Oauth flow support

Secure Integration to SF…yikes!

New bubbler trying to connect securely to Salesforce via OAuth server-server flow. The marketplace plugins are too restrictive with their fixed endpoints and user-password flow is not secure.

Its hard to believe - if I understand correctly - that I need to roll my own token storage and management to be able to use oauth server-server flow??? Really???

Someone please tell me Im wrong! :pray::pray: . Bonus points if can point me to documentation that clears up the mystery options and structure that is the bubble api connector plugin.

Ive spent weeks on this and going nowhere. I really like the idea of bubble and have some ideas but incomplete docs are undermining the experience for sure so far. Hopefully someone here has come out the other side of this.

I don’t know if anyone even knows what you’re looking for…my only assumption is you need help with sales force auth? Could you provide more detail…?

1 Like

Hi Chris. Sorry - I extended my post with more detail.

1 Like

You can either use bubbles built in oauth2 flow

Or setup manually with link to auth page, code for token exchange, refresh, auth check, etc.

Personally I tend to do these manually as bubbles oauth flow tends to have issues with some providers.

If you need more help send me a message, this is something we can knock out pretty quick on a consult call.

Yes this is possible using, if I remember, custom oAuth2 token (client_credentials). It’s also possible with the password auth (also custom oAuth2 token) but SF ask you to renew password often, so you will also need to update your app everytime password is modified.


1 Like

Really appreciate all the feedback to date.

What seems to be missing in the bubble api docs is detail; how to actually manage 1) the authentication for say server-server oauth flow and then 2) the subsequent calls that use whatever token is passed back in step 1.

I was advised that we need to manage the tokens ourselves in the database. Is this true? If yes, does anyone know how this is strung together eg what sort of bubble workflow to callout for token, how/where token should be stored? How to check for and manage refresh of an expired token? How to retrieve the stored token into a subsequent callout. Maybe a sequence diagram exists somewhere showing this working using bubble features?

Im a bubble newbie so think there are lots of assumed knowledge in the docs about how things work.

Any direction appreciated!

Using custom oAuth Bubble auth option, you don’t need to do anything manually like storing token into DB and care for refresh token. It’s all managed by Bubble

Ok that sounds promising. Thanks for confirming!

So the next challenge is what is the design difference between nesting api calls into one definition (or whatever bubble calls them) or should the auth call be split out away from the secure resource call? Sorry for dumb question - there isnt anything in docs that I can find to describe how best to structure calls in the api connector plugin, and why.

I don’t understand your question. You don’t care about the auth call if you use Bubble Auth section. Just add endpoint API Call after and if your authorization is working, you will be able to initialize them.

Thanks so much for your feedback. I will try to find some additional resources

1 Like

@Jici - following on from your feedback I now have an authenticated api connecting via server-server oauth flow which is great. However… what is not clear is how I pass values returned from the auth token response into the other API calls. For example, auth POST returns multiple attributes including ‘access_token’ and ‘instance_url’. I understand the token is somehow added to the following API calls, but how would I reference the auth response ‘instance_url’ param in the API calls ? At the moment I have it hardcoded to make it work, but should be able to pass the auth response param into the resulting calls right?

Can you share what you have actually?
Like I told you a couple of times… you DON’T need to care about that if you use Bubble auth part…

Im asking because I might need to access attributes from the response - I appreciate that I dont have to to make it work - as it is working - however, if I wanted to use attributes returned in the success response, could I do so? Apologies if it sounds repetitive and I sincerely appreciate your patience - I am trying to find the right words to describe the challenge, which is now not about authentication, it is about being able to access returned attributes in the auth post response in subsequent get requests.

Why? what is your use case?

What do you mean? In the API Connector? Again, please share what you have. All requests made under this auth is automatically authenticated the same way. Just add more request (GET POST DELETE… it’s doesn’t matter) The authentication is automatically passed to theses calls.

If I open the call like Get SF WO… you will not see anything related to auth because we don’t need to add that.

Rather than hardcode the request url host, I’d like to accommodate the ‘my domain’ setting by using what is returned in the initial authentication request. See example here. The idea would be rather than hardcode the host into the service api endpoints, I prepend the request urls with the instance_url that salesforce returns to me.

What do you want to do with that? You asked for server-to-server auth. This is normally to authenticate to your own SF account.
Now if you expect to authenticate your USER account, you should consider user-agent auth or manual auth like @chris.williamson1996 suggested and explained well here: [Showcase] Manual OAuth2 Token Integration


given all endpoints would use that instance_url, and that the domain will change between environments eg sandboxes vs prod that to change the endpoint host in one place would be a lot more efficient, rather than every api service needing its hardcoded host updated. It’s more a question of it is possible and if so how vs justifying why I might need it. I think your pic of shared parameter seems to be a decent option if cant pass response attribute. Thanks so much for sharing.

The API connector and plugin builder are both fully dynamic, everything you’re asking is possible.

At this point I’d recommend diving into some YouTube videos, bubble docs, etc.

If you’re looking to jump start it the quickest way is typically a consultation call where someone can walk you through it.

Found it as a noted problem from 2021… seems to be a connector limitation Shared parameters in GET call - #15 by charles_bubble

Basically, turn off the Auth part in Bubble (none or self-handled), create a Call to get the token using the same thing you have un Custom Auth Bubble option and pass the access_token to other call. That’s it. You don’t need to case for refresh token in client_credentials, just get a new one when you need it. But if you really care about that, you will need to store the info in DB. Finally, pass the auth access_token to other API Call using an Authorization header in each call (not shared headers), not private, and with Bearer access_token for each call.

1 Like