OAuth Flashcards
When should you use the Web Server flow?
When the server hosting the web app is able to protect the connected app’s identity - defined by client ID and client secret
What are the end to end steps in the Web server flow?
- Request an authorization code using client ID
- User authenticates and authorises access
- SF grants authorization code
- Web app requests an access token using client ID & client secret
- SF grants the access token
What is the HTTP operation for requesting and getting the Authorization code for a web server flow?
HTTP Redirect
How are scopes handled in the web server flow?
Scopes can be passed as an additional parameter - otherwise the flow uses what is defined in the connected app
What is the endpoint for the authorize call in a web server flow?
https://login.salesforce.com/services/oauth2/authorize
How is the authorization code granted in a web server flow?
Redirects to the callback URL with code = xyz
How long lived is the authorization code in a web server flow?
15 minutes
Can you persist state in the authorization flow?
Yes - the state parameter is passed back if included in the initial authorization request
What are the key parameters in the authorization code request call of a web server flow?
client_id
What is the HTTP operation to request an access token in the web server flow?
POST to services/oauth2/token
What is the grant type to request an access token in the web server flow?
grant_type=authorization_code
What are the key parameters in the access token request call of a web server flow?
code, client_id, client_secret
When should you use the User-Agent flow?
You have a client side mobile/browser application that cannot secure the client secret
What is the response type in the authorization code request call of a web server flow?
code
What is the response type in the authorization code request call of a user agent flow?
token or token id_token
What are the key parameters in the authorization code request call of a user agent flow?
client_id
Can the user agent flow issue a refresh token?
Yes
What are some of the characteristics of the JWT Bearer token flow?
- Used for Server to Server calls
- Does not issue a Refresh token
- Does not pass the client secret
- Can’t specify scopes
How are scopes handled with JWT Bearer token flow?
- All users may self-authorize: scopes are derived from prior approvals
- Admin approved users are pre-authorized: scopes linked to connected app are returned with access token
- Allowlist connected apps in org: scopes linked to connected app are returned with access token
How do you construct a JWT token?
1. Base64URLEncode(JWT Header) + “.” + Base64URLEncode(JWT Claims)
2. Sign (1) with SHA256 with RSA
3. Chain (1) + “.” + (2)
What is the HTTP operation to request an access token in the JWT Bearer flow?
POST to services/oauth2/token
What is the grant type in JWT Bearer flow?
jwt-bearer
What is the token type set to when SF returns the access token in the JWT Bearer flow?
Bearer
What is the header set to when accessing protected data in the JWT Bearer flow?
Authorization: Bearer
When should you use the Device Authentication flow?
When you want to allow access to Salesforce for an application that runs on a device with limited input capabilities
What is the HTTP Operation for a device requesting authorization in the Device Authentication flow?
HTTP POST to /services/oauth2/token
What is the response type sent to Salesforce in the authorization call in a Device Authentication flow?
response_type=device_code
Do we need client secret in the Device Authentication flow?
No, only client_id is required
What does SF return after the initial authorization call in the Device Authentication flow?
device_code, user_code, verification_uri, interval
Describe the sequence of activities in the Device Authentication flow?
- Device requests authorization
- SF returns a verification code as well as the verification URL
- Client app on device instructs user to visit verification URL on computer or mobile and enter verification code
- In the meantime, the app is polling the token endpoint to check if the user has logged in and the access token is available
- If the user logs in and grants access, SF posts the access token
Describe some of the common scopes in use in OAuth?
- api (access and manage data)
- custom_permissions
- id (synonymous with profile, email, address, phone)
- openid
- full
- refresh_token
- web
When would you need to use custom scopes?
If the protected resource is external, e.g. SF is the authorization service but the actual resource is order information from the ERP
What are tokens used for?
Authorise access to protected resources
Describe the authorization code?
Short lived token that can be used to get an access token or optionally a refresh token
Describe the access token?
Has a longer lifetime than authorization code, usually minutes or hours.
On expiry, client must get a new one using either refresh token or a new authorization flow
Describe the refresh token?
Can be used repeatedly to get new access tokens
Describe the ID token?
Signed data structure that contains authenticated user attributes
When can you request the ID token?
In the User Agent and Web Server flows
How is the ID token requested in the Web Server flow?
response_type: code
scope: openid
How is the ID token requested in the User Agent flow?
response_type: token id_token
scope: openid
nonce
What are the 3 ways to revoke a token?
- POST to /services/oauth2/revoke
- GET on https://login.salesforce.com/services/oauth2/revoke?token=currenttokenID
- JSONP
What is token introspection?
Allows OAuth connected apps to check the state of an access or refresh token
What are the 2 ways of sending client ID and secret for a token introspection call?
In the header or body
What is the HTTP operation for a token introspection?
HTTP POST to /services/oauth2/introspect