Authorization Code and Credentials Flow for Private Clients

Welcome to catchontosalesforce!

Description :

The Authorization Code and Credentials flow is especially for customer and partner. you unable to setup this flow for employees accessing the salesforce platform (login.salesforce.com). you can control Front-end and Back-end separately.

You call headless login API (OAuth 2.0) via Your Experience cloud site to handle the back-end work of authenticating users and granting access to protected Salesforce resources.

Steps to achieve :

Create Connected App.
Create JavaScript API.
Create Apex Controller.

Create Connected App :

you will create a Connected App with following configuration.

Enable OAuth Settings - must be enable
Callback URL - must be server rest resource URL Like., <Your Experience Site Base URL>/services/apexrest/code/exchangeCodeToAccessToken.
Selected OAuth Scopes - Based on your need.
Require Secret for Web Server Flow - Must be true.
Require Secret for Refresh Token Flow - Must be true.
Enable Client Credentials Flow - Must be true.
Enable Authorization Code and Credentials Flow - Must be true.
Permitted Users - Admin approved users are pre-authorized.

Create JavaScript API :

I have created a SF Authentication JavaScript Application. see. Javascript.

Headless GET /authorize call with response_type, client_id and redirect_uri.
Once Succeed, auto-call to redirect_uri (it's point to server-side SF Rest Resource) with code Param.
In server-side, we will get code Param and process /token to get access_token to authenticating users and granting access to protected salesforce resource.