OAuth 2.0

Question 1

What is OAuth?

Answer 1

OAuth (Open Authorization) is an open protocol that provides secure API authorization from applications in a simple and standardized way.

Question 2

Why is OAuth used?

Answer 2

OAuth can authorize access to resources without revealing user credentials to apps.

Question 3

What is the benefit of using OAuth with Salesforce?

Answer 3

Apps that use OAuth can also directly authenticate and access Salesforce resources without a user’s presence.

Question 4

To manage, create, edit, and delete OAuth apps:

Answer 4

Manage Connected Apps

Question 5

What Salesforce features use OAuth and why?

Answer 5

APIs, such as the Salesforce REST and SOAP web service APIs or the Chatter REST API, can use OAuth 2.0 to authorize access to Salesforce resources.

Question 6

How does OAuth work within Salesforce?

Answer 6

OAuth gives a client application restricted access to your data on a resource server. To allow access, an authorization server grants tokens to the client app in response to an authorization.

Question 7

What is considered the “Valet Key” in OAuth?

Answer 7

OAuth tokens

Question 8

What is an OAuth Authorization Code?

Answer 8

The authorization server creates this short-lived token and passes it to the client application via the browser. The client application sends the authorization code to the authorization server to obtain an access token and, optionally, a refresh token.

Question 9

What is an OAuth Initial Access token?

Answer 9

After configuring an OAuth 2.0 connected app, generate an initial access token. Salesforce requires this token to authenticate the dynamic client registration request

Question 10

What is an OAuth Access Token?

Answer 10

The client uses an access token to make authenticated requests on behalf of the end user.

Question 11

How an OAuth Refresh Token used?

Answer 11

The client application can store a refresh token, using it to periodically obtain fresh access tokens.

Like a password, a refresh token can be used repeatedly to gain access to the resource server

Question 12

What is an OAuth ID Token?

Answer 12

OpenID Connect, an authentication layer on top of OAuth 2.0, defines an ID token as a signed data structure. The data structure contains authenticated user attributes, including a unique identifier for the user. It also contains the time when the token was issued, and an identifier for the requesting client. An ID token is encoded as a JSON web token (JWT).

Question 13

How does the Access Token and the Initial Authorization Token differ?

Answer 13

The Access Token has a longer lifetime than the authorization code, usually minutes or hours.

Question 14

In Salesforce Terms, what is the Access Token?

Answer 14

In Salesforce terms, the access token is a session ID (SID), much like a session cookie on other systems.

Question 15

How is the Access Token protected?

Answer 15

by Transport Layer Security (SSL)

Question 16

What is the lifetime of a Refresh Token?

Answer 16

A refresh token can have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked.

Question 17

What considerations does the client need to care for with respect to the Refresh Token?

Answer 17

Because a refresh token can expire or a user can revoke it outside of the client, the client must handle failures to obtain an access token. Typically, the client replays the protocol from the start.

Question 18

What are the 8 OAuth flows supported by Salesforce?

Answer 18

Web Server Flow
User-Agent Flow
JWT Bearer Token Flow
Device AuthN Flow
Asset Token Flow
SAML Bearer Assertion Flow
SAML Assertion Flow
Username and Password Flow

Question 19

Describe the Username and Password Flow

Answer 19

Use it only for testing, when a user is not present at app startup, or with highly privileged apps. In these cases, set user permissions to minimize access and protect stored credentials from unauthorized access.

Question 20

Describe SAML Assertion Flow

Answer 20

This flow is an alternative for orgs that are using SAML to access Salesforce and want to access the web services API in the same way.

Question 21

Describe SAML Bearer Assertion Flow

Answer 21

An app can reuse an existing authorization by supplying a signed SAML 2.0 assertion, as specified in the SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants. A digital signature applied to the SAML assertion authenticates the authorized app.

Question 22

Describe Asset Token Flow

Answer 22

This flow combines issuing and registering asset tokens for efficient token exchange and automatic linking of devices to service cloud asset data.

Question 23

Describe Device Authentication Flow

Answer 23

Users can connect these applications to Salesforce by accessing a browser on a device with more advanced input capabilities, such as a desktop or mobile device.

Question 24

Describe JWT Bearer Token Flow

Answer 24

This flow uses a certificate to sign the JWT request and doesn’t require explicit user interaction.

Question 25

Describe User-Agent Flow

Answer 25

Users can authorize a desktop or mobile application to access data using an external or embedded browser (or user agent) for authentication.

Question 26

Describe Web Server Flow

Answer 26

Apps hosted on a secure server use the web server authentication flow.

Question 27

What is the critical Aspect of the Web Server Flow?

Answer 27

A critical aspect of the web server flow is that the server must be able to protect the client secret.

Question 28

What is the main use case of JWT Bearer Token Flow?

Answer 28

server-to-server API integration.

Question 29

What is the main use case of the Device Authentication Flow?

Answer 29

Command-line apps or applications that run on devices with limited input and display capabilities, such as TVs, appliances, and other IoT devices, can use this flow.

Question 30

What is the main use case of the Asset Token Flow?

Answer 30

Client applications use this flow to request an asset token from Salesforce for connected devices. An OAuth access token and an actor token are exchanged for an asset token.

Question 31

What are the main use cases for Username and Password Flow?

Answer 31

Because the username and password flow passes credentials back and forth, avoid using this flow. Use it only for testing, when a user is not present at app startup, or with highly privileged apps.

Question 32

How does the Web Server and User Agent Flows renew access tokens?

Answer 32

OAuth 2.0 Refresh Token Flow

Question 33

How do Web Server, Username & Password flows differ from other flows?

Answer 33

Web Server: Client must store the client secret securely.

Username/Password: Transmits credentials (thus: avoid using).

All other flows: free the application from having to manage, store and protect credentials.

Question 34

When a client app makes a successful authorization request, what’s returned to the client?

Answer 34

an identity URL along with the access token

Question 35

The identity URL is:

Answer 35

a RESTful API that can be used to query user information (username, email address and Org ID).

Question 36

What is the difference between Authentication and Authorization?

Answer 36

Authentication seeks to determine who you are.

Authorization seeks to determine what you can do.

Question 37

What is a precondition for OAuth authorization?

Answer 37

Authentication

Question 38

What actors are found within all OAuth-based interactions?

Answer 38

1. OAuth Provider (also known as OAuth server or authorization server)
2. Resource Provider (usually a set of web APIs)
3. Resource Owner (also known as user)
4. Client (usually a cloud app or mobile app)