OpenID Connect/Social Sign On/Authentication Provider Flashcards
Describe the OpenID Connect (authorization code) flow.
- The user requests a service from a client application (the relying party)
- The client app redirects the user's browser to the Authorization Server's authorize endpoint, with the scope, redirect_uri, state and nonce parameters
- The user authenticates and authorizes the client
- The Authorization Server redirects the browser back to the client's callback URL with an authorization code (and the state)
- The client app posts the authorization code, together with its own client credentials, to the token endpoint
- The Authorization Server returns an access token and an id_token (and, if the refresh_token scope was granted, a refresh token)
- The id_token is a signed JWT carrying the user's identity claims (iss, sub, aud, exp, nonce); the client validates it rather than trusting it blindly. The access token, not the id_token, is what the client presents to the UserInfo endpoint for further profile data
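The relying-party half of that flow, as an added example that is not part of the original flashcards or of Salesforce's own code: it builds the authorize redirect and the token request, then performs the checks a client must do on the returned id_token. The endpoint paths, client ID, redirect URI and user ID are assumptions. The token is constructed with an HS256 shared key so the example runs offline; a real Salesforce id_token is RS256-signed and must be verified against the provider's published JWKS instead.

```python
"""Relying-party side of the OIDC authorization code flow (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://login.salesforce.com"                # assumed issuer
CLIENT_ID = "example-consumer-key"                     # hypothetical connected app key
REDIRECT_URI = "https://rp.example/oauth/callback"     # hypothetical callback URL
DEMO_KEY = b"demo-shared-secret"  # demo only; real id_tokens are RS256, keys come from the JWKS


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(client_id, redirect_uri, state, nonce, scope="openid profile email"):
    # Step 2: the redirect to the authorize endpoint. 'openid' must be in scope or no id_token
    # comes back; state binds the response to this browser session, nonce binds the id_token
    # to this particular request.
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    return f"{ISSUER}/services/oauth2/authorize?{urlencode(params)}"


def build_token_request(code, client_id, client_secret, redirect_uri):
    # Step 5: form body the client POSTs (server to server) to the token endpoint.
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}


def make_id_token(claims, key):
    # Constructed stand-in for the provider's id_token (HS256 so the demo runs offline).
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token, key, issuer, client_id, expected_nonce, now=None, leeway=60):
    """Step 7: checks a relying party must do before trusting the identity claims.
    Returns the claims, or raises ValueError with the reason for rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # reject 'none' and any algorithm you did not expect
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def rejection_reason(*args, **kwargs):
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def demo():
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(CLIENT_ID, REDIRECT_URI, state, nonce)
    now = int(time.time())
    # Constructed id_token as the provider would issue it after steps 3 to 6.
    token = make_id_token({"iss": ISSUER, "sub": "005xx0000012345AAA", "aud": CLIENT_ID,
                           "exp": now + 300, "iat": now, "nonce": nonce}, DEMO_KEY)
    return url, validate_id_token(token, DEMO_KEY, ISSUER, CLIENT_ID, nonce, now=now)


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the algorithm and signature are verified before any claim is read, so an attacker-supplied body is never parsed as trusted data, and the nonce comparison is what stops a captured id_token from being replayed into a different login session.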
What is a prerequisite for an OpenID Connect flow?
The openid scope must be requested (and enabled on the connected app); without it the authorization server issues only an access token and no id_token.
What is the name of the parameter you receive in an OpenID Connect flow that describes the authenticated user's identity?
id_token (a signed JWT carrying claims such as iss, sub, aud, exp and nonce)
When would you use Dynamic Client Registration?
When an API gateway registers its OAuth client apps with Salesforce dynamically (Salesforce acts as the client management provider for the gateway), instead of an admin creating each connected app by hand
What setting do you use when setting up the Connected App for the API Gateway in a Dynamic Client Registration scenario?
Initial Access Token for Dynamic Client Registration section → Generate
What endpoint can the API Gateway use to check the validity of an access token before using it?
The token introspection endpoint, usually at https://hostname/services/oauth2/introspect. The gateway posts the token together with its own connected app's client credentials and receives active (true/false) and, for an active token, its scope, client_id and expiry.
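How an API gateway would use that endpoint, as an added example that is not part of the original flashcards or of Salesforce's code. The request follows the RFC 7662 shape with the gateway's client credentials in the form body (an assumption about the credential form the endpoint expects; the hostname, key and secret are placeholders). The live call is shown but not executed; the gateway's decision policy runs against constructed responses so the example works offline.

```python
"""API-gateway side token introspection against Salesforce (added example)."""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

INTROSPECT_URL = "https://hostname/services/oauth2/introspect"   # as on the card; replace hostname
GATEWAY_CLIENT_ID = "gateway-consumer-key"          # hypothetical connected app credentials
GATEWAY_CLIENT_SECRET = "gateway-consumer-secret"


def build_introspect_request(token, client_id, client_secret, url=INTROSPECT_URL):
    # The introspecting client identifies itself with its own consumer key/secret in the
    # form body; the token under test is the payload, not a bearer credential for this call.
    body = urlencode({"token": token, "token_type_hint": "access_token",
                      "client_id": client_id, "client_secret": client_secret}).encode()
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})


def introspect(token, client_id=GATEWAY_CLIENT_ID, client_secret=GATEWAY_CLIENT_SECRET, timeout=5):
    # Live call (not exercised offline); returns the parsed JSON response.
    with urlopen(build_introspect_request(token, client_id, client_secret), timeout=timeout) as resp:
        return json.load(resp)


def authorize_request(introspection, required_scope, expected_client_id=None, now=None, leeway=30):
    """Gateway policy over an introspection response. Returns (allowed, reason_or_subject)."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:   # revoked, expired or unknown: only 'active' is returned
        return False, "token inactive"
    exp = introspection.get("exp")
    if exp is not None and exp + leeway < now:     # defence in depth; active should already be false
        return False, "token expired"
    granted = set(str(introspection.get("scope", "")).split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    if expected_client_id is not None and introspection.get("client_id") != expected_client_id:
        return False, "token was issued to a different client app"
    return True, introspection.get("username") or introspection.get("sub") or "unknown subject"


# Constructed responses in the RFC 7662 shape for the offline run.
NOW = 1700000000
ACTIVE_RESPONSE = {"active": True, "scope": "id api openid", "client_id": "mobile-app-key",
                   "username": "jdoe@example.com", "token_type": "access_token",
                   "exp": NOW + 600, "iat": NOW - 600}
REVOKED_RESPONSE = {"active": False}


def demo():
    return [authorize_request(ACTIVE_RESPONSE, "api", "mobile-app-key", now=NOW),
            authorize_request(ACTIVE_RESPONSE, "web", now=NOW),
            authorize_request(REVOKED_RESPONSE, "api", now=NOW)]


if __name__ == "__main__":
    print(demo())
```

Introspecting on every request costs a round trip to Salesforce; if the gateway caches results, cap the cache at the token's remaining lifetime and accept that a revocation is only seen once the cached entry expires. Checking the scope and client_id, not just active, is what prevents a token minted for one app from being replayed against an API it was never granted.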
What is the terminology used for Authentication Providers / OpenID Connect?
- Relying party (RP) / Client - the party requesting authentication
- Authorization Server / OpenID Provider (OP) / Third party - the authentication provider
What capability does an External Authentication Provider provide?
An external authentication provider lets users log in to Salesforce with their credentials from a third-party service.
It provides both SSO and OAuth-based API access to Salesforce.
What are the 4 types of Authentication Providers that are supported on Salesforce?
- Salesforce-managed authentication providers
- Your own registered app with one of those same providers (e.g. your own Facebook app, supplying its consumer key and secret)
- Other authentication providers that support OpenID Connect
- Other authentication providers that don't support OpenID Connect but use OAuth - implemented with the Auth.AuthProviderPluginClass abstract class
What are the fields that need to be left empty if using the Salesforce Managed Authentication Providers?
- Consumer Key
- Consumer Secret
- Authorize Endpoint URL
- Token Endpoint URL
- User Info Endpoint URL
What does the registration handler class do in the Authentication Provider setup?
It implements the Auth.RegistrationHandler interface:
- createUser - creates the Salesforce user the first time the external user signs in
- updateUser - updates that user on subsequent sign-ins
What is the URL you get when you have configured an Authentication Provider to test the connection?
Test-Only Initialization URL.
It redirects you to the authentication provider and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.
What are the Salesforce-managed Authentication Providers?
Apple, Facebook, Google, Janrain, LinkedIn, Microsoft, Twitter
What are the URL’s that are generated once an Authentication Provider has been created?
- Test-Only Initialization URL
- Single Sign-On Initialization URL
- Existing User Linking URL
- OAuth-Only Initialization URL
- Callback URL
What are some of the request parameters that are available when setting up Authentication Providers?
- provAuthorizeEndpointHost
- community
- expid
- prompt
- scope
- site