Best Practice for Salesforce.com API authentication for background apps

Question

The Salesforce.com API seems to assume that you will always use the app as an active user. Their authentication methods (Session ID and OAuth) support this as they both require an authenticated user to "do something".

What is the strategy for when you have a background app that needs access to the API? The examples that I have seen ask for your full credentials - user name, password, and security token. Not only do I not want to know or store that information, but it can change (from password policies, etc) and I'd rather not have the app break because of that.

What is the "best practice" for long lived authentication to SFDCs APIs that does not require user interaction?

Answer 1

The SFDC API requests operate in the context of a user which is identified by a sessionId or access_token. So, to make API calls, sessionId is needed and you get that by storing the username/security token/password and by calling login whenever you need to.

Also, you can achieve this by using the interactive OAuth flow which will require the user to authorize your application. At this point, you will be given a long-lasting token called the refresh token. After that, at any point, you can go ahead and use OAuth2 token service to get a new access_token by just using a refresh token.

I guess this last approach will meet your needs, it's just that this would require one-time user interaction to originally sanction your application.