OAuth 2.0 Authentication

This page describes OAuth 2.0 authentication setups for several widely used services. It also shows how to read each provider's documentation and turn it into the token request that IMan must send.

  • Salesforce
    • Salesforce is a CRM/Cloud Application Platform.
  • Twitter
    • Short messaging service, used by narcissists and shouty people.
  • PayPal
    • A payment gateway.


The Salesforce API documentation (https://goo.gl/v365UT) lists three supported authorisation workflows: the Web server flow, the User-agent flow and the Username-password flow.

Both the Web server and User-agent flows require a redirect URL (they are three-legged), so we need to use the Username-password flow: https://goo.gl/Hvh8II

As with almost all two-legged workflows, the application must first be registered with the provider (Salesforce) so that a client ID and client secret can be generated for it: https://goo.gl/3C5LgF

Once the client ID and secret are known we can set up the OAuth settings in IMan.

The Salesforce documentation describes the request:

Unfortunately the documentation neglects to mention how these parameters are to be passed; a quick search through the rest of the documentation shows that URL-encoded form parameters (application/x-www-form-urlencoded) are used.

The documentation also provides an example response:


From the request description and the example response we can see that a successful authorisation requires a request like this:

POST https://login.salesforce.com/services/oauth2/token HTTP/1.1
Accept: application/json; charset=utf8
User-Agent: realisable-iman-salesforce/v29.0
Content-Type: application/x-www-form-urlencoded
Host: login.salesforce.com

grant_type=password&client_id=[some client id]&client_secret=[some client_secret]&username=[some user_name]&password=[some password]

Configuring IMan to create an authorisation request such as this is straightforward and is done via the IMan setup screen.

Let's look at the required request and where each of its values maps into the setup screen:

The token request settings:



Twitter supports a number of OAuth authentication workflows, one of which is the application-only workflow: https://goo.gl/UNbKKx

As you can see, the diagram for this workflow matches the implicit grant (two-legged) description above:

An example token request for Twitter is shown below:

POST https://api.twitter.com/oauth2/token HTTP/1.1
Authorization: Basic eHZ6MWV2RlM0d0VFUFRHRUZQSEJvZzpMOHFMdzhpRUo4OERSZHlPZw==
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=client_credentials
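As an added example (not IMan's code, and not taken from the Salesforce or Twitter documentation), the following Python builds both token requests discussed on this page: the Salesforce username-password grant, where the credentials travel in the URL-encoded body, and the Twitter application-only grant (the client credentials grant in RFC 6749 terms), where the consumer key and secret are URL-encoded, joined with a colon and base64-encoded into a Basic Authorization header. It also validates the JSON token response before the token is used, which is the check IMan (or any client) should make rather than trusting the body blindly. Function names, the Salesforce security token handling and the sample credentials are assumptions for the illustration; the consumer key and secret used in the usage call are the ones encoded in the Authorization header above, so the function reproduces that header exactly.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Hypothetical helper module written for this page; it is not part of IMan.
SALESFORCE_TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
TWITTER_TOKEN_URL = "https://api.twitter.com/oauth2/token"


def salesforce_password_grant(client_id, client_secret, username, password,
                              security_token=""):
    """Build the Salesforce username-password (resource owner password) request.

    Returns (url, headers, body). The body is application/x-www-form-urlencoded,
    so urlencode() escapes characters such as '@', '&' and '=' that would
    otherwise corrupt the parameter list. Salesforce expects the user's
    security token appended to the password when the call does not come from
    a trusted IP range, which is why security_token is concatenated here.
    """
    fields = {
        "grant_type": "password",          # the grant the docs call username-password
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }
    headers = {
        "Accept": "application/json; charset=utf8",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return SALESFORCE_TOKEN_URL, headers, urlencode(fields)


def basic_auth_header(consumer_key, consumer_secret):
    """Twitter application-only credentials: URL-encode key and secret,
    join with ':', base64 the result and prefix 'Basic '."""
    credentials = f"{quote(consumer_key, safe='')}:{quote(consumer_secret, safe='')}"
    token = base64.b64encode(credentials.encode("ascii")).decode("ascii")
    return f"Basic {token}"


def twitter_client_credentials_grant(consumer_key, consumer_secret):
    """Build the Twitter application-only (client credentials) request.

    The secret goes in the Authorization header, not the body; the body only
    names the grant type.
    """
    headers = {
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    return TWITTER_TOKEN_URL, headers, urlencode({"grant_type": "client_credentials"})


def parse_token_response(body, expected_token_type):
    """Validate a JSON token response and return the access token.

    Raises ValueError for an OAuth error response, a missing access_token
    or a token_type other than the one the client was written for.
    """
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: "
                         f"{data.get('error_description', '')}")
    token_type = data.get("token_type", "")
    if token_type.lower() != expected_token_type.lower():
        raise ValueError(f"unexpected token_type {token_type!r}")
    if not data.get("access_token"):
        raise ValueError("response has no access_token")
    return data["access_token"]


if __name__ == "__main__":
    # Constructed sample values; the Twitter pair is the one encoded in the
    # example Authorization header on this page.
    url, headers, body = salesforce_password_grant(
        "[some client id]", "[some client_secret]", "user@example.com",
        "p&ss=w0rd", security_token="SECURITYTOKEN")
    print(url, headers, body, sep="\n")
    print(basic_auth_header("xvz1evFS4wEEPTGEFPHBog", "L8qLw8iEJ88DRdyOg"))
    # Constructed Salesforce-style response body, not a real token.
    sample = '{"access_token":"00Dx0000000BV7z!AR8AQ","instance_url":"https://na1.salesforce.com","token_type":"Bearer"}'
    print(parse_token_response(sample, "Bearer"))
```

The builders return (url, headers, body) rather than sending anything, so the example runs offline; posting the tuple with any HTTP client completes the exchange. Keep the returned body and headers out of logs, since both carry the client secret or the user's password in clear form.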


Configuring a token request in IMan

IMan Setup


The setup was derived exclusively from the API documentation.


We recommend creating a sandbox account first.

The Client ID is the Client ID from the App Setup; the Client Secret is the Secret.

IMan Setup