Join us and learn about the OAuth authorization flows in Salesforce. In this session we will cover the OAuth Web Server flow and the OAuth JWT Bearer Token flow.
Agenda
- Creating a Connected App and managing Connected App usage
- OAuth Web Server flow (walkthrough with Postman)
- OAuth JWT Bearer Token flow (walkthrough with Postman)
- OAuth JWT Bearer Token flow (Apex code walkthrough to integrate one Salesforce org with another using the JWT Bearer flow)
Connected App
A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. Connected apps use these protocols to authenticate, authorize and provide single sign-on (SSO) for external apps.
OAuth Web Server Flow
The external web service, via the connected app, posts an authorization code request using the authorization code grant type to the Salesforce authorization endpoint. Salesforce authenticates the user, asks them to approve the connected app, and redirects the browser back to the registered callback URL with an authorization code.
With that authorization code, the connected app can prove that the user authorized it and that it has permission to request an access token.
Steps involved in the Web Server Flow
- Authorization request (browser redirect to the authorize endpoint): https://login.salesforce.com/services/oauth2/authorize?client_id=xxx&redirect_uri=https://login.salesforce.com/oauth2/callback&response_type=code
- Token request (POST the returned code with grant_type=authorization_code) to the access token endpoint: https://login.salesforce.com/services/oauth2/token
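The two requests above wired together as an added example in Python (not code from the post or from Salesforce): it builds the authorize URL, checks the callback against a state value (which the URL in the post omits; it binds the returned code to the browser session that started the flow) and assembles the token request body. The client id, client secret, redirect URI and callback query string are constructed placeholders, and nothing is sent over the network.

```python
"""Web Server (authorization code) flow helpers for the two Salesforce
endpoints shown in the post. Added example; values are constructed
placeholders and no request is actually sent."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def build_authorize_url(client_id, redirect_uri, state=None):
    """Return (url, state). The client stores `state` in the user's session
    and compares it on the callback, so a code minted for a different
    session cannot be injected into this one."""
    state = state or secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode percent-encodes it
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to redirect_uri.
    Raises ValueError if Salesforce reported an error, the state does not
    match the stored one, or no code was returned."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF / code injection")
    if "code" not in params:
        raise ValueError("callback carried no code")
    return params["code"][0]


def token_request(code, client_id, client_secret, redirect_uri):
    """(endpoint, form body) for the POST to the token endpoint. redirect_uri
    must be byte-for-byte the one used in the authorize request."""
    return TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
```

The state check is the part Postman does not do for you: when replaying the flow by hand the callback is pasted in manually, but an application must refuse a callback whose state it did not issue.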
OAuth JWT Bearer Token Flow
This flow is used for server-to-server integration scenarios. It uses a certificate to sign the JWT request and doesn't require explicit user interaction. However, it does require prior approval of the client app.
Please note that this flow never issues a refresh token.
JWT Structure
Header - {"alg":"RS256"}
Payload - contains the claims: an object with information about the user and additional data. The claims are set using the parameters iss, aud, sub and exp.
Signature
<base64url(header)>.<base64url(claims)>.<signature (using an algorithm such as RS256)>
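The structure above, together with the signing and checking that the JWT Bearer Token flow relies on, as an added example in Python (not code from the post or from Salesforce). It is stdlib-only, so RS256 (PKCS#1 v1.5 with SHA-256) is implemented by hand over a small throwaway RSA key generated in the block; a real integration signs with the private key behind the certificate uploaded to the connected app. The consumer key, username and the ALLOWED_AUD set are constructed or simplified assumptions.

```python
"""JWT for the OAuth JWT Bearer Token flow: build, sign with RS256, validate.
Added example (not from the post); stdlib-only, so RS256 (PKCS#1 v1.5 with
SHA-256) is hand-rolled over a small throwaway RSA key. A real integration
signs with the private key of the certificate uploaded to the connected app.
Issuer, subject and audience values below are constructed placeholders."""
import base64, hashlib, hmac, json, random, time

_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017
ALLOWED_AUD = {"https://login.salesforce.com", "https://test.salesforce.com"}  # simplified

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo key."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=512):
    """Return (n, e, d). 512 bits keeps the demo fast; never use such a key for real."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v15(msg, k):
    """EM = 00 || 01 || PS (ff bytes) || 00 || DigestInfo, exactly k bytes."""
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, key):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, key):
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def build_assertion(iss, sub, aud, key, lifetime=180, now=None):
    """<base64url(header)>.<base64url(claims)>.<base64url(signature)> carrying
    the four claims the post names: iss (consumer key), sub (username), aud, exp."""
    now = int(time.time()) if now is None else now
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256"}) + "." + enc(
        {"iss": iss, "sub": sub, "aud": aud, "exp": now + lifetime})
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))

def validate_assertion(token, key, expected_iss, now=None):
    """Checks a token endpoint applies before exchanging the assertion for an
    access token. Returns (ok, reason); signature is checked before any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    if json.loads(b64url_decode(parts[0])).get("alg") != "RS256":  # no 'none'/HMAC downgrade
        return False, "alg"
    if not rs256_verify((parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2]), key):
        return False, "signature"
    claims = json.loads(b64url_decode(parts[1]))
    if any(c not in claims for c in ("iss", "sub", "aud", "exp")):
        return False, "missing claim"
    if claims["iss"] != expected_iss:
        return False, "iss"
    if claims["aud"] not in ALLOWED_AUD:
        return False, "aud"
    if not isinstance(claims["exp"], int) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"

KEY = generate_rsa_key()  # constructed throwaway key so the example runs offline
```

validate_assertion mirrors the order a token endpoint has to use: the alg is pinned to RS256 before anything in the token is trusted, the signature is verified over the exact header.claims bytes, and only then are iss, aud and exp examined. The short lifetime limits how long a leaked assertion stays usable, which matters precisely because this flow needs no user interaction.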
Apex Code without Named Credentials
// Build the JWT: sub = username to run as, aud = login endpoint, iss = consumer key of the connected app
Auth.JWT jwt = new Auth.JWT();
jwt.setSub('user@example.com'); // placeholder: the Salesforce username
jwt.setAud('https://login.salesforce.com');
jwt.setIss('connected app client id'); // placeholder: consumer key of the connected app
// Sign the JWT with the certificate stored under Certificate and Key Management
Auth.JWS jws = new Auth.JWS(jwt, 'Certificate keystore name'); // placeholder: unique name of the certificate
String token = jws.getCompactSerialization(); // header.payload.signature, useful for inspection
String tokenEndpoint = 'https://login.salesforce.com/services/oauth2/token';
//POST the JWT bearer token
Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(tokenEndpoint, jws);
//Get the access token
String accessToken = bearer.getAccessToken();
System.debug('Access Token-->' + accessToken);
Apex Code with Named Credentials
// The named credential (JWT_Demo) holds the endpoint and performs the JWT bearer exchange for us
String service_limits = '/services/data/v48.0/sobjects/Account/listviews/';
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:JWT_Demo' + service_limits);
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());
System.debug(res.getStatusCode());
Recording
Date: Sat, Oct 24, 2020, 10:00 AM EST (7:30 PM IST)
Speaker: Debarun Sengupta
Where: Apex Hours YouTube
Some useful commands to convert a .crt (with its private key) into a keystore to store in SFDC
- openssl pkcs12 -export -in server.crt -inkey server.pem -out testkeystore.p12
- keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS
- keytool -keystore servercert.jks -changealias -alias 1 -destalias salesforcetest
If you like this session and blog then please share your feedback.
Hi, all the content is usable, but my scenario to get an access token is different: we need to get the access token under a managed package application class. The connected app will be a part of the managed package; at the time of executing the managed package class we need to generate an access token and use it further. Can you please suggest a better way?
Thank you! It was very helpful!
Glad you like it