Deep Dive into OAuth for Connected Apps

2 likes1,136 views

The document discusses OAuth and its implementation for connected apps. It describes OAuth as a delegation protocol for conveying authorization across web apps and APIs. It then outlines the web server flow and user agent flow, including the different token types used. It demonstrates getting an access token via the web server flow and using it to query data. Finally, it provides information on refreshing access tokens before expired.

Technology

Deep Dive into OAuth for
Connected Apps
 Hargobind Singh
 Senior Manager
 hargobind.singh@capgemini.com
 @hargobindsingh

Hargobind Singh
Senior Manager, Capgemini

•  About oAuth
•  Implementation Scenarios
•  Demo
•  Wrap Up
Overview

The OAuth speciﬁcation deﬁnes a delegation
protocol that is useful for conveying
authorization decisions across a network of
web-enabled applications and APIs
 Beneﬁts :
 - Security
 - Maintenance
 - Ease of Use
Why OAuth ?
App
Access App
Authenticate
Authorize

OAuth allows a client application restricted
access to your data at a resource server via tokens
issued by an authorization server in response to
your authorization.
 Token Types:
Authorization Code
short-lived token created by the authorization server and
passed to the client application via the browser.
Access Token
The access token is used by the client to make
authenticated requests on behalf of the end user.
Refresh Token
The refresh token may have an indeﬁnite lifetime
oAuth

Web Server Flow
 Most web apps would use a web-server
ﬂow to obtain a token on behalf of the
end-user

Authenticate, Authorize Client
Parameter Description
response_type Must be set to code to
request an authorization
code.
client_id Your application's client
identifier (consumer key in
Connected App Detail).
redirect_uri The end user's browser will
be redirected to this URI with
the authorization code. This
must match your application's
configured callback URL.

Token Response
Parameter Description
code The value returned by the
authorization server in the
previous step.
grant_type Set this to authorization_code.
client_id Your application's client identifier.
client_secret Your application's client secret
(consumer secret in the
connected app detail page).
redirect_uri Again, this must match your
application's configuration.

Web Server Flow: Response
Parameter Description
id A URL, representing the
authenticated user, which can
be used to access the Identity
Service.
instance_url Identifies the Salesforce
instance
refresh_token A long-lived token that may be
used to obtain a fresh access
token
access_token The short-lived access token.

Web Server Flow - Response
 Sample Response

User Agent Flow
 The user agent ﬂow allows client
applications running on user’s browser
to obtain an access token

Request Token
Parameter Description
response_type Value can be token, or token
id_token with the scope
parameter openid and a nonce
parameter
client_id Your application's client identifier
(consumer key in Connected
App Detail).
redirect_uri The end user's browser will be
redirected to this URI with the
authorization code. This must
match your application's
configured callback URL.

User Agent Flow: Response
Parameter Description
id A URL, representing the
authenticated user, which can
be used to access the Identity
Service.
instance_url Identifies the Salesforce
instance
refresh_token A long-lived token that may be
used to obtain a fresh access
token
access_token The short-lived access token.

Token Refresh
 Once the lifetime of a token expires, the
client application can use the refresh
token to obtain a new access token

Request Token
Parameter Description
grant_type Set this to refresh_token.
client_id Your application's client
identifier.
client_secret Your application's client
secret (optional).
refresh_token The refresh token provided
in the previous
authorization.

Token Refresh: Response
Parameter Description
id A URL, representing the
authenticated user, which can
be used to access the Identity
Service.
instance_url Identifies the Salesforce
instance
refresh_token A long-lived token that may be
used to obtain a fresh access
token
access_token The short-lived access token.

Demo
 Connected App
 Web Server Flow:
•  Send request to get token
•  Send token to get Access Token
•  Use Access Token to query data

Wrap Up
 What we covered:
•  oAuth Basics
•  oAuth Implementation Flows
•  Demo
 More Info:
•  Salesforce oAuth Documentation

Questions
 Hargobind Singh
 @hargobindsingh

More Related Content

What's hot (20)

