Pros and cons of user-agent flow vs web server flow

The User Agent (UA) and Web Server (WS) flows have two different security purposes. The main difference is that UA is used for untrusted clients, while WS is used for a server application; the WS uses a Client Secret (CS) as an extra authorization parameter to prevent spoofing servers.

The reason for this is that if a server is compromised, everyone using that server is compromised, and the CS can be changed to prevent those rogue servers from authenticating users. The UA flow naturally assumes the client is untrusted, which is okay, because each individual client has to be compromised in order to have a major security problem. It's a matter of scale.

So, the general rule is this: if the client is the one authenticating, use the UA flow, while if the server is the one authenticating, use the WS flow. While you can use either flow in either situation, using the wrong flow in the wrong situation is a major security risk.

UA flows should be used for any mobile or desktop app where the source code may be viewed. WS flows should be used for any server/cloud application where the business logic source code cannot be viewed.


You are asking this question so you know that OAuth is used to grant an application access to Salesforce as a specific user. This application can be a server application (e.g. Workbench, DocuSign) or a client app (e.g. browser-based app, mobile app). The distinction between these is that a client app's source code is distributed, while a server application's source code is protected.

In the server application's case (web server flow), the application first sends the user to authenticate on Salesforce. Salesforce then sends an authorization code to the application. The application then uses this code and the saved consumer secret to obtain an OAuth token. Because of the consumer secret, Salesforce trusts this application. There are two API calls to get the OAuth token.

In the client app's case (user access flow), after user authentication, Salesforce appends the OAuth token to the redirect URL and redirects the user. You see, in this case the consumer secret is not used. And the token is exposed. But this flow is more efficient as there is only one call to get the token. This token has a very short life span.

There are other advanced options to enhance security in both the flows.

These links are also helpful:

- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_authentication.htm
- https://auth0.com/docs/api-auth/which-oauth-flow-to-use
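To make the difference between the two flows concrete, here is an added toy simulation (example code written for this page, not Salesforce's endpoints or either answer's code) of the authorization server side of both answers above: the web server flow hands the app an authorization code that can only be turned into a token by a second, back-channel call carrying the consumer secret, while the user-agent flow returns a short-lived token directly in the redirect URL fragment. The class and method names (`AuthServer`, `authorize`, `token`, `validate`), the URLs and the secret values are all constructed for the example.

```python
"""Toy OAuth authorization server showing the web server (code + secret)
flow next to the user-agent (token in fragment) flow. Constructed example;
not Salesforce's real protocol implementation."""
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class AuthServer:
    def __init__(self, ua_token_ttl=600, ws_token_ttl=7200):
        self.apps = {}     # client_id -> (client_secret or None, registered redirect_uri)
        self.codes = {}    # authorization code -> (client_id, redirect_uri, user)
        self.tokens = {}   # access token -> (user, expiry timestamp)
        self.ua_ttl = ua_token_ttl   # user-agent tokens are deliberately short-lived
        self.ws_ttl = ws_token_ttl

    def register(self, client_id, redirect_uri, client_secret=None):
        """A connected app: server apps get a secret, client apps do not."""
        self.apps[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, response_type, redirect_uri, user):
        """Front-channel step: the user has authenticated; build the redirect."""
        _, registered_uri = self.apps[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri mismatch")
        if response_type == "code":            # web server flow, call 1 of 2
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, redirect_uri, user)
            return f"{redirect_uri}?code={code}"
        if response_type == "token":           # user-agent flow, the only call
            tok = self._issue(user, self.ua_ttl)
            # token travels in the fragment, so it is visible to the user agent
            return f"{redirect_uri}#access_token={tok}&expires_in={self.ua_ttl}"
        raise ValueError("unsupported response_type")

    def token(self, client_id, code, client_secret, redirect_uri):
        """Back-channel step (web server flow, call 2 of 2): code + secret -> token."""
        entry = self.codes.pop(code, None)     # codes are single-use, success or not
        if entry is None:
            return None
        code_client, code_uri, user = entry
        secret, _ = self.apps.get(client_id, (None, None))
        if code_client != client_id or code_uri != redirect_uri:
            return None
        if secret is None or not secrets.compare_digest(secret, client_secret or ""):
            return None                        # no valid secret: code alone is worthless
        return self._issue(user, self.ws_ttl)

    def _issue(self, user, ttl):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (user, time.time() + ttl)
        return tok

    def validate(self, tok, now=None):
        """True while the token exists and has not expired."""
        now = time.time() if now is None else now
        entry = self.tokens.get(tok)
        return entry is not None and entry[1] > now


def web_server_flow(srv, client_id, client_secret, redirect_uri, user):
    """Two calls: receive the code on the callback, then exchange it server-side."""
    callback = srv.authorize(client_id, "code", redirect_uri, user)
    code = parse_qs(urlsplit(callback).query)["code"][0]
    return srv.token(client_id, code, client_secret, redirect_uri)


def intercepted_code(srv, client_id, redirect_uri, user):
    """Models a code seen in transit (e.g. in a proxy log) without the secret."""
    callback = srv.authorize(client_id, "code", redirect_uri, user)
    return parse_qs(urlsplit(callback).query)["code"][0]


def user_agent_flow(srv, client_id, redirect_uri, user):
    """One call: the token arrives in the redirect URL fragment."""
    callback = srv.authorize(client_id, "token", redirect_uri, user)
    frag = parse_qs(urlsplit(callback).fragment)
    return frag["access_token"][0], int(frag["expires_in"][0]), callback


if __name__ == "__main__":
    srv = AuthServer(ua_token_ttl=300)
    srv.register("ws-app", "https://server.example/cb", client_secret="s3cr3t")
    srv.register("ua-app", "https://app.example/cb")
    print("WS token valid:", srv.validate(web_server_flow(srv, "ws-app", "s3cr3t", "https://server.example/cb", "alice")))
    code = intercepted_code(srv, "ws-app", "https://server.example/cb", "alice")
    print("code without secret ->", srv.token("ws-app", code, None, "https://server.example/cb"))
    tok, ttl, url = user_agent_flow(srv, "ua-app", "https://app.example/cb", "bob")
    print("UA redirect exposes token:", tok in url, "ttl:", ttl)
```

The two things worth checking in a real deployment follow directly from this model: a leaked authorization code is inert without the consumer secret and is consumed on first use, and a user-agent token appears in the redirect URL (and therefore in browser history and any logging of that URL), which is why the second answer notes its short life span.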