          OAuth 2.0 Authorization and Session Management for Hybrid Apps

          Managing web sessions for hybrid apps is complex with a typical user-agent or refresh token flow. In these flows, a hybrid app sets the requested domain cookies and bridges an access token into a web session, but the access token and the web session aren’t connected. Instead, you must track when the access and refresh tokens expire and when the web session expires, and then manually rebridge the session to avoid interrupted service. To avoid this complex process, use the OAuth 2.0 hybrid app flows. These flows connect the access and refresh tokens with the web session to give hybrid apps direct web session management.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions
          Note: Mobile SDK 9.1 supports OAuth 2.0 hybrid app flows.

          With the OAuth 2.0 hybrid app token flow, you can access a variety of Salesforce domains by requesting values that let you set browser cookies. When you set up the flow, you create an external client app and assign scopes to it. These scopes determine the domains for which your app is requesting session IDs (SID) from Salesforce. During the hybrid app token flow, the authorizing server sends back SIDs and domain values for the requested domains in its response, along with an access token. After authorization, the hybrid app directly sets session cookies in the browser using the SIDs as the cookie values and the domain as the domain value. It also sets other cookies to directly bridge an access token into a web session without using frontdoor.jsp. During the hybrid refresh token flow, when a new access token is granted, the hybrid app receives updated domain SIDs. It can directly reset the session cookies and avoid interruptions.

          For the hybrid app token and refresh flows, Salesforce supports scopes that let you set cookies to access these domains.

          • Primary Salesforce web app
          • Content resources
          • Lightning apps
          • Visualforce pages

          For example, you build a hybrid app for your sales department to access information on the go, such as a dashboard that tracks top sales prospects. When users launch the hybrid app, they’re redirected to Salesforce to log in and authorize the app to access the requested scopes. After authorization, Salesforce sends the hybrid app the requested SIDs and domain values, along with an access token. The hybrid app uses these values to set session cookies in the browser and uses the access token to access data for native user interfaces. When a user clicks the button to open the top sales prospects dashboard, which is actually a Lightning web component that lives on your server, the browser opens. The browser cookies that were previously set allow access to the dashboard. When the user’s session expires, the hybrid app can use a refresh token to get a new access token and to directly reset the SIDs in the session cookies, so the user can continue to access the dashboard without interruption.

          For more information about developing hybrid apps with Salesforce Mobile SDK, see the Mobile SDK Development Guide. For more information about bridging web sessions, see Using Frontdoor.jsp to Bridge Sessions into Salesforce.

          • OAuth 2.0 Hybrid User-Agent Token Flow
            Use the OAuth 2.0 hybrid user-agent token flow to give hybrid apps direct management of web sessions. When the authorizing server grants an access token, it includes session IDs (SID) for the requested domains in its response. After authorization, the hybrid app can set Lightning, Visualforce, and content domain cookies and bridge an access token into a web session, providing uninterrupted service.
          • OAuth 2.0 Hybrid Web Server Flow
            Use the OAuth 2.0 hybrid web server flow to give hybrid apps direct management of web sessions. When the authorizing server grants an access token, it includes session IDs (SID) for the requested domains in its response. The hybrid app can then set Lightning, Visualforce, and content domain cookies and bridge an access token into a web session, providing uninterrupted service.
          • OAuth 2.0 Hybrid App Refresh Token Flow
            Use the OAuth 2.0 hybrid app refresh token flow to give hybrid apps direct management of web sessions after an initial session expires. When the authorizing server grants a new access token using the hybrid_refresh grant type, it includes the session IDs (SID) of the requested domains in its response. The hybrid app can set Lightning, Visualforce, and content domain cookies and use frontdoor.jsp to bridge the access token into a web session, providing uninterrupted service. The hybrid app refresh token flow renews access tokens issued by the OAuth 2.0 web server, user-agent, and hybrid app token flow.
          • OAuth 2.0 Hybrid App Flow Cookie Management
            When you use the OAuth 2.0 hybrid app token flow, you use scopes to request session IDs (SID) and domain values. You then use these SIDs and domain values to set browser cookies and establish sessions in your hybrid app. When you refresh your access token, you receive new SIDs and domains to reset the browser cookies.
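The following is an added example, not Salesforce's own code or part of this article, showing the cookie handling described above: the hybrid app reads the domain and SID values returned for each requested scope, checks each domain before it sets a cookie, and rebuilds the cookie set when a hybrid_refresh response delivers new SIDs. The response field names (lightning_domain, lightning_sid, and so on), the cookie name, the domain allowlist and both sample responses are assumptions constructed for the example.

```javascript
// Added example (not Salesforce's own code): build the browser session cookies
// from a hybrid app token response, and reset them after a hybrid_refresh.
// Response field names, cookie name and the domain allowlist are assumptions.

// Assumed mapping from each requested hybrid scope to the response keys that
// carry the domain and the session ID (SID) for that domain.
const SCOPE_FIELDS = {
  lightning:   { domainKey: "lightning_domain",   sidKey: "lightning_sid" },
  visualforce: { domainKey: "visualforce_domain", sidKey: "visualforce_sid" },
  content:     { domainKey: "content_domain",     sidKey: "content_sid" },
};

// Constructed allowlist of host suffixes the app will set cookies for. A SID
// is a live authenticated session, so the app checks every domain it is
// handed before writing a cookie rather than trusting the response blindly.
const TRUSTED_SUFFIXES = [".salesforce.com", ".force.com", ".visualforce.com"];

const SID_COOKIE_NAME = "sid"; // assumed cookie name

// True only for a bare, lower-cased hostname that ends in a trusted suffix
// (no scheme, port or path, and no leading/trailing dot).
function isTrustedDomain(domain) {
  if (typeof domain !== "string") return false;
  const d = domain.trim().toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(d) || d.startsWith(".") || d.endsWith(".")) return false;
  return TRUSTED_SUFFIXES.some((suffix) => d.endsWith(suffix));
}

// Turn one token response into cookie descriptors, one per requested scope.
// Fails closed: a missing SID/domain or an untrusted domain throws instead of
// producing an empty or misdirected cookie.
function buildSessionCookies(tokenResponse, scopes) {
  return scopes.map((scope) => {
    const fields = SCOPE_FIELDS[scope];
    if (!fields) throw new Error(`unknown hybrid scope: ${scope}`);
    const domain = tokenResponse[fields.domainKey];
    const sid = tokenResponse[fields.sidKey];
    if (!domain || !sid) throw new Error(`response has no SID/domain for scope ${scope}`);
    if (!isTrustedDomain(domain)) throw new Error(`untrusted cookie domain for scope ${scope}`);
    return { name: SID_COOKIE_NAME, value: sid, domain: domain.trim().toLowerCase(),
             path: "/", secure: true, httpOnly: true };
  });
}

// Serialise a descriptor into the attribute string a WebView cookie manager
// accepts. Secure keeps the SID off plaintext connections; HttpOnly keeps it
// away from page scripts.
function toCookieString(c) {
  const attrs = [`${c.name}=${c.value}`, `Domain=${c.domain}`, `Path=${c.path}`];
  if (c.secure) attrs.push("Secure");
  if (c.httpOnly) attrs.push("HttpOnly");
  return attrs.join("; ");
}

// After a hybrid_refresh response, rebuild the cookie set and report which
// domains received a new SID so the caller overwrites exactly those cookies.
function refreshSessionCookies(previous, refreshResponse, scopes) {
  const next = buildSessionCookies(refreshResponse, scopes);
  const changedDomains = next
    .filter((c) => !previous.some((p) => p.domain === c.domain && p.value === c.value))
    .map((c) => c.domain);
  return { cookies: next, changedDomains };
}

// Constructed sample responses; token and SID values are placeholders.
const TOKEN_RESPONSE = {
  access_token: "ACCESS_TOKEN_PLACEHOLDER",
  lightning_domain: "example.lightning.force.com",
  lightning_sid: "SID_LIGHTNING_1",
  visualforce_domain: "example--c.vf.force.com",
  visualforce_sid: "SID_VF_1",
  content_domain: "example--c.file.force.com",
  content_sid: "SID_CONTENT_1",
};
const REFRESH_RESPONSE = {
  ...TOKEN_RESPONSE,
  access_token: "ACCESS_TOKEN_PLACEHOLDER_2",
  lightning_sid: "SID_LIGHTNING_2",
  content_sid: "SID_CONTENT_2",
};

function demo() {
  const scopes = ["lightning", "visualforce", "content"];
  const initial = buildSessionCookies(TOKEN_RESPONSE, scopes);
  const refreshed = refreshSessionCookies(initial, REFRESH_RESPONSE, scopes);
  // Log only the affected domains, never the SID values themselves.
  console.log("session cookies reset for:", refreshed.changedDomains.join(", "));
  return { initial, refreshed };
}

demo();
```

In a real hybrid app the strings from toCookieString are handed to the platform cookie manager of the WebView before the web content is opened; the allowlist and the fail-closed checks are the parts worth keeping, because a SID set on the wrong host is a leaked session.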