New bubbler trying to connect securely to Salesforce via OAuth server-server flow. The marketplace plugins are too restrictive with their fixed endpoints and user-password flow is not secure.
Its hard to believe - if I understand correctly - that I need to roll my own token storage and management to be able to use oauth server-server flow??? Really???
Someone please tell me Im wrong! . Bonus points if can point me to documentation that clears up the mystery options and structure that is the bubble api connector plugin.
Ive spent weeks on this and going nowhere. I really like the idea of bubble and have some ideas but incomplete docs are undermining the experience for sure so far. Hopefully someone here has come out the other side of this.
Yes this is possible using, if I remember, custom oAuth2 token (client_credentials). It’s also possible with the password auth (also custom oAuth2 token) but SF ask you to renew password often, so you will also need to update your app everytime password is modified.
What seems to be missing in the bubble api docs is detail; how to actually manage 1) the authentication for say server-server oauth flow and then 2) the subsequent calls that use whatever token is passed back in step 1.
I was advised that we need to manage the tokens ourselves in the database. Is this true? If yes, does anyone know how this is strung together eg what sort of bubble workflow to callout for token, how/where token should be stored? How to check for and manage refresh of an expired token? How to retrieve the stored token into a subsequent callout. Maybe a sequence diagram exists somewhere showing this working using bubble features?
Im a bubble newbie so think there are lots of assumed knowledge in the docs about how things work.
Using custom oAuth Bubble auth option, you don’t need to do anything manually like storing token into DB and care for refresh token. It’s all managed by Bubble
So the next challenge is what is the design difference between nesting api calls into one definition (or whatever bubble calls them) or should the auth call be split out away from the secure resource call? Sorry for dumb question - there isnt anything in docs that I can find to describe how best to structure calls in the api connector plugin, and why.
I don’t understand your question. You don’t care about the auth call if you use Bubble Auth section. Just add endpoint API Call after and if your authorization is working, you will be able to initialize them.
@Jici - following on from your feedback I now have an authenticated api connecting via server-server oauth flow which is great. However… what is not clear is how I pass values returned from the auth token response into the other API calls. For example, auth POST returns multiple attributes including ‘access_token’ and ‘instance_url’. I understand the token is somehow added to the following API calls, but how would I reference the auth response ‘instance_url’ param in the API calls ? At the moment I have it hardcoded to make it work, but should be able to pass the auth response param into the resulting calls right?
Im asking because I might need to access attributes from the response - I appreciate that I dont have to to make it work - as it is working - however, if I wanted to use attributes returned in the success response, could I do so? Apologies if it sounds repetitive and I sincerely appreciate your patience - I am trying to find the right words to describe the challenge, which is now not about authentication, it is about being able to access returned attributes in the auth post response in subsequent get requests.
What do you mean? In the API Connector? Again, please share what you have. All requests made under this auth is automatically authenticated the same way. Just add more request (GET POST DELETE… it’s doesn’t matter) The authentication is automatically passed to theses calls.
Rather than hardcode the request url host, I’d like to accommodate the ‘my domain’ setting by using what is returned in the initial authentication request. See example here. The idea would be rather than hardcode the host into the service api endpoints, I prepend the request urls with the instance_url that salesforce returns to me.
What do you want to do with that? You asked for server-to-server auth. This is normally to authenticate to your own SF account.
Now if you expect to authenticate your USER account, you should consider user-agent auth or manual auth like @chris.williamson1996 suggested and explained well here: [Showcase] Manual OAuth2 Token Integration
given all endpoints would use that instance_url, and that the domain will change between environments eg sandboxes vs prod that to change the endpoint host in one place would be a lot more efficient, rather than every api service needing its hardcoded host updated. It’s more a question of it is possible and if so how vs justifying why I might need it. I think your pic of shared parameter seems to be a decent option if cant pass response attribute. Thanks so much for sharing.
Basically, turn off the Auth part in Bubble (none or self-handled), create a Call to get the token using the same thing you have un Custom Auth Bubble option and pass the access_token to other call. That’s it. You don’t need to case for refresh token in client_credentials, just get a new one when you need it. But if you really care about that, you will need to store the info in DB. Finally, pass the auth access_token to other API Call using an Authorization header in each call (not shared headers), not private, and with Bearer access_token for each call.