PDF

Api Testing.pdfJitendraYadav351971

PPTX

An Introduction to OAuth 2Aaron Parecki

PPTX

Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin

PDF

Introduction to OpenID Connect Nat Sakimura

PPTX

OAuth2 + API SecurityAmila Paranawithana

PDF

OAuth 2.0Uwe Friedrichsen

PPTX

Api TestingVishwanath KC

PDF

API Security Best Practices & GuidelinesPrabath Siriwardena

PDF

REST API and CRUDPrem Sanil

PPTX

An Introduction to OAuth2Aaron Parecki

PPTX

Burp suiteSOURABH DESHMUKH

PPTX

OpenID Connect: An OverviewPat Patterson

PPTX

OAuth with Salesforce - DemystifiedCalvin Noronha

PPT

Postman.pptParrotBAD

PDF

Api security-testingn|u - The Open Security Community

PDF

Keycloak Single Sign-OnRavi Yasas

PDF

OAuth 2.0 with IBM WebSphere DataPowerShiu-Fun Poon

PPTX

Api typesSarah Maddox

PDF

Spring security oauth2axykim00

PDF

OAuth 2.0 and OpenID ConnectJacob Combs

Api Testing.pdfJitendraYadav351971

An Introduction to OAuth 2Aaron Parecki

Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin

Introduction to OpenID Connect Nat Sakimura

OAuth2 + API SecurityAmila Paranawithana

OAuth 2.0Uwe Friedrichsen

Api TestingVishwanath KC

API Security Best Practices & GuidelinesPrabath Siriwardena

REST API and CRUDPrem Sanil

An Introduction to OAuth2Aaron Parecki

Burp suiteSOURABH DESHMUKH

OpenID Connect: An OverviewPat Patterson

OAuth with Salesforce - DemystifiedCalvin Noronha

Postman.pptParrotBAD

Api security-testingn|u - The Open Security Community

Keycloak Single Sign-OnRavi Yasas

OAuth 2.0 with IBM WebSphere DataPowerShiu-Fun Poon

Api typesSarah Maddox

Spring security oauth2axykim00

OAuth 2.0 and OpenID ConnectJacob Combs

Similar to Deep Dive into OAuth for Connected Apps (20)

PDF

Authentication with OAuth and Connected AppsSalesforce Developers

PDF

04 june meetup - An overview of OAuth2 on Force.com projectsAldo Fernandez

PPTX

Deep dive into Salesforce Connected AppDhanik Sahni

PDF

Digging Deeper into Desktop and Mobile App SecuritySalesforce Developers

PPTX

Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)gemziebeth

PPTX

Hands-on with OAuth, Facebook and the Force.com PlatformPat Patterson

PDF

CIS14: OAuth and OpenID Connect in ActionCloudIDSummit

PDF

CIS14: OAuth and OpenID Connect in ActionCloudIDSummit

PPTX

OAuth Authorization flows in salesforceKishore B T

PPTX

Y U No OAuth?!?Jason Robert

PPTX

O auth with facebook and google using .netSathyaish Chakravarthy

PPTX

OAuth2 Authorization Server Under the HoodLohika_Odessa_TechTalks

PPT

O auth 2Nisha Baswal

PPTX

Mulesoft Salesforce Connector - OAuth 2.0 JWT BearerVince Soliza

PPTX

Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsJason Robert

PPTX

Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti

PDF

Iam f42 aSelectedPresentations

PPTX

Wso2 is integration with .net coreIsmaeel Enjreny

PDF

OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui

PDF

Demystifying OAuth 2.0Karl McGuinness

Authentication with OAuth and Connected AppsSalesforce Developers

04 june meetup - An overview of OAuth2 on Force.com projectsAldo Fernandez

Deep dive into Salesforce Connected AppDhanik Sahni

Digging Deeper into Desktop and Mobile App SecuritySalesforce Developers

Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)gemziebeth

Hands-on with OAuth, Facebook and the Force.com PlatformPat Patterson

CIS14: OAuth and OpenID Connect in ActionCloudIDSummit

OAuth Authorization flows in salesforceKishore B T

Y U No OAuth?!?Jason Robert

O auth with facebook and google using .netSathyaish Chakravarthy

OAuth2 Authorization Server Under the HoodLohika_Odessa_TechTalks

O auth 2Nisha Baswal

Mulesoft Salesforce Connector - OAuth 2.0 JWT BearerVince Soliza

Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsJason Robert

Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti

Iam f42 aSelectedPresentations

Wso2 is integration with .net coreIsmaeel Enjreny

OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui

Demystifying OAuth 2.0Karl McGuinness

More from Salesforce Developers (20)

PDF

Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSalesforce Developers

PDF

Maximizing Salesforce Lightning Experience and Lightning Component PerformanceSalesforce Developers

PDF

Local development with Open Source Base ComponentsSalesforce Developers

PPTX

TrailheaDX India : Developer HighlightsSalesforce Developers

PDF

Why developers shouldn’t miss TrailheaDX IndiaSalesforce Developers

PPTX

CodeLive: Build Lightning Web Components faster with Local DevelopmentSalesforce Developers

