Request an Authorization Code
To initiate the OAuth 2.0 web server flow, the external web service—via the connected app—posts an authorization code request using the authorization code grant type to the Salesforce authorization endpoint.
User Authenticates and Authorizes Access
Before Salesforce provides authorization codes to connected apps, the authenticating users are asked to log in to their Salesforce org.
Salesforce Grants Authorization Code
After users approve access to a connected app, Salesforce redirects users to the callback URL, where they can view the callback with an authorization code.
Request an Access Token
To request an access token, the connected app passes the authorization code to the Salesforce token endpoint as an HTTP POST.
Salesforce Grants an Access Token
After Salesforce validates the connected app’s credentials, it sends back a response with the access token. In this example, the response is in a JSON format.
Configure a Connected App
A connected app requests access to REST API resources on behalf of the client application. For a connected app to request access, it must be integrated with your org’s REST API using the OAuth 2.0 protocol. OAuth 2.0 is an open protocol that authorizes secure data sharing between applications through the exchange of tokens.
Apply an OAuth Authorization Flow
OAuth authorization flows grant a client app restricted access to REST API resources on a resource server. Each OAuth flow offers a different process for approving access to a client app, but in general the flows consist of three main steps.