Setting Up Headless Authentication with Salesforce

PublishedMay 03, 2024

ModifiedMay 05, 2024

With headless authentication, backend authentication can be segregated from frontend identity experiences, enhancing faster login experience. It enables each channel to provide unique UI experiences according to their brand guidelines.

Enable Authorization Code and Credentials Flow

The Authorization Code and Credentials Flow is the foundation of headless login. Enable this flow at an org-wide level. From Setup, select OAuth and OpenID Connect Settings and turn on Allow Authorization Code and Credentials Flows.

Create a Role to Manage Headless Identity Features

For identity and access management, it's important to define who can access what. Create a role to ensure that you have the right level of access to manage Headless Identity features. From Roles, click on Set Up Roles and select Add Role under the CEO.

Assign the role that you created to your System Administrator user. From Users, edit the System Administrator user and assign the newly created Role from the Role dropdown.

Assign Headless Admin Role to System Admin

Set Up Profile for End Users

For Headless Identity, you use profiles to define how your end users access data in Salesforce. New users are automatically assigned to this profile when they register. Instead of creating a new profile, you can clone an existing standard profile to get all of its preconfigured permissions and access settings. You can then customize the profile as needed. From Profiles, clone Customer Community User.

You must use an account to store information about your end users, including their contact records. Salesforce supports two types of accounts: business accounts, which store information about organizations, and person accounts, which store information about individuals. For this example, you use a business account to keep all your end-user records in one place. From Sales app, select Accounts Tab and click New to create a new account.

Set Up and Configure Experience Cloud Site

All orgs get a My Domain with enhanced domains by default. If you don't like your org's My Domain name or circumstances demand a change, you can rename it. From My Domain, edit My Domain Details.

Enabling digital experiences is the first step to creating your Experience Cloud site. From Digital Experiences | Settings, Select Enable Digital Experiences. If enhanced domains are enabled in your org, you see your digital experiences domain name.

From All Sites, Click New and Select a site template, e.g., Build Your Own (LWR) to create your Experience Cloud site. It is recommend that you don't provide a URL suffix for your site. That way, you're not required to remember it every time you need the Experience Cloud domain.

Because your Experience Cloud site stores all your user information, you must add your end-user profile to the site's membership. From Experience Workspaces, select Administration. From the Administration page, select Members and add "AEM Headless Profile" that you created earlier to the Selected Profiles.

Set Up Connected App for Headless Identity

To establish a connecttion between an external application and Salesforce, it's essential to setup a Connected App. During configuring the Connected App for headless authentication, ensure to activate the Authorization Code and Credentials Flow at the app level. To begin, navigate to App Manager and select New Connected App.

In a standard OAuth flow, users often see an approval screen where they confirm that an app is allowed to access their Salesforce data. With headless identity flows, you don't want to show users a Salesforce approval screen. To preapprove access, configure OAuth policies on your connected app. From Edit Policies, under OAuth Policies, set the Permitted Users policy to Admin approved users are pre-authorized.

On the Connected App Manage page, select Manage Profiles and add "AEM Headless Profile" that you created earlier.

When you create a Connected App, it generates a Consumer Key, also known as Client ID. This value allows Salesforce to identify your third-party app during headless identity flows. To access the Consumer Key, navigate to the App Manager, select View next to your app, then on the Connected App detail page, click Manage Consumer Details.

Create a User to Verify Headless Identity Setup

Enable self-registration on the Experience Cloud site to create a test user. Assign these users to the "AEM Headless Profile" profile and "AEM Headless Account" business account created earlier. If person accounts are enabled, refrain from populating the Account field. From All Sites, next to your Site, click Workspaces, select Administration, and then select Login & Registration.

Experience Cloud Site Register User Configuration

Within your Experience Cloud site's registration page, proceed to create a new end user. According to the settings configured for the registration page, the end user will be automatically included in the "AEM Headless Profile" and added as a contact to the "AEM Headless User" account.

Headless Login Postman Request

Now that you configured org-wide settings, Experience Cloud settings, and a connected app, you can test out the headless identity flows.

POST Authorization Request - /services/oauth2/authorize
Authorization
Basic Auth [Username & Password] will add Authorization header with the value Basic <username:password>, which contains the Base64-encoded username and password value.
Headers
Auth-Request-Type: Named-User
Body
response_type: code_credentials
client_id: [Connected App Consumer Key]
redirect_uri: [Connected App Callback URL]
POST Token Request - /services/oauth2/token
Body
code: Received in response during Authorization Request
grant_type: authorization_code
client_id: [Connected App Consumer Key]
redirect_uri: [Connected App Callback URL]
POST User Info - /services/oauth2/userinfo
Headers
Authorization: Bearer [access_token], received in response during Token Request
Content-Type: application/json
If the login was successful, you get a response containing information about the user.