What is OAuth in salesforce?

  • Deepak

    Member
    September 25, 2019 at 7:47 am

    When users request Salesforce data from within the external app (the consumer’s page), Salesforce authenticates the user. The authentication flow consists of several steps, dictated by the OAuth standard and who is trying to access Salesforce.

    Digging Deeper into OAuth 2.0 in Salesforce
    OAuth (Open Authorization) is an open protocol that provides secure API authorization from applications in a simple and standardized way. OAuth can authorize access to resources without revealing user credentials to apps. Apps that use OAuth can also directly authenticate and access Salesforce resources without a user’s presence.
    OAuth 1.0.A Authentication Flow
    OAuth 1.0.A has a single authentication flow. The diagram displays the authentication flow steps for OAuth 1.0.A.
    OAuth 1.0.A Error Codes
    On error, Salesforce returns an error code during the OAuth 1.0.A authentication flow.
    OAuth 2.0 SAML Bearer Assertion Flow
    The OAuth 2.0 SAML bearer assertion flow defines how a SAML assertion is used to request an OAuth access token when a client wants to use a previous authorization. Authentication of the authorized app is provided by the digital signature applied to the SAML assertion. A SAML assertion is an XML security token issued by an identity provider and consumed by a service provider. The service provider relies on its content to identify the assertion’s subject for security-related purposes.
    OAuth 2.0 JWT Bearer Token Flow
    In some cases, you want to authenticate servers without interactively logging in each time the servers exchange information. For these cases, you can use the OAuth 2.0 JSON Web Token (JWT) bearer flow. This flow requires prior authentication of the client app.
    OAuth 2.0 Refresh Token Flow
    The OAuth 2.0 refresh token flow renews tokens issued by the web server or user-agent flows.
    OAuth 2.0 Web Server Authentication Flow
    Apps that are hosted on a secure server use the web server authentication flow. A critical aspect of the web server flow is that the server must be able to protect the consumer secret. You can use code challenges and verifier values in the flow to prevent authorization code interception.
    OAuth 2.0 Username-Password Flow
    Use the username-password authentication flow to authenticate when the consumer already has the user’s credentials.
    OAuth 2.0 User-Agent Flow
    With the OAuth 2.0 user-agent authentication flow, users authorize your desktop or mobile app to access their data. Client apps that run on a device or in a browser use this flow to obtain an access token.
    OAuth 2.0 Device Authentication Flow
    The OAuth 2.0 device authentication flow is typically used by applications on devices with limited input or display capabilities, such as TVs, appliances, or command-line applications. Users can connect these client applications to Salesforce by accessing a browser on a separate device that has more developed input capabilities, such as a desktop computer or smartphone.
    OAuth 2.0 Asset Token Flow
    Client applications use the OAuth 2.0 asset token flow to request an asset token from Salesforce for connected devices. In this flow, an OAuth access token and an actor token are exchanged for an asset token. This flow combines asset token issuance and asset registration for efficient token exchange and automatic linking of devices to Service Cloud Asset data.
    SAML Assertion Flow
    The SAML assertion flow is an alternative for orgs that are currently using SAML to access Salesforce and want to access the web services API the same way. You can use the SAML assertion flow only inside a single org. You don’t have to create a connected app to use this assertion flow. Clients can use this assertion flow to federate with the API using a SAML assertion, the same way they federate with Salesforce for web single sign-on.
    Scope Parameter Values
    The scope parameter fine-tunes the permissions associated with the tokens that you’re requesting. Scope is a subset of values that you specified when defining the connected app.
    OAuth Custom Scopes
    A connected app can use the OAuth authorization protocol to access protected resources. As part of the protocol, OAuth default scopes fine-tune the app’s permissions to access protected resources in Salesforce. However, these default scopes are insufficient when an external entity is hosting the protected resource. In this scenario, Salesforce plays the role of OAuth authentication and authorization provider, but it has little knowledge about the resource it’s protecting. To define a connected app’s permissions to access protected resources hosted by an external entity, create an OAuth custom scope. The custom scope tells the external entity which information the connected app is authorized to access.
    Revoke OAuth Tokens
    Revoke an OAuth token if you don’t want the client app to access Salesforce data or if you don’t trust the client app to discontinue access on its own.
    Use the Access Token
    You can use the access token in either the HTTP Authorization header (REST API or Identity URL) or the SessionHeader SOAP authentication header (SOAP API).
    Get and Verify an ID Token
    The ID token is a signed data structure that contains authenticated user attributes, including a unique identifier for the user and when the token was issued. It also identifies the requesting client app. The ID token is defined by OpenID Connect.
    Identity URLs
    An identity URL uniquely identifies the current Salesforce user. You can also use it in an HTTP request to get more information about the user.
    UserInfo Endpoint
    OpenID Connect defines the UserInfo endpoint to get a user’s profile information.
    Prepare for Dynamic Client Registration
    Before you can automatically register OAuth 2.0 connected apps with Salesforce using the dynamic client registration endpoint, you must complete the following prerequisites.
    Generate an Initial Access Token
    OpenID Connect dynamic client registration lets OAuth 2.0 clients (connected apps) automatically register child connected apps with Salesforce. To authenticate these client registration requests, Salesforce requires an initial access token.
    OpenID Connect Dynamic Client Registration Endpoint
    OpenID Connect dynamic client registration lets OAuth clients automatically register OAuth 2.0 connected apps with Salesforce. For example, Mulesoft (an OAuth client) can send a request to the dynamic client endpoint to register a new child OAuth 2.0 connected client app with Salesforce. With a successful registration, Salesforce returns a new client identifier and metadata about the newly registered child OAuth 2.0 connected client app.
    OpenID Connect Token Introspection Endpoint
    OpenID Connect token introspection enables OAuth 2.0 connected client apps to check the current state of an OAuth 2.0 access or refresh token.
    OpenID Connect Discovery Endpoint
    Use the OpenID Connect discovery endpoint to query for information about the Salesforce OpenID Connect configuration.
    Authentication Configuration Endpoint
    The authentication configuration endpoint is a static page that you can use to query for information about an org’s SAML for single sign-on and authentication provider settings. No session is required. It’s available only for Salesforce communities or orgs with My Domains. Use this URL when you’re developing apps that need this information on deman

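The web server flow with a code challenge and verifier that the post mentions, worked through as an added example (not part of the original post and not Salesforce's own code). It uses only the Python standard library. The authorize and token endpoints are the standard login.salesforce.com ones; the consumer key, the callback URL and the callback query string are constructed placeholders. The example shows what protects the flow: the S256 challenge means an intercepted authorization code cannot be redeemed without the verifier the server kept, and the state check ties the callback to the session that started it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example: a hypothetical connected app and callback.
CLIENT_ID = "3MVG9EXAMPLE_CONSUMER_KEY"            # hypothetical consumer key
REDIRECT_URI = "https://app.example.com/oauth/callback"  # hypothetical callback URL
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(verifier))). Only the challenge leaves the server.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Step 1: redirect the browser here. Keep verifier and state in the user's session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "api refresh_token",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str, verifier: str) -> dict:
    """Step 2: parse the redirect back from Salesforce and build the token request body.

    The constant-time state comparison rejects callbacks that did not originate
    from this session (CSRF / session mix-up). The verifier proves to Salesforce
    that this client created the challenge, so a code captured in transit cannot
    be exchanged by anyone else.
    """
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise RuntimeError("state mismatch: possible CSRF or mixed-up session")
    if "code" not in q:
        raise RuntimeError("callback carried no authorization code")
    # POST this form body to TOKEN_URL from the server. Add client_secret as well
    # if the connected app is configured to require the secret for the web server flow.
    return {
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier, state = make_code_verifier(), secrets.token_urlsafe(16)
    print("redirect user to:", build_authorize_url(verifier, state))
    # Constructed callback, as the browser would deliver it after the user consents.
    fake_callback = f"{REDIRECT_URI}?code=aPrxCONSTRUCTED&state={state}"
    print("token request body:", handle_callback(fake_callback, state, verifier))
```

The `make_code_challenge` function reproduces the RFC 7636 Appendix B test vector, which is a quick way to confirm a PKCE implementation before pointing it at a real org.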

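The JWT bearer token flow the post describes (server-to-server, no interactive login), worked through as an added example that is not part of the original post and not Salesforce's own code. It assumes the `cryptography` package is installed and generates a throwaway RSA key inline; in practice the private key belongs to the certificate uploaded to the connected app, and the consumer key, username and audience below are constructed placeholders. The assertion's claims (iss = consumer key, sub = username, aud = login host, exp = expiry) follow the Salesforce JWT bearer flow, and the grant type is the standard `urn:ietf:params:oauth:grant-type:jwt-bearer`. A `verify_assertion` function mirrors the checks the authorization server performs, so the example also shows why a pinned algorithm, an audience check and a short expiry matter.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_demo_key():
    # Throwaway key for the example only; the real key is the one whose
    # certificate is uploaded to the connected app.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_assertion(private_key, client_id, username, audience, lifetime=120, now=None):
    """RS256-signed JWT in the shape the Salesforce JWT bearer flow expects.

    iss: connected app consumer key; sub: Salesforce username to act as;
    aud: https://login.salesforce.com (or https://test.salesforce.com for
    sandboxes); exp: a short expiry, since Salesforce rejects assertions whose
    expiry is too far in the future.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": username, "aud": audience, "exp": now + lifetime}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{b64url(sig)}"


def token_request_body(assertion: str) -> dict:
    # POST this form body to TOKEN_URL; the response carries the access token.
    return {"grant_type": JWT_BEARER, "assertion": assertion}


def verify_assertion(assertion: str, public_key, expected_aud: str, now=None) -> dict:
    """The checks the authorization server side performs. Returns claims or raises ValueError."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # never let the token choose 'none' or HS256
    try:
        public_key.verify(b64url_decode(s), f"{h}.{p}".encode("ascii"),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


if __name__ == "__main__":
    key = generate_demo_key()
    # Constructed placeholders for the connected app and the integration user.
    jwt = build_assertion(key, "3MVG9EXAMPLE_CONSUMER_KEY",
                          "integration@example.com", "https://login.salesforce.com")
    print("token request body:", token_request_body(jwt))
    print("server-side view:", verify_assertion(jwt, key.public_key(), "https://login.salesforce.com"))
```

Before this flow works against a real org the integration user must be pre-authorized for the connected app (the "prior authentication of the client app" the post refers to); Salesforce will otherwise return an error even for a correctly signed assertion.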