The document discusses OAuth and its implementation for Salesforce connected apps. It describes OAuth as a delegation protocol for conveying authorization across web apps and APIs, then outlines the web server flow and the user agent flow, including the token types each uses. It demonstrates obtaining an access token via the web server flow and using it to query data. Finally, it covers refreshing access tokens once they expire.
5. The OAuth specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs.
Benefits:
- Security: the client application never handles the user's password; it receives only scoped, revocable tokens.
- Maintenance
- Ease of Use
Why OAuth? [diagram: App -> Access App -> Authenticate -> Authorize]
6. OAuth allows a client application restricted access to your data at a resource server via tokens issued by an authorization server in response to your authorization.
Token Types:
Authorization Code
  A short-lived, single-use code created by the authorization server and passed to the client application via the browser. It is exchanged for tokens at the token endpoint; on its own it grants no access to the resource server.
Access Token
  The access token is used by the client to make authenticated requests to the resource server on behalf of the end user. It is a bearer credential: whoever holds it can use it until it expires.
Refresh Token
  The refresh token may have an indefinite lifetime; it stays usable until it is revoked or the connected app's refresh token policy expires it. Keep it server-side and protect it like a password.
8. Web Server Flow
Most web apps use the web server flow to obtain a token on behalf of the end user. The client has a server-side component that can hold the client secret and exchange the authorization code for tokens without exposing either to the browser.
9. Authenticate, Authorize Client
Parameter       Description
response_type   Must be set to code to request an authorization code.
client_id       Your application's client identifier (consumer key in Connected App Detail).
redirect_uri    The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL exactly; a loosely matched callback URL lets an attacker receive the code.
The request should also carry a state value tied to the user's session; the client checks it on the callback so that redirects it did not initiate are rejected (CSRF protection).
10. Token Request
The client's server exchanges the code for tokens by POSTing the following form parameters to the token endpoint. This call goes directly from server to server, so the client secret never passes through the browser.
Parameter       Description
code            The value returned by the authorization server in the previous step. It is single-use and expires quickly, so exchange it immediately.
grant_type      Set this to authorization_code.
client_id       Your application's client identifier.
client_secret   Your application's client secret (consumer secret in the connected app detail page).
redirect_uri    Again, this must match your application's configuration.
11. Web Server Flow: Response
Parameter       Description
id              A URL, representing the authenticated user, which can be used to access the Identity Service.
instance_url    Identifies the Salesforce instance that API requests should be sent to.
refresh_token   A long-lived token that may be used to obtain a fresh access token. Store it server-side, encrypted at rest.
access_token    The short-lived access token, sent as a bearer token on API requests.
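The web server flow from slides 8 to 11, end to end, as an added example that is not part of the original deck and not Salesforce's own code. Everything is stdlib Python and runs offline: the consumer key and secret, the callback URL, the authorization code and the token endpoint's JSON reply are constructed stand-ins. The state and PKCE (code_challenge / code_verifier) parameters are not on the slides; they are the standard OAuth 2.0 protections against CSRF on the callback and interception of the code.

```python
"""Web server flow (slides 8 to 11) walked through offline with the standard library.

Constructed example: the consumer key/secret, callback URL, authorization
code and the token endpoint's JSON reply are all made up. The state and PKCE
parameters do not appear on the slides; they are the standard OAuth 2.0
protections against CSRF and authorization-code interception.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
CLIENT_ID = "3MVG9-hypothetical-consumer-key"            # assumed value
CLIENT_SECRET = "hypothetical-consumer-secret"            # assumed value, server-side only
REDIRECT_URI = "https://app.example.com/oauth/callback"  # must equal the app's callback URL


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(state, code_challenge):
    """Slide 9: the URL the browser is sent to so the user can authenticate and authorize."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,                  # bound to the user's session, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Validate the redirect back to the callback URL and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: reject the callback (possible CSRF)")
    if "code" not in query:
        raise RuntimeError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code, code_verifier):
    """Slide 10: form body the *server* POSTs to the token endpoint (never the browser)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


def parse_token_response(body):
    """Slide 11: pull out the fields the client needs and fail loudly on a malformed reply."""
    data = json.loads(body)
    for key in ("access_token", "instance_url", "id"):
        if key not in data:
            raise RuntimeError("token response is missing " + key)
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # store server-side, never in the browser
        "instance_url": data["instance_url"],
        "id": data["id"],
    }


def demo():
    """End-to-end run with a simulated browser redirect and token endpoint reply."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    authorize_url = build_authorize_url(state, challenge)

    # Constructed: the redirect the browser would follow after the user clicks Allow.
    callback = REDIRECT_URI + "?" + urlencode({"code": "aPrx.constructedCode", "state": state})
    code = extract_code(callback, state)
    token_request = build_token_request(code, verifier)

    # Constructed reply in the shape of slide 11.
    reply = json.dumps({
        "id": "https://login.salesforce.com/id/00Dxx0000000000/005xx0000000000",
        "instance_url": "https://example.my.salesforce.com",
        "access_token": "00Dxx0000000000!constructed-access-token",
        "refresh_token": "constructed-refresh-token",
    })
    return authorize_url, token_request, parse_token_response(reply)


if __name__ == "__main__":
    print(demo())
```

The two checks that matter most are in extract_code: a callback whose state does not match the one stored in the user's session is dropped before any code is exchanged, and the token request goes out with the code_verifier so a stolen code cannot be redeemed by anyone who did not also see the verifier.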
13. User Agent Flow
The user agent flow allows client applications running in the user's browser (which cannot keep a client secret) to obtain an access token directly. The tokens are returned to the browser in the fragment of the redirect URL rather than through a server-side code exchange.
14. Request Token
Parameter       Description
response_type   token, or token id_token together with the scope parameter openid and a nonce parameter. The nonce is echoed inside the id_token so the client can tie the token to the request it made.
client_id       Your application's client identifier (consumer key in Connected App Detail).
redirect_uri    The end user's browser will be redirected to this URI with the access token (and id_token, if requested) in the URL fragment; no authorization code is involved in this flow. This must match your application's configured callback URL.
15. User Agent Flow: Response
The values below arrive in the fragment (after #) of the redirect URL and are read by script in the browser; the fragment is not sent to the server hosting the callback page.
Parameter       Description
id              A URL, representing the authenticated user, which can be used to access the Identity Service.
instance_url    Identifies the Salesforce instance that API requests should be sent to.
refresh_token   A long-lived token that may be used to obtain a fresh access token, present only when the connected app's configuration and the requested scope permit it. Because it lands in the browser, it is exposed to any script running on the page.
access_token    The short-lived access token.
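The user agent flow from slides 13 to 15 from the client's side, as an added example that is not part of the original deck and not Salesforce's own code. It runs offline on the standard library: the consumer key, callback URL, the redirect the authorization server would send and the id_token are constructed stand-ins. Beyond the slides' parameter list it shows the checks the browser-side client has to perform itself: tokens are accepted only from the fragment, state is matched, and the nonce in the id_token is compared with the one sent.

```python
"""User agent flow (slides 13 to 15) on the client side, offline, standard library only.

Constructed example: consumer key, callback URL, the redirect the
authorization server would send and the id_token are all made up. The
state and nonce checks are the client's responsibility; the slides only
list nonce as a request parameter.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
CLIENT_ID = "3MVG9-hypothetical-consumer-key"            # assumed value
REDIRECT_URI = "https://app.example.com/oauth/callback"  # must equal the app's callback URL


def build_request_url(state, nonce=None):
    """Slide 14. With a nonce the request also asks for an id_token (scope openid)."""
    params = {
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if nonce is not None:
        params["response_type"] = "token id_token"
        params["scope"] = "openid"
        params["nonce"] = nonce
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Slide 15: the tokens ride in the URL fragment (after '#'), not the query string."""
    parsed = urlparse(redirect_url)
    if "access_token" in parse_qs(parsed.query):
        raise RuntimeError("access token in the query string: refuse it, it was logged en route")
    frag = {k: v[0] for k, v in parse_qs(parsed.fragment).items()}
    if "error" in frag:
        raise RuntimeError("authorization failed: " + frag["error"])
    if frag.get("state") != expected_state:
        raise RuntimeError("state mismatch: reject the redirect (possible CSRF)")
    for key in ("access_token", "instance_url", "id"):
        if key not in frag:
            raise RuntimeError("redirect is missing " + key)
    return frag


def id_token_nonce(id_token):
    """Read the nonce claim from an id_token's payload.

    This only decodes; the signature must still be verified against the
    issuer's published keys before any claim in the token is trusted.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("nonce")


def demo():
    """Request with openid, then validate a constructed redirect."""
    state, nonce = "constructed-state", "constructed-nonce"  # use secrets.token_urlsafe() for real
    request_url = build_request_url(state, nonce)

    # Constructed id_token: header.payload.signature, payload echoes our nonce.
    claims = base64.urlsafe_b64encode(json.dumps({"nonce": nonce}).encode()).rstrip(b"=").decode()
    fake_id_token = "eyJhbGciOiJSUzI1NiJ9." + claims + ".constructed-signature"

    # Constructed redirect: everything the server returns lives in the fragment.
    redirect = REDIRECT_URI + "#" + urlencode({
        "access_token": "00Dxx0000000000!constructed-access-token",
        "refresh_token": "constructed-refresh-token",
        "instance_url": "https://example.my.salesforce.com",
        "id": "https://login.salesforce.com/id/00Dxx0000000000/005xx0000000000",
        "id_token": fake_id_token,
        "state": state,
    })
    tokens = parse_redirect(redirect, state)
    if id_token_nonce(tokens["id_token"]) != nonce:
        raise RuntimeError("nonce mismatch: id_token was not issued for this request")
    return request_url, tokens


if __name__ == "__main__":
    print(demo())
```

The query-string check exists because a token that ever appears in a query string has already been written to server access logs and possibly a Referer header; the fragment is the only place the client should accept it from.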
16. Token Refresh
Once an access token expires, the client application can use the refresh token to obtain a new access token without sending the user back through the authorization step.
17. Request Token
Parameter       Description
grant_type      Set this to refresh_token.
client_id       Your application's client identifier.
client_secret   Your application's client secret (optional; whether the token endpoint requires it depends on the connected app's settings).
refresh_token   The refresh token provided in the previous authorization.
18. Token Refresh: Response
Parameter       Description
id              A URL, representing the authenticated user, which can be used to access the Identity Service.
instance_url    Identifies the Salesforce instance.
refresh_token   A long-lived token that may be used to obtain a fresh access token. If the response carries no new refresh token, keep using the existing one.
access_token    The short-lived access token.
An error response (invalid_grant) means the refresh token has been revoked or expired; the only recovery is to run the authorization flow again.
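The refresh procedure of slides 16 to 18 as a client would actually run it, added here as an example that is not part of the original deck and not Salesforce's own code. Because the token responses on the slides carry no expiry time, the client cannot schedule a refresh in advance; the practical trigger is a 401 from the API, after which it refreshes once and retries once. The code runs offline on the standard library: the consumer key and secret, instance URL, query path and the in-process stand-in for the authorization and resource servers are all constructed.

```python
"""Token refresh (slides 16 to 18) driven by a 401 from the API, offline, standard library only.

Constructed example: the consumer key/secret, instance URL, query path and the
in-process stand-in for Salesforce are made up. The client learns that its
access token died by getting 401, then refreshes once and retries once.
"""
import json

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
INSTANCE_URL = "https://example.my.salesforce.com"                           # assumed value
ID_URL = "https://login.salesforce.com/id/00Dxx0000000000/005xx0000000000"  # assumed value
CLIENT_ID = "3MVG9-hypothetical-consumer-key"                                # assumed value
CLIENT_SECRET = "hypothetical-consumer-secret"                                # assumed value


def build_refresh_request(refresh_token):
    """Slide 17: form body POSTed to the token endpoint."""
    return {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token,
    }


def apply_refresh_response(store, body):
    """Slide 18: swap in the new access token; keep the old refresh token unless a new one came back."""
    data = json.loads(body)
    store["access_token"] = data["access_token"]
    store["instance_url"] = data.get("instance_url", store["instance_url"])
    store["refresh_token"] = data.get("refresh_token", store["refresh_token"])
    return store


class Client:
    """Bearer-token API client; `http(method, url, headers, form)` returns (status, body)."""

    def __init__(self, store, http):
        self.store = store
        self.http = http

    def _call(self, path):
        headers = {"Authorization": "Bearer " + self.store["access_token"]}
        return self.http("GET", self.store["instance_url"] + path, headers, None)

    def refresh(self):
        status, body = self.http("POST", TOKEN_URL, {}, build_refresh_request(self.store["refresh_token"]))
        if status != 200:
            # invalid_grant here means the refresh token was revoked or expired: re-authorize the user.
            raise RuntimeError("refresh failed (%d): %s" % (status, body))
        apply_refresh_response(self.store, body)

    def get(self, path):
        status, body = self._call(path)
        if status == 401:
            self.refresh()
            status, body = self._call(path)     # retry exactly once
        if status == 401:
            raise RuntimeError("still unauthorized after refresh; run the authorization flow again")
        return status, json.loads(body)


class FakeSalesforce:
    """Constructed stand-in: one live access token at a time, refresh mints the next one."""

    def __init__(self):
        self.live_access = "constructed-access-1"
        self.refresh_token = "constructed-refresh"
        self.issued = 1

    def expire(self):
        self.live_access = None        # simulate session timeout or logout

    def __call__(self, method, url, headers, form):
        if url == TOKEN_URL:
            ok = (form.get("grant_type") == "refresh_token"
                  and form.get("refresh_token") == self.refresh_token
                  and form.get("client_secret") == CLIENT_SECRET)
            if not ok:
                return 400, json.dumps({"error": "invalid_grant"})
            self.issued += 1
            self.live_access = "constructed-access-%d" % self.issued
            return 200, json.dumps({"access_token": self.live_access, "instance_url": INSTANCE_URL, "id": ID_URL})
        if headers.get("Authorization") != "Bearer " + str(self.live_access):
            return 401, json.dumps([{"errorCode": "INVALID_SESSION_ID"}])   # constructed reply
        return 200, json.dumps({"totalSize": 1, "done": True})


def demo():
    """First call succeeds, the session is expired, the next call refreshes transparently."""
    sf = FakeSalesforce()
    store = {"access_token": "constructed-access-1", "refresh_token": "constructed-refresh",
             "instance_url": INSTANCE_URL}
    client = Client(store, sf)
    path = "/services/data/v58.0/query?q=SELECT+Id+FROM+Account"   # assumed API path
    first, _ = client.get(path)
    sf.expire()
    second, _ = client.get(path)
    return first, second, store["access_token"], store["refresh_token"]


if __name__ == "__main__":
    print(demo())
```

Retrying exactly once is deliberate: a second 401 after a successful refresh means the problem is not expiry (revoked user, wrong instance, missing permission) and looping on refresh would only hammer the token endpoint.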