IAM Flashcards
Authentication
Your Username + Your Password (who you are)
Authorization
Your Permissions (what you are allowed to do)
Service Provider (SP)
An application that provides some service to the end user. It accepts identity from an identity provider.
Identity Provider (IdP)
A trusted service that enables users to access other websites and services without logging in again.
OAuth (Open Authorization)
An open protocol to allow secure API authorization in a simple and standardized way from desktop and web applications.
The Force.com platform implements the OAuth 2.0 Authorization Framework so that users can…
Authorize applications to access Force.com resources (via the Force.com REST and SOAP Web Service APIs) or Chatter resources (via the Chatter REST API) on their behalf without revealing their passwords or other credentials to those applications. Alternatively, applications can directly authenticate to access the same resources without the presence of an end user.
Web Server OAuth Flow
Users can authorize your web application to access their data. Typically used for web applications where server-side code needs to interact with Force.com APIs on the user's behalf. A critical aspect of the web server flow is that the server must be able to protect the consumer secret.
User Agent OAuth Flow
Users can authorize your desktop or mobile application to access their data, leveraging an external or embedded browser (or user-agent) for authentication. The difference from the web server flow is that the client cannot keep the consumer secret confidential; this flow is used for desktop and mobile applications.
OAuth 2.0 Refresh Token Flow
Renews tokens issued by the web server or user-agent flows.
JWT Bearer Token OAuth Flow
An app can reuse an existing authorization by supplying a signed JSON Web Token (JWT). This flow does not use a refresh token.
Access Token
Used by the client to make authenticated requests on behalf of the end user.
Refresh Token
May have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked by the end user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server.
redirect_uri
The end user's browser will be redirected to this URI with the authorization code. This must match your application's configured callback URL.
state
If a value was provided for the state parameter in the request, then that same value will be returned here.
Connected Apps
Designed to be run independently of the user interface. Either the app is hosted on an external website that interfaces with salesforce.com, or it is a desktop or mobile app that runs on a client. Authentication for a connected app is client-initiated and must be done per client.