Deep Dive into OAuth for Connected Apps


Posted on 08-Feb-2017


  • Deep Dive into OAuth for Connected Apps

    Hargobind Singh, Senior Manager, Capgemini
    hargobind.singh@capgemini.com
    @hargobindsingh

  • Overview

    About OAuth

    Implementation Scenarios

    Demo

    Wrap Up

  • About OAuth

  • The OAuth specification defines a delegation protocol for conveying authorization decisions across a network of web-enabled applications and APIs.

    Benefits:

    - Security: the user's password is never given to the client application; the client receives a scoped, revocable token instead

    - Maintenance

    - Ease of Use

  • Why OAuth?

    (Diagram: the user accesses the App, authenticates with the authorization server, and authorizes the App to act on their behalf)

  • OAuth allows a client application restricted access to your data at a resource server via tokens issued by an authorization server in response to your authorization.

    Token Types:

    Authorization Code: a short-lived, single-use code created by the authorization server and passed to the client application via the browser; the client exchanges it for an access token.

    Access Token: used by the client to make authenticated requests to the resource server on behalf of the end user.

    Refresh Token: may have an indefinite lifetime. It is used to obtain a new access token when the current one expires, so it must be stored as carefully as a password: whoever holds it can mint access tokens until it is revoked.

  • Implementation Scenarios

  • Web Server Flow

    Most web apps use the web server flow: the browser only ever carries an authorization code, and the app's server exchanges that code for tokens, so the client secret and the tokens never pass through the browser.

  • Authenticate, Authorize Client (authorization request)

    Parameter       Description
    response_type   Must be set to code to request an authorization code.
    client_id       Your application's client identifier (consumer key in the Connected App detail).
    redirect_uri    The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL.

  • Exchange the Code for Tokens (token request, sent server-side)

    Parameter       Description
    code            The value returned by the authorization server in the previous step.
    grant_type      Set this to authorization_code.
    client_id       Your application's client identifier.
    client_secret   Your application's client secret (consumer secret in the Connected App detail page).
    redirect_uri    Again, this must match your application's configuration.

  • Web Server Flow: Response

    Parameter       Description
    id              A URL representing the authenticated user, which can be used to access the Identity Service.
    instance_url    Identifies the Salesforce instance to send API requests to.
    refresh_token   A long-lived token that may be used to obtain a fresh access token.
    access_token    The short-lived access token.

  • Web Server Flow - Response

    Sample Response
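The three steps above (authorization request, callback, code exchange), carried through offline as an added example that is not code from the deck. The login host, the /services/oauth2/authorize and /services/oauth2/token paths and the callback URL are assumptions for the demo, the consumer key and secret are placeholders, and the token response is a constructed one in the shape of the table above, not real data. The state and PKCE (code_challenge / code_verifier) parameters are not in the deck's tables; they are the standard hardening a practitioner adds so that a callback cannot be forged or replayed into the app.

```python
"""Salesforce web server (authorization code) flow, modelled offline."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"               # assumed login host
CLIENT_ID = "CONSUMER_KEY"                                # placeholder consumer key
CLIENT_SECRET = "CONSUMER_SECRET"                         # placeholder consumer secret
REDIRECT_URI = "https://app.example.com/oauth/callback"  # assumed callback URL


def new_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state, code_challenge):
    """Step 1: the URL the end user's browser is sent to (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,                     # tied to the user's session, checked on return
        "code_challenge": code_challenge,   # PKCE: binds the code to this client instance
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the redirect back to us.

    The callback is rejected unless state matches the value we issued; this is
    what stops an attacker injecting a code bound to *their* account (login CSRF).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return query["code"][0]


def build_token_request(code, code_verifier):
    """Step 3: form body POSTed from the server (never the browser) to /services/oauth2/token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,    # must equal the value used in step 1
        "code_verifier": code_verifier,  # proves we are the client that started the flow
    }


def parse_token_response(body):
    """Step 4: keep only the fields the response table lists; surface errors loudly."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint error: {data.get('error')}: {data.get('error_description')}")
    return {k: data[k] for k in ("id", "instance_url", "refresh_token", "access_token") if k in data}


def run_demo():
    """Drive the four steps against constructed (fake) server responses."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = new_pkce_pair()
    authorize_url = build_authorize_url(state, challenge)

    # Constructed callback, as the authorization server would redirect the browser.
    callback = f"{REDIRECT_URI}?code=fake-auth-code&state={state}"
    code = parse_callback(callback, state)
    token_request = build_token_request(code, verifier)

    # Constructed token response in the shape of the deck's response table (not real data).
    fake_response = json.dumps({
        "id": "https://login.salesforce.com/id/ORGID/USERID",
        "instance_url": "https://na1.salesforce.com",
        "refresh_token": "fake-refresh-token",
        "access_token": "fake-access-token",
        "token_type": "Bearer",
    })
    return authorize_url, token_request, parse_token_response(fake_response)
```

Note that the code exchange and the client secret live entirely in `build_token_request`, which runs on the app's server; the browser only sees the authorization URL and the callback, and a callback whose state does not match is dropped before any code is exchanged.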

  • User Agent Flow

    The user agent flow allows client applications running in the user's browser to obtain an access token directly: the token is returned in the URL fragment of the redirect, so there is no server-side code exchange and no client secret is involved.

  • Request Token

    Parameter       Description
    response_type   Value can be token, or token id_token together with the scope parameter openid and a nonce parameter.
    client_id       Your application's client identifier (consumer key in the Connected App detail).
    redirect_uri    The end user's browser will be redirected to this URI with the access token in the URL fragment. This must match your application's configured callback URL.

  • User Agent Flow: Response (returned in the URL fragment)

    Parameter       Description
    id              A URL representing the authenticated user, which can be used to access the Identity Service.
    instance_url    Identifies the Salesforce instance to send API requests to.
    refresh_token   A long-lived token that may be used to obtain a fresh access token.
    access_token    The short-lived access token.
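The user agent request and the fragment-carried response, as an added example that is not part of the deck. In a real deployment the fragment is parsed by script in the browser, since the fragment is never sent to any server; it is written in Python here only so the checks can be exercised offline. The login host and callback URL are assumptions and the consumer key is a placeholder.

```python
"""Salesforce user-agent (implicit) flow: tokens come back in the URL fragment."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"           # assumed login host
CLIENT_ID = "CONSUMER_KEY"                            # placeholder consumer key
REDIRECT_URI = "https://app.example.com/ua-callback"  # assumed callback URL


def build_user_agent_url(state, nonce=None):
    """response_type=token, or 'token id_token' with scope openid plus a nonce."""
    params = {
        "response_type": "token id_token" if nonce else "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,  # not in the deck's table; verified on the way back
    }
    if nonce:
        params["scope"] = "openid"
        params["nonce"] = nonce  # must reappear in the id_token's nonce claim
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def parse_user_agent_callback(callback_url, expected_state):
    """Pull the tokens out of the fragment and verify our state.

    The token must arrive in the fragment (#...), never in the query string:
    a query-string token would be written to server and proxy logs, so a
    callback that carries one is treated as a misconfiguration and refused.
    """
    parsed = urlparse(callback_url)
    if "access_token" in parse_qs(parsed.query):
        raise ValueError("access_token in query string: refusing to use a leaked token")
    frag = parse_qs(parsed.fragment)
    if "error" in frag:
        raise PermissionError(f"authorization denied: {frag['error'][0]}")
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return {k: frag[k][0] for k in ("id", "instance_url", "refresh_token", "access_token") if k in frag}


def run_demo():
    """Constructed round trip: build the request, then parse a fake fragment response."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_user_agent_url(state, nonce)
    # Constructed redirect, as the authorization server would send it back to the browser.
    fake_callback = (f"{REDIRECT_URI}#access_token=fake-access-token"
                     f"&instance_url=https%3A%2F%2Fna1.salesforce.com&state={state}")
    return url, parse_user_agent_callback(fake_callback, state)
```

Because nothing server-side ever sees the access token in this flow, the browser script that extracts it is also the only place the state check can happen; an id_token obtained this way must additionally have its signature and nonce claim verified before any identity claim in it is trusted.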

  • Token Refresh

    Once the access token expires, the client application can use the refresh token to obtain a new access token without sending the user back through the authorization step.

  • Refresh Request

    Parameter       Description
    grant_type      Set this to refresh_token.
    client_id       Your application's client identifier.
    client_secret   Your application's client secret (optional, depending on the connected app's configuration).
    refresh_token   The refresh token provided in the previous authorization.

  • Token Refresh: Response

    Parameter       Description
    id              A URL representing the authenticated user, which can be used to access the Identity Service.
    instance_url    Identifies the Salesforce instance to send API requests to.
    refresh_token   A long-lived token that may be used to obtain a fresh access token.
    access_token    The short-lived access token.
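The refresh exchange above wired into an API client that refreshes on expiry, as an added example that is not the deck's code. The token endpoint path, the use of a 401 response to signal an expired access token, the invalid_grant error for a revoked refresh token and the query path are assumptions for this demo; transport is injected so the logic runs against the constructed fake server at the bottom rather than a real Salesforce org.

```python
"""Refresh an expired access token with the refresh token, modelled offline."""
import json

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"  # assumed token endpoint


class SalesforceSession:
    """Holds tokens from the web server or user agent flow and refreshes them on demand."""

    def __init__(self, tokens, client_id, client_secret=None, http_post=None, http_get=None):
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]
        self.instance_url = tokens["instance_url"]
        self.client_id = client_id
        self.client_secret = client_secret  # optional: only sent if the connected app requires it
        self._post, self._get = http_post, http_get
        self.refreshes = 0

    def refresh(self):
        """grant_type=refresh_token exchange; replaces the short-lived access token."""
        body = {"grant_type": "refresh_token", "client_id": self.client_id,
                "refresh_token": self.refresh_token}
        if self.client_secret:
            body["client_secret"] = self.client_secret
        status, payload = self._post(TOKEN_URL, body)
        data = json.loads(payload)
        if status != 200 or "access_token" not in data:
            # invalid_grant: the refresh token was revoked or expired by policy. The only
            # recovery is to send the user through the authorization flow again.
            raise PermissionError(f"refresh failed: {data.get('error')} {data.get('error_description', '')}".strip())
        self.access_token = data["access_token"]
        self.instance_url = data.get("instance_url", self.instance_url)
        if "refresh_token" in data:  # the server may rotate it; keep the newest one
            self.refresh_token = data["refresh_token"]
        self.refreshes += 1
        return self.access_token

    def get(self, path):
        """Call the API; on a 401 (expired access token) refresh once and retry."""
        status, payload = None, None
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self.access_token}"}
            status, payload = self._get(self.instance_url + path, headers)
            if status != 401:
                break
            if attempt == 0:
                self.refresh()
        return status, payload


class FakeServer:
    """Constructed stand-in for the authorization and resource server (not real Salesforce)."""

    def __init__(self):
        self.revoked = False  # flip to simulate the user revoking the connected app

    def post(self, url, body):
        assert url == TOKEN_URL and body["grant_type"] == "refresh_token"
        if self.revoked or body["refresh_token"] != "fake-refresh-token":
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "expired access/refresh token"})
        return 200, json.dumps({"access_token": "fresh-access-token",
                                "instance_url": "https://na1.salesforce.com",
                                "id": "https://login.salesforce.com/id/ORGID/USERID"})

    def get(self, url, headers):
        token = headers["Authorization"].split(" ", 1)[1]
        if token == "fresh-access-token":
            return 200, json.dumps({"totalSize": 1, "records": [{"Id": "001FAKE"}]})
        return 401, json.dumps([{"errorCode": "INVALID_SESSION_ID"}])


def run_demo():
    """Start with an already-expired access token and let the client recover."""
    server = FakeServer()
    session = SalesforceSession(
        {"access_token": "expired-access-token", "refresh_token": "fake-refresh-token",
         "instance_url": "https://na1.salesforce.com"},
        client_id="CONSUMER_KEY", client_secret="CONSUMER_SECRET",
        http_post=server.post, http_get=server.get)
    status, _ = session.get("/services/data/vXX.X/query?q=SELECT+Id+FROM+Account")  # assumed path
    return session, status
```

The retry is deliberately capped at one refresh per request: a second 401 after a successful refresh means something other than expiry is wrong, and looping on it would hammer the token endpoint. When `refresh` raises because the grant is invalid, the caller must fall back to a fresh authorization, not retry.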

  • Demo

    Connected App

    Web Server Flow: send the authorization request to get an authorization code

    Send the code to the token endpoint to get an access token

    Use the access token to query data

  • Wrap Up

    What we covered: OAuth basics

    OAuth implementation flows

    Demo

    More Info: Salesforce OAuth documentation

  • Questions

    Hargobind Singh

    @hargobindsingh

  • Thank you