Setting Up Headless Authentication with Salesforce

With headless authentication, backend authentication can be segregated from frontend identity experiences, enhancing faster login experience. It enables each channel to provide unique UI experiences according to their brand guidelines.

Enable Authorization Code and Credentials Flow

The Authorization Code and Credentials Flow is the foundation of headless login. Enable this flow at an org-wide level. From Setup, select OAuth and OpenID Connect Settings and turn on Allow Authorization Code and Credentials Flows.
Allow Headless Code Credentilas

Create a Role to Manage Headless Identity Features

For identity and access management, it's important to define who can access what. Create a role to ensure that you have the right level of access to manage Headless Identity features. From Roles, click on Set Up Roles and select Add Role under the CEO.
Manage Headless Identity Features
Assign the role that you created to your System Administrator user. From Users, edit the System Administrator user and assign the newly created Role from the Role dropdown.
Assign Headless Admin Role to System Admin

Set Up Profile for End Users

For Headless Identity, you use profiles to define how your end users access data in Salesforce. New users are automatically assigned to this profile when they register. Instead of creating a new profile, you can clone an existing standard profile to get all of its preconfigured permissions and access settings. You can then customize the profile as needed. From Profiles, clone Customer Community User.
Set Up Profile for End Users
You must use an account to store information about your end users, including their contact records. Salesforce supports two types of accounts: business accounts, which store information about organizations, and person accounts, which store information about individuals. For this example, you use a business account to keep all your end-user records in one place. From Sales app, select Accounts Tab and click New to create a new account.
Create Account for End Users

Set Up and Configure Experience Cloud Site

All orgs get a My Domain with enhanced domains by default. If you don't like your org's My Domain name or circumstances demand a change, you can rename it. From My Domain, edit My Domain Details.
Setup Salesforce My Domain
Enabling digital experiences is the first step to creating your Experience Cloud site. From Digital Experiences | Settings, Select Enable Digital Experiences. If enhanced domains are enabled in your org, you see your digital experiences domain name.
Enable Digital Experience
From All Sites, Click New and Select a site template, e.g., Build Your Own (LWR) to create your Experience Cloud site. It is recommend that you don't provide a URL suffix for your site. That way, you're not required to remember it every time you need the Experience Cloud domain.
Create Experience Cloud Site
Because your Experience Cloud site stores all your user information, you must add your end-user profile to the site's membership. From Experience Workspaces, select Administration. From the Administration page, select Members and add "AEM Headless Profile" that you created earlier to the Selected Profiles.
Setup Profile for Experience Cloud Site

Set Up Connected App for Headless Identity

To establish a connecttion between an external application and Salesforce, it's essential to setup a Connected App. During configuring the Connected App for headless authentication, ensure to activate the Authorization Code and Credentials Flow at the app level. To begin, navigate to App Manager and select New Connected App.
Connected App for Headless Setup
In a standard OAuth flow, users often see an approval screen where they confirm that an app is allowed to access their Salesforce data. With headless identity flows, you don't want to show users a Salesforce approval screen. To preapprove access, configure OAuth policies on your connected app. From Edit Policies, under OAuth Policies, set the Permitted Users policy to Admin approved users are pre-authorized.
Connected App Auth Policies
On the Connected App Manage page, select Manage Profiles and add "AEM Headless Profile" that you created earlier.
Connected App Manage Profiles
When you create a Connected App, it generates a Consumer Key, also known as Client ID. This value allows Salesforce to identify your third-party app during headless identity flows. To access the Consumer Key, navigate to the App Manager, select View next to your app, then on the Connected App detail page, click Manage Consumer Details.
Connected App Manage Consumer Details

Create a User to Verify Headless Identity Setup

Enable self-registration on the Experience Cloud site to create a test user. Assign these users to the "AEM Headless Profile" profile and "AEM Headless Account" business account created earlier. If person accounts are enabled, refrain from populating the Account field. From All Sites, next to your Site, click Workspaces, select Administration, and then selectLogin & Registration.
Experience Cloud Site Register User Configuration
Within your Experience Cloud site's registration page, proceed to create a new end user. According to the settings configured for the registration page, the end user will be automatically included in the "AEM Headless Profile" and added as a contact to the "AEM Headless User" account.

Headless Login Postman Request

Now that you configured org-wide settings, Experience Cloud settings, and a connected app, you can test out the headless identity flows.
  • POST Authorization Request - /services/oauth2/authorize
    Basic Auth [Username & Password] will add Authorization header with the value Basic <username:password>, which contains the Base64-encoded username and password value.
    Auth-Request-Type: Named-User
    response_type: code_credentials
    client_id: [Connected App Consumer Key]
    redirect_uri: [Connected App Callback URL]
    Headless Login Authorization Request
  • POST Token Request - /services/oauth2/token
    code: Received in response during Authorization Request
    grant_type: authorization_code
    client_id: [Connected App Consumer Key]
    redirect_uri: [Connected App Callback URL]
    Headless Login Access Token Request
  • POST User Info - /services/oauth2/userinfo
    Authorization: Bearer [access_token], received in response during Token Request
    Content-Type: application/json
    Headless Login UserProfile InfoIf the login was successful, you get a response containing information about the user.