What is a good OAuth 2.0 workflow to use to secure access to an externally hosted web API using Salesforce Identity, such that all requests to the web API can be guarded against unauthorised access?
I originally thought a user would generate an OAuth access token by communicating directly with the authentication endpoint, then pass that token to the external web API with each request they make, where it would be validated by the web API before performing the work.
However, there doesn't appear to be a "validate access token" request on the Salesforce authentication endpoint that the web API could use to validate access tokens. I can't see any authentication flows specific to this use case in the Salesforce documentation, so I assume I am misunderstanding something.
Why don't you just call something in SF? If the access token you got is invalid (session expired, admin killed the session in Setup -> Session Management, etc.) it'll fail. Call the id resource from the successful login (see https://salesforce.stackexchange.com/q/11728/799), or run a query on the User object, or the /limits resource... anything? It might be overkill (really, validate on every request?), and it might fail when the user is not marked "API Enabled" in SF. And every time you call it, it'll reset the session timeout counter.
Maybe ask on salesforce.stackexchange.com too.
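The approach proposed in the comment above, as an added example (editor's code, not from the poster or from Salesforce): the web API treats Salesforce as the token introspection service by making one authenticated call to a resource the token must be able to read, and rejects the request if that call fails. The probe here is the `/limits` resource named in the comment; the instance URL and API version are hypothetical placeholders, and the API is assumed to serve a single org so the operator can configure one probe URL (never let the client supply it, or the check becomes an SSRF vector). The short positive-result cache is the editor's design choice to answer the "validate on every request?" concern; it is not in the original comment, and it means a token killed by an admin keeps working for at most `CACHE_TTL_SECONDS`. `FakeSalesforce` is a constructed stand-in so the example runs offline; the real transport is `http_probe`.

```python
"""Guard an external web API with Salesforce-issued OAuth access tokens by
probing a Salesforce resource that requires the token. Editor's example
code; the org, instance URL and API version below are hypothetical."""
import json
import time
import urllib.error
import urllib.request

# Hypothetical deployment values (assumptions, not from the post).
INSTANCE_URL = "https://example.my.salesforce.com"
PROBE_URL = INSTANCE_URL + "/services/data/v50.0/limits"   # the /limits resource
CACHE_TTL_SECONDS = 60   # trust a positive probe this long before re-checking


def http_probe(url, access_token):
    """Real transport: GET the probe URL with the bearer token, return (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


class SalesforceTokenGuard:
    """Accepts a request only if Salesforce still honours its bearer token."""

    def __init__(self, probe_url=PROBE_URL, transport=http_probe,
                 ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.probe_url = probe_url
        self.transport = transport
        self.ttl = ttl
        self.clock = clock
        self._cache = {}   # token -> monotonic time until which a positive probe is trusted

    def authorize(self, headers):
        """Return True if the Authorization header carries a token Salesforce accepts."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return False          # no credential at all: reject without calling SF
        now = self.clock()
        expiry = self._cache.get(token)
        if expiry is not None and expiry > now:
            return True           # recently validated; skip the round trip
        status, body = self.transport(self.probe_url, token)
        if status != 200:
            self._cache.pop(token, None)   # expired/revoked session: forget any stale entry
            return False
        try:
            json.loads(body)      # a 200 with a non-JSON body (e.g. an HTML page) is not a REST success
        except ValueError:
            return False
        self._cache[token] = now + self.ttl
        return True


class FakeSalesforce:
    """Constructed stand-in for the org: knows which tokens are live sessions.
    Mimics the REST API's 401 INVALID_SESSION_ID response for dead tokens."""

    def __init__(self, live_tokens):
        self.live = set(live_tokens)
        self.calls = 0

    def __call__(self, url, token):
        self.calls += 1
        if token in self.live:
            return 200, json.dumps({"DailyApiRequests": {"Max": 15000, "Remaining": 14999}})
        return 401, json.dumps([{"errorCode": "INVALID_SESSION_ID",
                                 "message": "Session expired or invalid"}])


def demo():
    """Walk through the accept, cache, reject and revocation cases; returns (results, probe_calls)."""
    sf = FakeSalesforce({"00Dxx_good"})          # constructed live token
    now = [0.0]
    guard = SalesforceTokenGuard(transport=sf, ttl=60, clock=lambda: now[0])
    good = {"Authorization": "Bearer 00Dxx_good"}
    results = [
        guard.authorize(good),                              # probe -> True
        guard.authorize(good),                              # cached -> True, no probe
        guard.authorize({"Authorization": "Bearer forged"}),  # probe -> False
        guard.authorize({}),                                # no header -> False, no probe
    ]
    sf.live.discard("00Dxx_good")                 # admin kills the session in Setup
    results.append(guard.authorize(good))         # still cached -> True (the TTL caveat)
    now[0] = 61.0                                 # cache entry has expired
    results.append(guard.authorize(good))         # re-probe -> False
    return results, sf.calls


if __name__ == "__main__":
    print(demo())
```

Every probe still counts against the org's API request limits and, as the comment notes, resets the session timeout counter, so keep the TTL short enough that revocation takes effect quickly but long enough that a chatty client does not turn every API call into a Salesforce call.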