I wrote a web application which connects to the Salesforce API using the OAuth 2.0 web server flow, and that all works fine.
But now there is a requirement to access the
As eyescream's answer explains, there are security issues with the Webserver flow, since any malware listening to that port could also access the security token.
Thus, I want to explain how to use the User-Agent flow in this scenario:
Set REDIRECT_URI to any https-endpoint that you trust. Since your data will never reach that endpoint, it doesn't matter what endpoint you choose. For example, I use REDIRECT_URI = https://login.salesforce.com/, since I am sure that Salesforce themselves will not do anything harmful with a token to their own API, in case something goes wrong and they do actually receive it.
Since you are using a browser (CefSharp) directly in your application, you have access to the URL string. I do not know CefSharp, but I am sure there is something like a BeforeRedirect event which tells you the URL before actually redirecting.
Before every redirect, search the URL string for "access_token=". If you find that string, extract the token from the URL string and close the browser.
Make sure that you close the browser before the redirect. This ensures that the token never reaches the endpoint you chose in step 1.
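Pulling the three steps of this answer together, here is an added example of the URL check that the before-redirect handler would run; it is my code, not the answerer's, and it is written in Python so it can be run stand-alone (in CefSharp the same logic would sit in whatever handler fires before each navigation). The redirect URI, the state value and the sample URLs are constructed for the example, and the token in them is made up. Beyond what the answer says, it parses only the URL fragment (where the user-agent flow delivers the token), accepts the token only from the registered redirect endpoint, and checks the OAuth state parameter, so a stray "access_token=" on some other page or host is not mistaken for the callback.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical values for this example (not from the original answer): the
# redirect URI registered on the connected app and the random "state" value
# the app put into its authorize request.
REDIRECT_URI = "https://login.salesforce.com/"
EXPECTED_STATE = "b7f1c0a2d9e4"


class CallbackError(ValueError):
    """The navigation reached our redirect URI but the response is not usable."""


def _same_endpoint(a, b):
    """Compare scheme, host and path so only the registered redirect URI
    (not a lookalike host or another path on the same host) can deliver a token."""
    return (a.scheme.lower(), a.netloc.lower(), a.path or "/") == (
        b.scheme.lower(), b.netloc.lower(), b.path or "/")


def extract_token(url, redirect_uri=REDIRECT_URI, expected_state=EXPECTED_STATE):
    """Inspect one URL the embedded browser is about to navigate to.

    Returns None when the URL is not the token callback (let the browser keep
    going), a dict of the token fields when it is (close the browser now), and
    raises CallbackError for an OAuth error response or a state mismatch.
    """
    parts = urlsplit(url)
    if not _same_endpoint(parts, urlsplit(redirect_uri)):
        return None
    # The user-agent (implicit) flow returns the response in the fragment, so
    # only the fragment is parsed; a token in the query string is ignored.
    params = {k: v[0] for k, v in parse_qs(parts.fragment, keep_blank_values=True).items()}
    if "error" in params:
        raise CallbackError("%s: %s" % (params["error"], params.get("error_description", "")))
    if "access_token" not in params:
        return None  # e.g. the login page itself, served from the same host
    if params.get("state") != expected_state:
        raise CallbackError("state mismatch: response does not belong to our request")
    return params


def handle_navigations(urls):
    """Simulate the before-redirect handler over a sequence of navigations.
    Stops at the first callback and returns (token_fields, urls_loaded)."""
    loaded = []
    for url in urls:
        token = extract_token(url)
        if token is not None:
            return token, loaded  # browser is closed here; the callback URL is never loaded
        loaded.append(url)
    return None, loaded


if __name__ == "__main__":
    # Constructed navigation sequence: the authorize request, then the callback.
    sample = [
        "https://login.salesforce.com/services/oauth2/authorize"
        "?response_type=token&client_id=EXAMPLE&redirect_uri=https%3A%2F%2Flogin.salesforce.com%2F"
        "&state=" + EXPECTED_STATE,
        "https://login.salesforce.com/#access_token=00Dxx0000000000%21AQEAQ.example"
        "&instance_url=https%3A%2F%2Fna1.salesforce.com&token_type=Bearer"
        "&state=" + EXPECTED_STATE,
    ]
    token, loaded = handle_navigations(sample)
    print("pages loaded before the callback:", len(loaded))
    print("instance_url:", token["instance_url"])
```

The endpoint comparison is what makes the "trusted endpoint" advice hold up in practice: without it, any page the user is sent to during login that happens to contain "access_token=" would be treated as the callback.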