Configuring OAuth Client Authentication for DBAmp


Configuring OAuth Client Authentication for DBAmp


This page explains how to configure OAuth client authentication for DBAmp. The process consists of the following steps, which should be completed in this order:

  1. Create and configure a Salesforce external client app.

  2. Configure DBAmp to use OAuth Client authentication.

  3. Update your linked server security settings.

Note: If you already created the Salesforce external client app, you can skip directly to Configuring DBAmp for OAuth Client Authentication.

Creating and Configuring a Salesforce External Client App

This section explains how to create and configure a Salesforce external client app and how to obtain the OAuth Client credentials that you use later when you configure DBAmp.

Create the External Client App

To create the Salesforce external client app:

  1. On the Setup page in the Salesforce UI, enter External Client Apps in the Quick Find search. In the search results, select External Client App Manager.

  2. In the External Client App Manager, select New External Client App.

  3. In the Basic Information section, enter a name for your external client app and your email address.

  4. Under API (Enable OAuth Settings), click Enable OAuth. Enter a value in the Callback URL text box.

    Note: Setting this value is required to create the app. However, it is not actually needed for this type of authentication, so the specific URL that you enter does not matter. The URL should be in this format: http://localhost:3333.

  5. Under OAuth scopes, select the permissions that the external client app should request from the user. Two permissions are required: Manage user data via APIs(api) and Perform request at any time (refresh_token, offline_access). Any other permissions are your choice.

  6. Under Flow Enablement, select Enable Client Credentials Flow.

  7. Under Security, select Require secret for Web Server Flow, Require secret for Refresh Token Flow, and Require Proof Key for Code Exchange (PKCE extension) for Supported Authorization Flow.

  8. Click Create (bottom of the page).

After you complete these steps, you can configure the app.

Configure the External Client App

To configure the external client app:

  1. Navigate to the Policies page for the app and click Edit.

  2. In the Permitted Users selection list under Plugin Policies, select Admin approved users are pre-authorized.

  3. Under OAuth Flows and External Client App Enhancements, select Enable Client Credentials Flow. Then, set Run as (Username) to the Salesforce user account that the client credentials flow should run as.

  4. Under App Policies, ensure that the profile of your intended DBAmp user is selected in the Select Profiles section.

Obtain the OAuth Client Id and Client Secret

Now that you have created the external client application, you must obtain the OAuth consumer key and secret as follows.

  1. On the Setup page in the Salesforce UI, enter External Client Apps in the Quick Find search box. In the search results, select External Client App Manager.

  2. In the External Client App Manager, select YourAppName > Settings.

  3. Under OAuth Settings, click Consumer Key and Secret to obtain the key and secret. The consumer key is the OAuth client Id and the consumer secret is the OAuth client secret.

    Save the key and secret so you can enter it in step 3 of Add an OAuth Client User in the next section.

After you complete these steps, continue to the next section to complete the configuration of DBAmp.

Configuring CData DBAmp for OAuth Client Authentication

To configure DBAmp for OAuth Client authentication, you need to configure the authentication scheme, add an OAuth Client user, and update your linked-server security settings.

Configure the Authentication Scheme

To configure the authentication scheme:

  1. Open the DBAmp Configuration program and select Configuration > Settings.

  2. Set Auth Scheme to OAuthClient.

  3. Click OK.

After you set the authentication scheme, the Add Users option becomes available on the Configuration menu. You use this option in the next section to add the OAuth client user.

Add an OAuth Client User

To add an OAuth Client user:

  1. Select Configuration > Add Users to open the Add Users dialog box.

  2. Click Add to open the Add User dialog box.

  3. Configure the fields in the Add User dialog box as follows:

    • SQL Username: Enter a user name of your choice. This value corresponds to the value for Remote login on your linked server. This value serves only as an identifier that links the linked server to the OAuth client user.

    • SQL Password: Enter a password. This value corresponds to the value for With password on the linked server. This value serves only as an identifier that associates the linked server with the OAuth client user configuration.

    • SF Login URL: Enter your Salesforce MyDomain URL.

      Note: You must use your Salesforce MyDomain URL to log in with the client credentials flow. This flow does not support login calls to login.salesforce.com or test.salesforce.com.

    • OAuth Client Id: Enter the consumer key (which corresponds to the OAuth client Id) that you obtained earlier from your external client app.

    • OAuth Client Secret: Enter the consumer secret (which equates to the OAuth client secret) that you obtained earlier.

    • (Optional) Use Sandbox: Enable this option only if the MyDomain URL points to a Salesforce sandbox environment.

  4. Click OK to exit the Add User dialog box.

  5. Click OK again to exit the Add Users dialog box.

Update Security Settings for Your Linked Server

After you add the OAuth client user, you need to update the security settings for your linked server.

  1. Open the linked server properties.

  2. On the Security tab:

    1. Set Remote Login to the value that you specified earlier in the DBAmp SQL Username field.

    2. Set With password to the value that you specified earlier in the DBAmp SQL Password field.

The following image illustrates the mapping between the linked server properties and the DBAmp configuration settings:

After you update the security settings, restart the daemon service by selecting Configuration > Daemon Console > Restart. This action ensures that the daemon service applies all of the settings and security updates to the configuration.