Deep Dive into OAuth for Connected Apps
date post
08-Feb-2017Category
Technology
view
253download
15
Embed Size (px)
Transcript of Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
Hargobind Singh Senior Manager hargobind.singh@capgemini.com @hargobindsingh
Hargobind Singh Senior Manager, Capgemini
About oAuth
Implementation Scenarios
Demo
Wrap Up
Overview
About oAuth
The OAuth specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs
Benefits :
- Security
- Maintenance
- Ease of Use
Why OAuth ?
App
Access App
Authenticate
Authorize
OAuth allows aclientapplication restricted access to your data at aresource servervia tokens issued by anauthorization serverin response to yourauthorization.
Token Types: Authorization Code
short-lived token created by the authorization server and passed to the client application via the browser.
Access Token
The access token is used by the client to make authenticated requests on behalf of the end user.
Refresh Token
The refresh token may have an indefinite lifetime
oAuth
Implementation Scenarios
Web Server Flow
Most web apps would use a web-server flow to obtain a token on behalf of the end-user
Authenticate, Authorize Client
Parameter Description
response_type Must be set to code to request an authorization code.
client_id Your application's client identifier (consumer key in Connected App Detail).
redirect_uri The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL.
Token Response Parameter Description
code The value returned by the authorization server in the previous step.
grant_type Set this to authorization_code.
client_id Your application's client identifier.
client_secret Your application's client secret (consumer secret in the connected app detail page).
redirect_uri Again, this must match your application's configuration.
Web Server Flow: Response
Parameter Description
id A URL, representing the authenticated user, which can be used to access the Identity Service.
instance_url Identifies the Salesforce instance
refresh_token A long-lived token that may be used to obtain a fresh access token
access_token The short-lived access token.
Web Server Flow - Response
Sample Response
User Agent Flow
The user agent flow allows client applications running on users browser to obtain an access token
Request Token
Parameter Description
response_type Value can be token, or token id_token with the scope parameter openid and a nonce parameter
client_id Your application's client identifier (consumer key in Connected App Detail).
redirect_uri The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL.
User Agent Flow: Response
Parameter Description
id A URL, representing the authenticated user, which can be used to access the Identity Service.
instance_url Identifies the Salesforce instance
refresh_token A long-lived token that may be used to obtain a fresh access token
access_token The short-lived access token.
Token Refresh
Once the lifetime of a token expires, the client application can use the refresh token to obtain a new access token
Request Token
Parameter Description
grant_type Set this to refresh_token.
client_id Your application's client identifier.
client_secret Your application's client secret (optional).
refresh_token The refresh token provided in the previous authorization.
Token Refresh: Response
Parameter Description
id A URL, representing the authenticated user, which can be used to access the Identity Service.
instance_url Identifies the Salesforce instance
refresh_token A long-lived token that may be used to obtain a fresh access token
access_token The short-lived access token.
Demo
Demo
Connected App
Web Server Flow: Send request to get token
Send token to get Access Token
Use Access Token to query data
Wrap Up
Wrap Up
What we covered: oAuth Basics
oAuth Implementation Flows
Demo
More Info: Salesforce oAuth Documentation
Questions
Hargobind Singh
@hargobindsingh
Thank you
Recommended