Monday, June 1, 2015

Is the Salesforce OAuth Username-Password Flow a security risk?


When a user logs in from the UI, SFDC checks whether this is the first successful login attempt from that machine. If it is, it asks for an additional security code, which is sent to the user's email address. The only exception is when that machine's IP address is within a trusted IP range.

A similar additional check is implemented for the SOAP API login call: it requires the user name, password and security token to get access to any data.

Given the above security measures, the Salesforce OAuth Username-Password flow seems vulnerable, because you do not need any additional information to call it.

I mean you definitely need a client_id and client_secret, but anyone can create a connected app in a developer org, and with that they can bypass the security if they just have the user name and password.


Am I missing something?
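As an added example (not from the original post), here is a small review script a Salesforce admin could run over an export of login history to spot the scenario described above: successful OAuth 2.0 connected-app logins that arrive from outside the org's trusted IP ranges, or through a connected app that is not on an approved list. The record fields mirror the shape of Salesforce's LoginHistory object, but the sample records, the trusted ranges, the approved-app list and the exact LoginType label used to identify OAuth logins are constructed assumptions to be checked against your own org's data.

```python
"""Review login-history records for OAuth username-password logins that
bypassed the UI and SOAP safeguards described in the post.

Added example, not part of the original post. Record fields follow the
shape of Salesforce's LoginHistory object (Username, LoginType,
Application, SourceIp, Status). All sample values below are constructed,
and the LoginType label for OAuth 2.0 connected-app logins is an
assumption to verify against a real export.
"""
import ipaddress

# Constructed stand-in for the org's trusted IP ranges (Network Access).
TRUSTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed allow-list of connected apps the org actually sanctioned.
APPROVED_APPS = {"Integration"}

# Assumed LoginType label for OAuth 2.0 connected-app logins.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"

# Constructed records; none of this is real login data.
SAMPLE_LOGINS = [
    {"Username": "alice@example.com", "LoginType": "Application",
     "Application": "Browser", "SourceIp": "203.0.113.10",
     "Status": "Success"},
    {"Username": "alice@example.com", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "Dev Connected App", "SourceIp": "192.0.2.77",
     "Status": "Success"},
    {"Username": "bob@example.com", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "Integration", "SourceIp": "198.51.100.5",
     "Status": "Success"},
    {"Username": "carol@example.com", "LoginType": OAUTH_LOGIN_TYPE,
     "Application": "Dev Connected App", "SourceIp": "192.0.2.78",
     "Status": "Failed: Invalid Password"},
]


def is_trusted(ip, trusted=TRUSTED_RANGES):
    """True if the source IP falls inside any trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def review_logins(records, trusted=TRUSTED_RANGES, approved=APPROVED_APPS,
                  login_type=OAUTH_LOGIN_TYPE):
    """Return (record, reasons) pairs for successful OAuth logins that came
    from an untrusted IP and/or through an unapproved connected app.

    Failed logins and non-OAuth login types are skipped: the post's concern
    is a login that succeeded without the UI or SOAP safeguards."""
    flagged = []
    for rec in records:
        if rec["LoginType"] != login_type or rec["Status"] != "Success":
            continue
        reasons = []
        if not is_trusted(rec["SourceIp"], trusted):
            reasons.append("untrusted_ip")
        if rec["Application"] not in approved:
            reasons.append("unapproved_app")
        if reasons:
            flagged.append((rec, reasons))
    return flagged


if __name__ == "__main__":
    for rec, reasons in review_logins(SAMPLE_LOGINS):
        print(f'{rec["Username"]} via "{rec["Application"]}" '
              f'from {rec["SourceIp"]}: {", ".join(reasons)}')
```

Because the post's concern is that the flow needs nothing beyond client credentials plus a username and password, the two signals that remain observable after the fact are the source IP and the connected app that was used; reviewing both, and limiting which users each connected app may authorize (Salesforce's connected-app permitted-users policy), is the defender's side of this question.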
