OAuth & OpenID Connect in Action
Chuck Mortimore
VP, Product Management
Salesforce Identity
@cmort
a quick demo client
CIS14: OAuth and OpenID Connect in Action
the world’s simplest client
1) Register an App
2) Get your Metadata
3) Create (initialize) your Client
4) Use your Tokens
1) Register an App
2) Get your Metadata
https://login.salesforce.com/.well-known/openid-configuration
{
  "issuer": "https://login.salesforce.com",
  "authorization_endpoint": "https://login.salesforce.com/services/oauth2/authorize",
  "token_endpoint": "https://login.salesforce.com/services/oauth2/token",
  "revocation_endpoint": "https://login.salesforce.com/services/oauth2/revoke",
  "userinfo_endpoint": "https://login.salesforce.com/services/oauth2/userinfo",
  "jwks_uri": "https://login.salesforce.com/id/keys",
  "scopes_supported": ["id", "api", "web", "full", "chatter_api", "visualforce", "refresh_token", "openid"],
  "response_types_supported": ["code", "token", "token id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "display_values_supported": ["page", "popup", "touch"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"]
}
3) Create your Client
https://login.salesforce.com/services/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Flocalhost&client_id=…
curl -H 'Content-Type: application/x-www-form-urlencoded' \
  -d "client_id=...&client_secret=...&redirect_uri=https%3A%2F%2Flocalhost&grant_type=authorization_code&code=..." \
  https://login.salesforce.com/services/oauth2/token
…and validate your id_token
4) Use your access_token
curl -H "Authorization: Bearer ..." https://login.salesforce.com/services/oauth2/userprofile
so what can we do with all this plumbing?
social sign-on
1) Register an App
2) Get your Metadata
https://accounts.google.com/.well-known/openid-configuration
3) Initialize your client software
4) Just-in-Time Provisioning
faster, simpler, better federation
1) Register an App
2) Get your Metadata
https://gold.pinglabs.net:9031/.well-known/openid-configuration
3) Initialize your client software
4) Map Users
5) Access APIs!
enterprise mobile apps
Let’s build this App
Refresh Tokens provide “SSO”
Let’s Layer in Federation
Let’s add Enterprise Policies
How about Two Factor Authentication
Bonus: Custom Claims