In this session we will talk about OAuth concepts in Salesforce. You've likely heard of OAuth, but what exactly is it? How is it used in Salesforce, and where does it fit in with other protocols like SAML? This webinar will answer these questions and more.
What is OAuth?
OAuth is short for Open Authorization. OAuth 2.0 is a framework that gives systems a secure way to establish trust with one another. The end goal is to obtain an access token that a client can use to access protected resources without the user ever handing their username or password to that client.
Actors in OAuth 2.0
Who are the OAuth 2.0 actors?
- Resource Owner
- Client
- Resource Server
- Authorization Server
- User-Agent (sometimes)
Why use OAuth with Salesforce?
- Security!
- We know Salesforce is built on trust
- But what happens when we start communicating with other systems, or other systems talk to us? It becomes OUR responsibility!
Where is OAuth Used in Salesforce?
A few examples of where you can use OAuth with the Salesforce Platform:

| Outbound | Inbound |
| --- | --- |
| HTTP callouts | Mobile Apps |
| Authentication via OpenID Connect | Web Apps |
| Salesforce Connect | Smart Devices |
| | Middleware |
Depending on your use case, a combination of declarative and programmatic elements is required to use OAuth with Salesforce:

| Use case | Direction | Config | Code |
| --- | --- | --- | --- |
| HTTP Callouts | Outbound | Named Credential | The callout |
| Authentication via OpenID Connect | Outbound | Connected App, Authentication Provider | Registration Handler for the Auth Provider |
| Mobile Apps, Web Apps, Smart Devices, Middleware | Inbound | Connected App | None (potentially); clients just use the APIs |
Go With the Flow
Outbound: when you go outbound from Salesforce with Named Credentials, Salesforce uses the Web Server flow out of the box.
Inbound: you decide! Salesforce supports the following flows:
- SAML Bearer Assertion
- JWT Bearer Token
- Refresh Token
- Web Server Authentication
- Username-Password
- User-Agent
- Device Authentication
- Asset Token
- SAML Assertion
Web Server Flow
- The gold standard
- Also called the "authorization code" flow
- Used for web apps that can be trusted to secure the consumer secret (from the connected app that you set up, or that gets set up for you!)
- Remember our main goal?
- The Web Server Authentication flow provides an access token AND a refresh token
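Here is the Web Server flow from the list above carried through in code. This is an added example, not code from the ApexHours session or from Salesforce: it shows the web app (client) side of the flow, the authorization request, the callback, the code-for-token exchange and a later refresh, together with a constructed stand-in for Salesforce's login page and token endpoint so that it runs offline. The `/services/oauth2/authorize` and `/services/oauth2/token` paths are Salesforce's real endpoints; the consumer key and secret, redirect URI, identity URL, refresh token and `fake_*` functions are placeholders assumed for the example. It goes slightly beyond the slides by adding the checks a practitioner should not skip: a `state` value that binds the callback to the session, a PKCE verifier so only the app that started the login can redeem the code, and verification of the `signature` Salesforce returns with the token (HMAC-SHA256 over `id` + `issued_at`, keyed with the consumer secret, as documented for the token response).

```python
# Added example (not ApexHours/Salesforce code): client side of the Web Server flow plus a
# constructed offline stand-in for Salesforce's login page and token endpoint.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_HOST = "https://login.salesforce.com"  # sandboxes: test.salesforce.com, or your My Domain
AUTHORIZE_URL = LOGIN_HOST + "/services/oauth2/authorize"
TOKEN_URL = LOGIN_HOST + "/services/oauth2/token"

def _pkce_challenge(verifier):
    # PKCE S256: unpadded base64url(SHA-256(verifier))
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def _response_signature(secret, ident, issued_at):
    # Salesforce's token response carries Base64(HMAC-SHA256(consumer secret, id + issued_at))
    return base64.b64encode(hmac.new(secret.encode(), (ident + issued_at).encode(), hashlib.sha256).digest()).decode()

class WebServerFlowClient:
    """Server-side web app holding the connected app's consumer key and secret."""

    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.transport = transport  # callable(url, form) -> dict; real code would POST with requests
        self._pending = {}          # state -> PKCE verifier for logins still in flight

    def authorization_url(self, scope="api refresh_token"):
        state = secrets.token_urlsafe(32)     # ties the callback to this session (CSRF defence)
        verifier = secrets.token_urlsafe(64)  # PKCE: proves the code exchange comes from us
        self._pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": scope, "state": state, "code_challenge": _pkce_challenge(verifier)}
        return AUTHORIZE_URL + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        if "error" in q:
            raise RuntimeError("authorization failed: " + q["error"][0])
        verifier = self._pending.pop(q.get("state", [""])[0], None)  # each state is single use
        if verifier is None:
            raise ValueError("unknown or replayed state; refusing to exchange the code")
        form = {"grant_type": "authorization_code", "code": q["code"][0], "client_id": self.client_id,
                "client_secret": self.client_secret, "redirect_uri": self.redirect_uri, "code_verifier": verifier}
        return self._checked(self.transport(TOKEN_URL, form))

    def refresh(self, refresh_token):
        form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
                "client_id": self.client_id, "client_secret": self.client_secret}
        return self._checked(self.transport(TOKEN_URL, form))

    def _checked(self, tok):
        if "error" in tok:
            raise RuntimeError("token endpoint error: " + tok["error"])
        expected = _response_signature(self.client_secret, tok["id"], tok["issued_at"])
        if not hmac.compare_digest(expected, tok.get("signature", "")):
            raise ValueError("token response signature mismatch")
        return tok

# Constructed fake of the Salesforce side, offline only; every value below is a placeholder.
FAKE_SECRET = "consumer-secret-placeholder"
FAKE_REFRESH = "refresh-token-placeholder"
FAKE_IDENT = "https://login.salesforce.com/id/00D000000000000/005000000000000"
_issued_codes = {}  # code -> (code_challenge, redirect_uri) recorded when the code was issued

def fake_authorize(auth_url):
    """User logs in and consents; Salesforce redirects back with a code and the same state."""
    q = parse_qs(urlparse(auth_url).query)
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = (q["code_challenge"][0], q["redirect_uri"][0])
    return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

def fake_token_endpoint(url, form):
    if url != TOKEN_URL or form.get("client_secret") != FAKE_SECRET:
        return {"error": "invalid_client"}
    if form["grant_type"] == "authorization_code":
        issued = _issued_codes.pop(form["code"], None)  # authorization codes are single use
        if issued != (_pkce_challenge(form["code_verifier"]), form["redirect_uri"]):
            return {"error": "invalid_grant"}
    elif form["grant_type"] != "refresh_token" or form["refresh_token"] != FAKE_REFRESH:
        return {"error": "invalid_grant"}
    issued_at = "1700000000000"
    tok = {"access_token": secrets.token_urlsafe(24), "instance_url": "https://example.my.salesforce.com",
           "id": FAKE_IDENT, "token_type": "Bearer", "issued_at": issued_at,
           "signature": _response_signature(FAKE_SECRET, FAKE_IDENT, issued_at)}
    if form["grant_type"] == "authorization_code":
        tok["refresh_token"] = FAKE_REFRESH  # only issued on the initial exchange
    return tok

def demo(secret=FAKE_SECRET):
    # One login end to end; returns the client and callback so a replay can be attempted afterwards.
    client = WebServerFlowClient("consumer-key-placeholder", secret,
                                 "https://app.example.com/oauth/callback", fake_token_endpoint)
    callback = fake_authorize(client.authorization_url())
    tokens = client.handle_callback(callback)
    return client, callback, tokens, client.refresh(tokens["refresh_token"])
```

`demo()` walks one user through login and then refreshes; swap `fake_token_endpoint` for a function that POSTs the form to `TOKEN_URL` and returns the JSON body to use it against a real connected app. Note where the consumer secret lives: only in `WebServerFlowClient`, on the server, which is exactly the "can be trusted to secure the consumer secret" condition the slides put on this flow.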
OAuth Concepts Video
Please note that there is a limit of 300 attendees who can join the online sessions. However, the recording will be posted on our YouTube channel. Make sure to subscribe to our YouTube channel to get a notification when the video is uploaded.
Let us know which topic you want to learn next in ApexHours.
Thanks for the session Amit and Susannah.
Excellent exposition.
Glad you like it