OAuth Flashcards

1
Q

When should you use the Web Server flow?

A

When the server hosting the web app is able to protect the connected app’s identity - defined by client ID and client secret

2
Q

What are the end to end steps in the Web server flow?

A
  1. Request an authorization code using client ID
  2. User authenticates and authorises access
  3. SF grants authorization code
  4. Web app requests an access token using client ID & client secret
  5. SF grants the access token
3
Q

What is the HTTP operation for requesting and getting the Authorization code for a web server flow?

A

HTTP Redirect

4
Q

How are scopes handled in the web server flow?

A

Scopes can be passed as an additional parameter - otherwise the flow uses what is defined in the connected app

5
Q

What is the endpoint for the authorize call in a web server flow?

A

https://login.salesforce.com/services/oauth2/authorize

6
Q

How is the authorization code granted in a web server flow?

A

Redirects to the callback URL with code = xyz

7
Q

How long-lived is the authorization code in a web server flow?

A

15 minutes

8
Q

Can you persist state in the authorization flow?

A

Yes - the state parameter is passed back if included in the initial authorization request

9
Q

What are the key parameters in the authorization code request call of a web server flow?

A

client_id

10
Q

What is the HTTP operation to request an access token in the web server flow?

A

POST to services/oauth2/token

11
Q

What is the grant type to request an access token in the web server flow?

A

grant_type=authorization_code

12
Q

What are the key parameters in the authorization code request call of a web server flow?

A

code, client_id, client_secret

13
Q

When should you use the User-Agent flow?

A

You have a client side mobile/browser application that cannot secure the client secret

14
Q

What is the response type in the authorization code request call of a web server flow?

A

code

15
Q

What is the response type in the authorization code request call of a user agent flow?

A

token or token id_token

16
Q

What are the key parameters in the authorization code request call of a user agent flow?

A

client_id

17
Q

Can the user agent flow issue a refresh token?

A

Yes

18
Q

What are some of the characteristics of the JWT Bearer token flow?

A
  1. Used for Server to Server calls
  2. Does not issue a Refresh token
  3. Does not pass the client secret
  4. Can’t specify scopes
19
Q

How are scopes handled with JWT Bearer token flow?

A
  1. All users may self-authorize: scopes are derived from prior approvals
  2. Admin approved users are pre-authorized: scopes linked to connected app are returned with access token
  3. Allowlist connected apps in org: scopes linked to connected app are returned with access token
20
Q

How do you construct a JWT token?

A
  1. Base64URLEncode(JWT Header) + “.” + Base64URLEncode(JWT Claims)
  2. Sign (1) with SHA256 with RSA
  3. Chain (1) + “.” + (2)
21
Q

What is the HTTP operation to request an access token in the JWT Bearer flow?

A

POST to services/oauth2/token

22
Q

What is the grant type in JWT Bearer flow?

A

jwt-bearer

23
Q

What is the token type set to when SF returns the access token in the JWT Bearer flow?

A

Bearer

24
Q

What is the header set to when accessing protected data in the JWT Bearer flow?

A

Authorization: Bearer

25
Q

When should you use the Device Authentication flow?

A

When you want to allow access to Salesforce for an application that runs on a device with limited input capabilities

26
Q

What is the HTTP Operation for a device requesting authorization in the Device Authentication flow?

A

HTTP Post to /services/oauth2/token

27
Q

What is the response type sent to Salesforce in the authorization call in a Device Authentication flow?

A

response_type=device_code

28
Q

Do we need client secret in the Device Authentication flow?

A

No, only client_id is required

29
Q

What does SF return after the initial authorization call in the Device Authentication flow?

A

device_code, user_code, verification_uri, interval

30
Q

Describe the sequence of activities in the Device Authentication flow?

A
  1. Device requests authorization
  2. SF returns a verification code as well as the verification URL
  3. Client app on device instructs user to visit verification URL on computer or mobile and enter verification code
  4. In the meantime, the app polls the token endpoint to check whether the user has logged in and the access token is available
  5. If the user logs in and grants access, SF posts the access token
31
Q

Describe some of the common scopes in use in OAuth?

A
api (access and manage data)
custom_permissions
id (synonymous with profile, email, address, phone)
openid
full
refresh_token
web
32
Q

When would you need to use custom scopes?

A

If the protected resource is external, e.g. SF is the authorization service but the actual resource is order information from the ERP

33
Q

What are tokens used for?

A

Authorise access to protected resources

34
Q

Describe the authorization code?

A

Short lived token that can be used to get an access token or optionally a refresh token

35
Q

Describe the access token?

A

Has a longer lifetime than authorization code, usually minutes or hours.
On expiry, client must get a new one using either refresh token or a new authorization flow

36
Q

Describe the refresh token?

A

Can be used repeatedly to get new access tokens

37
Q

Describe the ID token?

A

Signed data structure that contains authenticated user attributes

38
Q

When can you request the ID token?

A

In the User Agent and Web Server flows

39
Q

How is the ID token requested in the Web Server flow?

A

response_type: code
scope: openid

40
Q

How is the ID token requested in the User Agent flow?

A

response_type: token id_token
scope: openid
nonce

41
Q

What are the 3 ways to revoke a token?

A
  1. POST to /services/oauth2/revoke
  2. GET on https://login.salesforce.com/services/oauth2/revoke?token=currenttokenID
  3. JSONP
42
Q

What is token introspection?

A

Allows OAuth connected apps to check the state of an access or refresh token

43
Q

What are the 2 ways of sending client ID and secret for a token introspection call?

A

In the header or body

44
Q

What is the HTTP operation for a token introspection?

A

HTTP POST to /services/oauth2/introspect