OAuth Authorization flows in Salesforce

Join us and learn about OAuth authorization flows in Salesforce. This session covers the OAuth Web Server flow and the OAuth JWT Bearer token flow.


Session Agenda

  • Creating a Connected App and managing Connected App usage
  • OAuth Web Server flow (walkthrough with Postman)
  • OAuth JWT Bearer token flow (walkthrough with Postman)
  • OAuth JWT Bearer token flow (Apex code walkthrough to integrate one Salesforce org with another using the JWT Bearer flow)

Connected App

A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. Connected apps use these protocols to authenticate, authorize, and provide single sign-on (SSO) for external apps.

OAuth Web Server Flow

The external web application, via its connected app, sends the user's browser to the Salesforce authorization endpoint with response_type=code (the authorization code grant). After the user logs in and approves the requested scopes, Salesforce redirects the browser back to the connected app's registered callback URL with a short-lived, single-use authorization code.

With that code, the connected app proves to the token endpoint that it has been authorized and exchanges the code, together with its client_id and client_secret, for an access token (and a refresh token if the refresh_token scope was granted). The exchange is a server-to-server call, so the client secret never reaches the browser.

Steps involved in Web Server Flow

  • Authorization request, sent through the user's browser: https://login.salesforce.com/services/oauth2/authorize?client_id=xxx&redirect_uri=https://login.salesforce.com/oauth2/callback&response_type=code
  • Token request, sent from the server: POST https://login.salesforce.com/services/oauth2/token with grant_type=authorization_code, code, client_id, client_secret and the same redirect_uri as in the authorization request
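The three messages of the Web Server flow, as an added example that is not part of the original session or of Salesforce's own tooling. It builds the authorization URL, validates the callback, and builds the token request body; the HTTP calls themselves are left to whatever client you use (Postman in the session). It goes one step beyond the walkthrough by adding the state parameter and PKCE (code_challenge on the authorization request, code_verifier on the token request), both of which Salesforce accepts for this flow. The consumer key, secret and the callback URL https://example.com/oauth2/callback are placeholders, not values from the page.

```python
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlparse

# Salesforce endpoints from the walkthrough (use https://test.salesforce.com for a sandbox)
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def b64url(data):
    """base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="api refresh_token"):
    """Step 1: the URL the user's browser is sent to (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,       # must match the connected app's callback URL exactly
        "scope": scope,
        "state": state,                     # bound to the browser session; checked on return
        "code_challenge": code_challenge,   # PKCE: SHA-256 of the verifier we keep server-side
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: Salesforce redirects back to redirect_uri with ?code=...&state=...
    Returns the authorization code, or raises if state does not match (the signature
    of a login-CSRF attempt) or Salesforce returned an error instead of a code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise RuntimeError("authorization failed: %s: %s" % (
            query["error"][0], query.get("error_description", [""])[0]))
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    """Step 3: the form body POSTed server-to-server to the token endpoint.
    Only this back-channel call carries the client_secret; the browser never sees it."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,     # must equal the one used in step 1
        "code_verifier": code_verifier,   # proves we are the party that started step 1
    }
    return TOKEN_URL, form


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url("3MVG9_CONSUMER_KEY", "https://example.com/oauth2/callback", state, challenge))
    # Constructed callback, standing in for the redirect Salesforce would send:
    code = parse_callback("https://example.com/oauth2/callback?code=aPrxCODE123&state=" + state, state)
    print(build_token_request(code, "3MVG9_CONSUMER_KEY", "SECRET", "https://example.com/oauth2/callback", verifier))
```

Keep state and code_verifier in the server-side session between steps 1 and 3; the authorization code alone is useless to an attacker who cannot present the matching verifier and secret.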

OAuth JWT Bearer Token Flow

This flow is used for server-to-server integrations. The client builds a JWT, signs it with the private key of a certificate registered on the connected app, and posts it to the token endpoint; no user interaction is needed at run time. The flow does require prior approval of the client app: the user must already have authorized it (for example through an earlier Web Server flow), or the connected app must be set to "Admin approved users are pre-authorized" with the user's profile or permission set granted access.

Please note this flow never issues a refresh token. When the access token expires, the client simply sends a new signed assertion.

JWT Structure

Header: {"alg":"RS256"}

Payload: the claims, a JSON object describing the user and the request. The JWT Bearer flow uses the claims iss (the connected app's consumer key), sub (the Salesforce username), aud (the login endpoint, https://login.salesforce.com, or https://test.salesforce.com for a sandbox) and exp (expiry time as Unix seconds).

Signature: RS256 over the first two segments, produced with the private key whose certificate is uploaded to the connected app.

<base64url(header)>.<base64url(claims)>.<base64url(signature)>
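What the Auth.JWT and Auth.JWS classes do for you, as an added example that is not code from the session or from Salesforce. It builds the header.claims.signature assertion from the claims listed above, signs it with RS256 (RSASSA-PKCS1-v1_5 over SHA-256, written out in plain Python so the steps are visible), and then performs the checks the token endpoint performs on receipt: the alg is the expected one, the signature verifies against the registered certificate's public key, and exp has not passed. The RSA key is generated in-process at a reduced size purely so the demo runs quickly; the key in the keystore you import into Salesforce should be a 2048-bit key from openssl or the platform. The consumer key and username are placeholders. The 180-second lifetime follows the Salesforce documentation, which requires exp to be within three minutes.

```python
import base64
import hashlib
import json
import random
import time

E = 65537
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits=1024):
    """Demo-sized RSA keypair (n, e, d). Assumption for the demo only: a real integration
    uses the 2048-bit key in the keystore uploaded to the connected app."""
    rng = random.SystemRandom()

    def prime(half):
        while True:
            cand = rng.getrandbits(half) | (1 << (half - 1)) | 1
            if (cand - 1) % E != 0 and is_probable_prime(cand):  # e must be invertible mod p-1
                return cand

    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))


def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("key too small for RS256")
    return int.from_bytes(b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t, "big")


def rs256_sign(message, key):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), d, n).to_bytes(k, "big")


def rs256_verify(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n) == _emsa_pkcs1_v15(message, k)


def build_jwt_assertion(iss, sub, aud, key, now=None, lifetime=180):
    """header.claims.signature, the same shape Auth.JWS.getCompactSerialization() returns."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS256"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "exp": now + lifetime}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii"), key))


def verify_jwt_assertion(token, n, e, now=None):
    """The token endpoint's side: fixed algorithm, signature against the registered
    certificate, then exp. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else int(now)
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":  # never let the token choose its alg
        raise ValueError("unexpected alg")
    if not rs256_verify((h + "." + c).encode("ascii"), b64url_decode(s), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


DEMO_KEY = generate_rsa_key()  # stands in for the keystore's private key

if __name__ == "__main__":
    assertion = build_jwt_assertion("3MVG9_CONSUMER_KEY", "[email protected]",
                                    "https://login.salesforce.com", DEMO_KEY)
    print(assertion)
    print(verify_jwt_assertion(assertion, DEMO_KEY[0], DEMO_KEY[1]))
```

The verifier rejects an assertion whose header asks for a different algorithm before it looks at the signature; pinning the algorithm to what the connected app's certificate supports is what stops the classic alg=none and key-confusion tricks against JWT consumers.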

Apex Code without Named Credentials

// Claims: sub = Salesforce username of the integration user, aud = login endpoint
// (https://test.salesforce.com for a sandbox), iss = the connected app's consumer key
Auth.JWT jwt = new Auth.JWT();
jwt.setSub('[email protected]');
jwt.setAud('https://login.salesforce.com');
jwt.setIss('connected app client id');

// Sign the JWT with RS256 using the private key of the certificate stored under
// Setup > Certificate and Key Management; the second argument is that certificate's unique name
Auth.JWS jws = new Auth.JWS(jwt, 'Certificate keystore name');
String token = jws.getCompactSerialization(); // header.claims.signature, useful for inspection
String tokenEndpoint = 'https://login.salesforce.com/services/oauth2/token';

// POST the JWT bearer assertion to the token endpoint
Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(tokenEndpoint, jws);

// Get the access token (debug output is for the demo only; do not log tokens in production code)
String accessToken = bearer.getAccessToken();
System.debug('Access Token-->' + accessToken);

Apex Code with Named Credentials

// JWT_Demo is a Named Credential whose authentication protocol is JWT: the platform
// builds and signs the assertion, exchanges it for an access token and adds the
// Authorization header, so the Apex only names the resource it wants.
String path = '/services/data/v48.0/sobjects/Account/listviews/';

HttpRequest req = new HttpRequest();
req.setEndpoint('callout:JWT_Demo' + path);
req.setMethod('GET');
Http http = new Http();
HttpResponse res = http.send(req);
System.debug(res.getBody());
System.debug(res.getStatusCode());

Learn more about Salesforce OAuth 2.0 JWT Bearer flow.

Some Useful commands

Some useful commands to bundle a certificate (.crt) and its private key into a Java keystore that can be imported into Salesforce under Setup > Certificate and Key Management:

  • openssl pkcs12 -export -in server.crt -inkey server.pem -out testkeystore.p12
  • keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS
  • keytool -keystore servercert.jks -changealias -alias 1 -destalias salesforcetest

The alias (salesforcetest here) becomes the certificate's name in Salesforce and is the value passed as the second argument to Auth.JWS. Both the .p12 and the .jks contain the private key, so protect them with a strong password and delete them once the import is done.

Summary

If you liked this session and blog post, please share your feedback. I hope it helped you understand the OAuth authorization flows in Salesforce.

Amit Chaudhary

Amit Chaudhary is a Salesforce Application & System Architect and has been working on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and holds 17 Salesforce certifications.

He is an active blogger and the founder of Apex Hours.


3 Comments

  1. Hi, all the content is usable, but my scenario for getting an access token is different: we need to get the access token inside a managed package application class. The connected app will be part of the managed package, and at the time of executing the managed package class we need to generate an access token and use it further. Can you please suggest a better way?
