OAuth for Non Developers in Salesforce



OAuth Basics For Dummies: Why Every Salesforce User Should Care (Not Just For Geeks)


Peter Chittum, Developer Evangelist, @pchittum

Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include but are not limited to risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter.

These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Everything we show today will be current product, but this is a reminder to please make your purchasing decisions based on the product we have today, not on any forward-looking statements we may make.

OAuth. Trust. Identity.

OAuth is fundamental to what we do at salesforce.com, the services we offer, and the trust that our customers expect of us.

Say It Like a Pro

O (as in go), Auth (as in Goth)

In French? O (as in go), Auth (as in goat)

Check Other Local Pronunciation

Slide for fun. Fun sometimes helps people remember, but this is optional.

Really Though, What the Heck is OAuth?

Open Security Protocol: http://oauth.net/

Mitigate the security risk of a client-stored password

There is a lot of information out there on OAuth. The community and protocol are maintained at the URL above (oauth.net).

Client-stored passwords are dangerous. I'll make that point in a couple of slides.

We Use OAuth Every Day

I created this slide to help people understand that OAuth is being used every day, all the time, to help people establish secure connections between accounts.

Animation script: You want to connect two applications like Meetup and Facebook. On Meetup.com's site you visit your user profile social media settings. You click the tickbox next to Facebook to establish a connection to Facebook from Meetup, and you are presented the login page from facebook.com. Notice the URL is now coming from facebook.com, meaning you are not providing your credentials to Meetup, but rather to Facebook. Once Facebook establishes your identity you are given a screen to confirm you want to allow Meetup to access your Facebook information. Meetup updates with your information, presenting you with an option to revoke access at some point in the future.

Imagine Life Without OAuth

[email protected]
$uperSecurePassw0rd

Chatty wants to access salesforce from his mobile device. He connects to his non-OAuth secured mobile application. He enters his very secure user id and password. It gets stored on the device. He can now access salesforce. But what happens when his password expires? He can't access salesforce anymore. Or worse, he loses his phone. Now someone who finds his phone might not only access salesforce, but if the person finding the phone can compromise the user id and password, they might gain access to other critical business systems. Now Chatty is unhappy.

Identity as a Token

Access Token / Refresh Token

OAuth takes the credentials off the phone. Now Chatty is accessing salesforce using his OAuth enabled app like Salesforce1. Chatty accesses the app. A request to salesforce occurs to sign on. Salesforce serves up its authentication page to the app (think the Facebook example). The user provides a user id and password to salesforce and, if authenticated, salesforce delivers two tokens to the mobile app. These tokens are referred to as an access token and a refresh token.

Note that the tokens would need to be stored in a secure, encrypted location on the device for this to be secure, but this is the typical pattern.

Token? A Set of Characters

Sometimes referred to as a hash, e.g. 200911381f7899d2482ab61fe8d15684469b17fc690b6a114a72b1e9d432e808

A randomly generated set of characters, produced by an encryption algorithm from another set of characters (usually referred to as a key)

Secure, unique to user

The word token can sometimes confuse people.

Maybe this slide helps, maybe it doesn't.

Access Token: We use the salesforce Session Id

Now Chatty is using tokens. The access token is short lived and directly linked to the user session. When he tries to access the app, the stored access token will be used to verify his identity. In lieu of the user id and password, the token grants him access. At some point the session will expire. In this case the access token will be invalid.

Refresh Token: Get new Session Id

When the access token is invalid, a different process occurs. Chatty attempts access to Salesforce1. Given the access token is invalid, the refresh token is used. If verified, the refresh token will generate a new user session and access token, serving the access token back to be securely stored on the mobile device.

User Control Over OAuth: My Settings > Personal > Connections

Users have control over their OAuth tokens! Every user should learn how to control which connected apps will get to access their salesforce.com account.
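The token pattern from the last four slides (sign in on the server's own page, short-lived access token tied to a session, refresh token to get a new session, user revocation of the connection), as an added example that is not part of the original deck or of any Salesforce code. The server, the user store, the token format (64 hex characters, as on the Token slide) and the explicit `now` clock are all constructed for the demo.

```python
import secrets

# Constructed demo of the slides' token pattern: the user signs in on the server's
# own page, the app gets an access token (a short-lived session) plus a refresh
# token, and the user can revoke the refresh token. Time is passed explicitly.
class AuthServer:
    def __init__(self, users, access_ttl):
        self.users = users            # constructed {username: password} store
        self.access_ttl = access_ttl  # session lifetime in seconds
        self.sessions = {}            # access token -> (user, expiry)
        self.refresh_tokens = {}      # refresh token -> user

    def _new_session(self, user, now):
        token = secrets.token_hex(32)  # random, unique per issue
        self.sessions[token] = (user, now + self.access_ttl)
        return token

    def login(self, username, password, now):
        # Credentials are checked here, by the server, never by the app.
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        refresh = secrets.token_hex(32)
        self.refresh_tokens[refresh] = username
        return self._new_session(username, now), refresh

    def verify(self, access_token, now):
        entry = self.sessions.get(access_token)
        if entry is None or now >= entry[1]:
            self.sessions.pop(access_token, None)  # expired session is dropped
            return None
        return entry[0]

    def refresh(self, refresh_token, now):
        user = self.refresh_tokens.get(refresh_token)
        return None if user is None else self._new_session(user, now)

    def revoke(self, refresh_token):
        self.refresh_tokens.pop(refresh_token, None)  # user-initiated revocation

class MobileApp:
    def __init__(self, server):
        self.server, self.access, self.refresh = server, None, None

    def connect(self, username, password, now):
        # Only the two tokens are kept on the device; the password is not stored.
        self.access, self.refresh = self.server.login(username, password, now)

    def fetch(self, now):
        # Use the access token; if the session expired, trade the refresh token
        # for a new session. Returns the signed-in user, or None once revoked.
        user = self.server.verify(self.access, now)
        if user is None and self.refresh is not None:
            self.access = self.server.refresh(self.refresh, now)
            user = self.server.verify(self.access, now)
        return user
```

Once the user revokes the connection, the app keeps working only until its current session expires, which is exactly the behaviour the Connections page gives users.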

Admin Control Over OAuth

Setup > Users > Manage Users: OAuth Connected Applications

Setup > Administer > Connected Apps: Authorize or restrict access to OAuth Apps

Setup > Administer > Connected Apps OAuth Usage: What apps are connecting to your org?

Admins have control over their orgs. Admins can: control the OAuth tokens of their users; restrict or authorize use of OAuth enabled applications, using Profiles and Permission Sets; audit which OAuth apps are already connecting to their salesforce org.

Q&A

Salesforce Developer Events

ELEVATE London, 21 March - This FRIDAY!!! http://bit.ly/ELEVATELon14

Thank You!