id and secret, fetches the access token and refresh token from the access token URL
For more about the authorization code grant and flow, see https://oauth.net/2/grant-types/authorization-code/.
The access token is what enables Glia to access the CRM and send data there. However, as access tokens usually expire in a relatively short time frame, it is expected that the CRM is configured to also return a refresh token. This is a long-lived token that allows Glia (using its client id and secret) to obtain a new access token in case the current one expires. Currently, a new access token is obtained each time a new export to the CRM is triggered.
If no refresh token was returned, only the access token is used (without refreshing it). Once it expires, the user has to log in again so that a new one can be obtained.
No expiration time is configured on Glia's side for the access or refresh token, so the CRM provider is responsible for setting the lifetime of those tokens.
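The three messages of the flow described above, plus the per-export token decision, as an added example (not Glia's or the CRM's own code). The URLs and credentials are constructed placeholders, and the `state` parameter and sending the client credentials in the form body are assumptions based on standard OAuth 2.0 practice rather than details stated on this page.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values (assumptions): not a real CRM or real credentials.
CFG = {
    "authorization_url": "https://crm.example/oauth2/authorize",
    "token_url": "https://crm.example/oauth2/token",
    "client_id": "app-account-id",
    "client_secret": "app-account-secret",
    "redirect_uri": "https://console.example/oauth",
}

def authorization_request(cfg):
    """Step 1: URL the user's browser is sent to. Returns (url, state)."""
    state = secrets.token_urlsafe(16)  # ties the callback to this attempt
    query = urlencode({"response_type": "code", "client_id": cfg["client_id"],
                       "redirect_uri": cfg["redirect_uri"], "state": state})
    return f'{cfg["authorization_url"]}?{query}', state

def code_from_callback(callback_url, expected_state):
    """Step 2: extract the code the CRM appended to the redirect URI."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    got = params.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this attempt")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def token_request(cfg, code):
    """Step 3: form body POSTed server-side to the access token URL."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": cfg["redirect_uri"],
            "client_id": cfg["client_id"],
            "client_secret": cfg["client_secret"]}

def before_export(cfg, stored):
    """Per export: refresh if a refresh token was returned, else reuse."""
    if stored.get("refresh_token"):
        return "refresh", {"grant_type": "refresh_token",
                           "refresh_token": stored["refresh_token"],
                           "client_id": cfg["client_id"],
                           "client_secret": cfg["client_secret"]}
    return "reuse", {"access_token": stored["access_token"]}
```

The client secret only ever appears in the server-to-server token and refresh requests, never in the browser redirect.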
Glia’s OAuth Guidelines for SalesForce
Under the Build section, go to Create → Apps → Edit.
- Ensure that `Enable OAuth Settings` is checked.
- The Callback URL box should include https://OPERATOR_CONSOLE_URL/oauth, for example https://app.salemove.com/oauth. Note that for EU customers the URL will be https://app.salemove.eu/oauth.
- The Selected OAuth Scopes must grant access to at least something. When a refresh token is used, ensure they also include the `Perform requests on your behalf at any time (refresh_token, offline_access)` scope.
Under the Build section, go to Create → Apps → Manage. Click Edit Policies. Set up IP policies.
- If IP Relaxation is set to `Enforce IP restrictions`, our Export API IPs must be whitelisted in the client's SalesForce app. The IPs can be found in Static external IP addresses.
Check authorization input
In the operator console, as a manager, go to Admin -> Advance Admin -> Exports -> Edit export. In the bottom right corner, you can see the OAuth authorization for webhooks. Click on Configure OAuth.
Fill in the `Authorization URL`. It must point to /services/oauth2/authorize, for example https://login.salesforce.com/services/oauth2/authorize. Also check the `Access Token URL`. It must point to /services/oauth2/token, for example https://omnibrowse-dev-ed.my.salesforce.com/services/oauth2/token.
Fill in the customer ID and customer secret. You can get those values from the SalesForce export app. Go to Build -> Apps and click on the SM Exports App.
The Customer key is visible. Click “Click to reveal” to show the Customer secret.
Copy the Consumer Secret and Consumer Key to the OAuth configuration in the Operator Console.
Click on Authorize Export. A dialog window will pop up asking you to log in to the system that will receive the export. In this example, SalesForce asks for the user and password. Enter your credentials and log in.
Please note that you might have to authorize Glia as a trusted app/vendor.
After authorizing, a message with the result will be displayed next to the “Configure OAuth” button.