OAuth 2.0 Flashcards

https://help.salesforce.com/articleView?id=remoteaccess_authenticate.htm&type=0

1
Q

What is OAuth?

A

OAuth (Open Authorization) is an open protocol that provides secure API authorization from applications in a simple and standardized way.

2
Q

Why is OAuth used?

A

OAuth can authorize access to resources without revealing user credentials to apps.

3
Q

What is the benefit of using OAuth with Salesforce?

A

Apps that use OAuth can also directly authenticate and access Salesforce resources without a user’s presence.

4
Q

To manage, create, edit, and delete OAuth apps:

A

Manage Connected Apps

5
Q

What Salesforce features use OAuth and why?

A

APIs, such as the Salesforce REST and SOAP web service APIs or the Chatter REST API, can use OAuth 2.0 to authorize access to Salesforce resources.

6
Q

How does OAuth work within Salesforce?

A

OAuth gives a client application restricted access to your data on a resource server. To allow access, an authorization server grants tokens to the client app in response to an authorization.

7
Q

What is considered the “Valet Key” in OAuth?

A

OAuth tokens

8
Q

What is an OAuth Authorization Code?

A

The authorization server creates this short-lived token and passes it to the client application via the browser. The client application sends the authorization code to the authorization server to obtain an access token and, optionally, a refresh token.

9
Q

What is an OAuth Initial Access token?

A

After configuring an OAuth 2.0 connected app, generate an initial access token. Salesforce requires this token to authenticate the dynamic client registration request.

10
Q

What is an OAuth Access Token?

A

The client uses an access token to make authenticated requests on behalf of the end user.

11
Q

How is an OAuth Refresh Token used?

A

The client application can store a refresh token, using it to periodically obtain fresh access tokens.

Like a password, a refresh token can be used repeatedly to gain access to the resource server.

12
Q

What is an OAuth ID Token?

A

OpenID Connect, an authentication layer on top of OAuth 2.0, defines an ID token as a signed data structure. The data structure contains authenticated user attributes, including a unique identifier for the user. It also contains the time when the token was issued, and an identifier for the requesting client. An ID token is encoded as a JSON web token (JWT).

13
Q

How do the Access Token and the Initial Authorization Token differ?

A

The Access Token has a longer lifetime than the authorization code, usually minutes or hours.

14
Q

In Salesforce Terms, what is the Access Token?

A

In Salesforce terms, the access token is a session ID (SID), much like a session cookie on other systems.

15
Q

How is the Access Token protected?

A

by Transport Layer Security (SSL)

16
Q

What is the lifetime of a Refresh Token?

A

A refresh token can have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked.

17
Q

What considerations does the client need to care for with respect to the Refresh Token?

A

Because a refresh token can expire or a user can revoke it outside of the client, the client must handle failures to obtain an access token. Typically, the client replays the protocol from the start.

18
Q

What are the 8 OAuth flows supported by Salesforce?

A
Web Server Flow
User-Agent Flow
JWT Bearer Token Flow
Device AuthN Flow
Asset Token Flow
SAML Bearer Assertion Flow
SAML Assertion Flow
Username and Password Flow
19
Q

Describe the Username and Password Flow

A

Use it only for testing, when a user is not present at app startup, or with highly privileged apps. In these cases, set user permissions to minimize access and protect stored credentials from unauthorized access.

20
Q

Describe SAML Assertion Flow

A

This flow is an alternative for orgs that are using SAML to access Salesforce and want to access the web services API in the same way.

21
Q

Describe SAML Bearer Assertion Flow

A

An app can reuse an existing authorization by supplying a signed SAML 2.0 assertion, as specified in the SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants. A digital signature applied to the SAML assertion authenticates the authorized app.

22
Q

Describe Asset Token Flow

A

This flow combines issuing and registering asset tokens for efficient token exchange and automatic linking of devices to service cloud asset data.

23
Q

Describe Device Authentication Flow

A

Users can connect these applications to Salesforce by accessing a browser on a device with more advanced input capabilities, such as a desktop or mobile device.

24
Q

Describe JWT Bearer Token Flow

A

This flow uses a certificate to sign the JWT request and doesn’t require explicit user interaction.

25
Q

Describe User-Agent Flow

A

Users can authorize a desktop or mobile application to access data using an external or embedded browser (or user agent) for authentication.

26
Q

Describe Web Server Flow

A

Apps hosted on a secure server use the web server authentication flow.

27
Q

What is the critical aspect of the Web Server Flow?

A

A critical aspect of the web server flow is that the server must be able to protect the client secret.

28
Q

What is the main use case of JWT Bearer Token Flow?

A

server-to-server API integration.

29
Q

What is the main use case of the Device Authentication Flow?

A

Command-line apps or applications that run on devices with limited input and display capabilities, such as TVs, appliances, and other IoT devices, can use this flow.

30
Q

What is the main use case of the Asset Token Flow?

A

Client applications use this flow to request an asset token from Salesforce for connected devices. An OAuth access token and an actor token are exchanged for an asset token.

31
Q

What are the main use cases for Username and Password Flow?

A

Because the username and password flow passes credentials back and forth, avoid using this flow. Use it only for testing, when a user is not present at app startup, or with highly privileged apps.

32
Q

How do the Web Server and User-Agent Flows renew access tokens?

A

OAuth 2.0 Refresh Token Flow

33
Q

How do the Web Server and Username and Password flows differ from the other flows?

A

Web Server: Client must store the client secret securely.

Username/Password: Transmits credentials (thus: avoid using).

All other flows: free the application from having to manage, store and protect credentials.

34
Q

When a client app makes a successful authorization request, what’s returned to the client?

A

an identity URL along with the access token

35
Q

The identity URL is:

A

a RESTful API that can be used to query user information (username, email address and Org ID).

36
Q

What is the difference between Authentication and Authorization?

A

Authentication seeks to determine who you are.

Authorization seeks to determine what you can do.

37
Q

What is a precondition for OAuth authorization?

A

Authentication

38
Q

What actors are found within all OAuth-based interactions?

A
  1. OAuth Provider (also known as OAuth server or authorization server)
  2. Resource Provider (usually a set of web APIs)
  3. Resource Owner (also known as user)
  4. Client (usually a cloud app or mobile app)