PPTX

CodeLive: Converting Aura Components to Lightning Web ComponentsSalesforce Developers

PPTX

Enterprise-grade UI with open source Lightning Web ComponentsSalesforce Developers

PPTX

TrailheaDX and Summer '19: Developer HighlightsSalesforce Developers

PDF

Live coding with LWCSalesforce Developers

PDF

Lightning web components - Episode 4 : Security and TestingSalesforce Developers

PDF

LWC Episode 3- Component Communication and Aura InteroperabilitySalesforce Developers

PDF

Lightning web components episode 2- work with salesforce dataSalesforce Developers

PDF

Lightning web components - Episode 1 - An IntroductionSalesforce Developers

PDF

Migrating CPQ to Advanced Calculator and JSQCPSalesforce Developers

PDF

Scale with Large Data Volumes and Big Objects in SalesforceSalesforce Developers

PDF

Replicate Salesforce Data in Real Time with Change Data CaptureSalesforce Developers

PDF

Modern Development with Salesforce DXSalesforce Developers

PDF

Get Into Lightning Flow DevelopmentSalesforce Developers

PDF

Integrate CMS Content Into Lightning Communities with CMS ConnectSalesforce Developers

Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSalesforce Developers

Maximizing Salesforce Lightning Experience and Lightning Component PerformanceSalesforce Developers

Local development with Open Source Base ComponentsSalesforce Developers

TrailheaDX India : Developer HighlightsSalesforce Developers

Why developers shouldn’t miss TrailheaDX IndiaSalesforce Developers

CodeLive: Build Lightning Web Components faster with Local DevelopmentSalesforce Developers

CodeLive: Converting Aura Components to Lightning Web ComponentsSalesforce Developers

Enterprise-grade UI with open source Lightning Web ComponentsSalesforce Developers

TrailheaDX and Summer '19: Developer HighlightsSalesforce Developers

Live coding with LWCSalesforce Developers

Lightning web components - Episode 4 : Security and TestingSalesforce Developers

LWC Episode 3- Component Communication and Aura InteroperabilitySalesforce Developers

Lightning web components episode 2- work with salesforce dataSalesforce Developers

Lightning web components - Episode 1 - An IntroductionSalesforce Developers

Migrating CPQ to Advanced Calculator and JSQCPSalesforce Developers

Scale with Large Data Volumes and Big Objects in SalesforceSalesforce Developers

Replicate Salesforce Data in Real Time with Change Data CaptureSalesforce Developers

Modern Development with Salesforce DXSalesforce Developers

Get Into Lightning Flow DevelopmentSalesforce Developers

Integrate CMS Content Into Lightning Communities with CMS ConnectSalesforce Developers

Recently uploaded (20)

PDF

ICONIQ State of AI Report 2025 - The Builder's PlaybookRazin Mustafiz

PDF

''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...Fwdays

PDF

How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdfBluechip Advanced Technologies

PPTX

CapCut Pro PC Crack Latest Version Free Freejosanj305

PPTX

Mastering Authorization: Integrating Authentication and Authorization Data in...Hitachi, Ltd. OSS Solution Center.

PDF

DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdfCyberPro Magazine

PDF

Kubernetes - Architecture & Components.pdfgeethak285

PPTX

Wondershare Filmora Crack Free Download 2025josanj305

PPSX

Usergroup - OutSystems Architecture.ppsxKurt Vandevelde

PDF

Understanding AI Optimization AIO, LLMO, and GEOCoDigital

PPTX

Reimaginando la Ciberdefensa: De Copilots a Redes de AgentesCristian Garcia G.

PDF

Proactive Server and System Monitoring with FME: Using HTTP and System Caller...Safe Software

PDF

🚀 Let’s Build Our First Slack Workflow! 🔧.pdfSanjeetMishra29

PDF

ArcGIS Utility Network Migration - The Hunter Water StorySafe Software

PDF

Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...Safe Software

PDF

My Journey from CAD to BIM: A True Underdog StorySafe Software

PDF

Understanding The True Cost of DynamoDB WebinarScyllaDB

PDF

Optimizing the trajectory of a wheel loader working in short loading cyclesReno Filla

PDF

Hello I'm "AI" Your New _________________Dr. Tathagat Varma

PDF

Quantum Threats Are Closer Than You Think – Act Now to Stay SecureWSO2

ICONIQ State of AI Report 2025 - The Builder's PlaybookRazin Mustafiz

''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...Fwdays

How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdfBluechip Advanced Technologies

CapCut Pro PC Crack Latest Version Free Freejosanj305

Mastering Authorization: Integrating Authentication and Authorization Data in...Hitachi, Ltd. OSS Solution Center.

DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdfCyberPro Magazine

Kubernetes - Architecture & Components.pdfgeethak285

Wondershare Filmora Crack Free Download 2025josanj305

Usergroup - OutSystems Architecture.ppsxKurt Vandevelde

Understanding AI Optimization AIO, LLMO, and GEOCoDigital

Reimaginando la Ciberdefensa: De Copilots a Redes de AgentesCristian Garcia G.

Proactive Server and System Monitoring with FME: Using HTTP and System Caller...Safe Software

🚀 Let’s Build Our First Slack Workflow! 🔧.pdfSanjeetMishra29

ArcGIS Utility Network Migration - The Hunter Water StorySafe Software

Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...Safe Software

My Journey from CAD to BIM: A True Underdog StorySafe Software

Understanding The True Cost of DynamoDB WebinarScyllaDB

Optimizing the trajectory of a wheel loader working in short loading cyclesReno Filla

Hello I'm "AI" Your New _________________Dr. Tathagat Varma

Quantum Threats Are Closer Than You Think – Act Now to Stay SecureWSO2

Deep Dive into OAuth for Connected Apps

1. Deep Dive into OAuth for Connected Apps  Hargobind Singh  Senior Manager  [email protected]  @hargobindsingh  

2. Hargobind Singh Senior Manager, Capgemini

3. •  About oAuth •  Implementation Scenarios •  Demo •  Wrap Up Overview

4. About oAuth

5.  The OAuth specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs  Benefits :  - Security  - Maintenance  - Ease of Use Why OAuth ? App Access App Authenticate Authorize

6.  OAuth allows a client application restricted access to your data at a resource server via tokens issued by an authorization server in response to your authorization.  Token Types: Authorization Code short-lived token created by the authorization server and passed to the client application via the browser. Access Token The access token is used by the client to make authenticated requests on behalf of the end user. Refresh Token The refresh token may have an indeﬁnite lifetime oAuth

7. Implementation Scenarios

8. Web Server Flow  Most web apps would use a web-server ﬂow to obtain a token on behalf of the end-user

9. Authenticate, Authorize Client Parameter Description response_type Must be set to code to request an authorization code. client_id Your application's client identifier (consumer key in Connected App Detail). redirect_uri The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL.

10. Token Response Parameter Description code The value returned by the authorization server in the previous step. grant_type Set this to authorization_code. client_id Your application's client identifier. client_secret Your application's client secret (consumer secret in the connected app detail page). redirect_uri Again, this must match your application's configuration.

11. Web Server Flow: Response Parameter Description id A URL, representing the authenticated user, which can be used to access the Identity Service. instance_url Identifies the Salesforce instance refresh_token A long-lived token that may be used to obtain a fresh access token access_token The short-lived access token.

12. Web Server Flow - Response  Sample Response

13. User Agent Flow  The user agent ﬂow allows client applications running on user’s browser to obtain an access token

14. Request Token Parameter Description response_type Value can be token, or token id_token with the scope parameter openid and a nonce parameter client_id Your application's client identifier (consumer key in Connected App Detail). redirect_uri The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL.

15. User Agent Flow: Response Parameter Description id A URL, representing the authenticated user, which can be used to access the Identity Service. instance_url Identifies the Salesforce instance refresh_token A long-lived token that may be used to obtain a fresh access token access_token The short-lived access token.

16. Token Refresh  Once the lifetime of a token expires, the client application can use the refresh token to obtain a new access token

17. Request Token Parameter Description grant_type Set this to refresh_token. client_id Your application's client identifier. client_secret Your application's client secret (optional). refresh_token The refresh token provided in the previous authorization.

18. Token Refresh: Response Parameter Description id A URL, representing the authenticated user, which can be used to access the Identity Service. instance_url Identifies the Salesforce instance refresh_token A long-lived token that may be used to obtain a fresh access token access_token The short-lived access token.

19. Demo

20. Demo  Connected App  Web Server Flow: •  Send request to get token •  Send token to get Access Token •  Use Access Token to query data

21. Wrap Up

22. Wrap Up  What we covered: •  oAuth Basics •  oAuth Implementation Flows •  Demo  More Info: •  Salesforce oAuth Documentation

23. Questions  Hargobind Singh  @hargobindsingh

24. Thank you