Salesforce as an Identity Provider (23%) Flashcards
What are the 5 OAuth token types?
- Authorization code
- Initial access token
- Access token
- Refresh token
- ID token
Select which token type the description is for:
The authorization server creates this short-lived token and passes it to the client application via the browser. The client application then sends this token to the authorization server.
A) Authorization code
B) Initial access token
C) Access token
D) Refresh token
E) ID token
A) Authorization code
Select which token type the description is for:
This token is generated after configuring an OAuth 2.0 connected app. Salesforce requires this token to authenticate the dynamic client registration request.
A) Authorization code
B) Initial access token
C) Access token
D) Refresh token
E) ID token
B) Initial access token
Select which token type the description is for:
The client uses this token to make authenticated requests on behalf of the end user. It has a longer lifetime (usually minutes or hours). When it expires, attempts to use it fail and the app must obtain a new token.
A) Authorization code
B) Initial access token
C) Access token
D) Refresh token
E) ID token
C) Access token
Select which token type the description is for:
This token can have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked. The client application can store the token. For this reason, the app must protect this token against unauthorized access.
A) Authorization code
B) Initial access token
C) Access token
D) Refresh token
E) ID token
D) Refresh token
Select which token type the description is for:
OpenID Connect, an authentication layer on top of OAuth 2.0, defines this token as a signed data structure. The data structure contains authenticated user attributes, including a unique identifier for the user. It also contains the time when the token was issued, and an identifier for the requesting client. This token is encoded as a JSON web token (JWT).
A) Authorization code
B) Initial access token
C) Access token
D) Refresh token
E) ID token
E) ID token
Name the 8 Authentication Flows
- Web Server
- User-Agent
- JWT Bearer Token Flow
- Device Authentication Flow
- Asset Token Flow
- SAML Bearer Assertion Flow
- SAML Assertion Flow
- Username and Password
Which authentication flow should be used for the following use case?
Apps hosted on a secure server. A critical aspect of this flow is the protection of the client secret. It uses the OAuth 2.0 authorization code grant type.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
A) Web Server
Which authentication flow should be used for the following use case?
Users can authorize a desktop or mobile application to access data using an external or embedded browser for authentication. These apps often use a scripting language, such as JavaScript, running within the browser. This flow uses the OAuth 2.0 implicit grant type.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
B) User-Agent
Which authentication flow should be used for the following use case?
Server-to-server API integration. The flow uses a certificate to sign the request and doesn’t require explicit user interaction.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
C) JWT Bearer Token Flow
Which authentication flow should be used for the following use case?
Command-line apps or applications that run on devices with limited input and display capabilities, such as TVs, appliances, and other IoT devices, can use this flow.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
D) Device Authentication Flow
Which authentication flow should be used for the following use case?
Client applications use this flow to request a token from Salesforce for connected devices.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
E) Asset Token Flow
Which authentication flow should be used for the following use case?
An app can reuse an existing authorization.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
F) SAML Bearer Assertion Flow
Which authentication flow should be used for the following use case?
An alternate flow for orgs that access Salesforce in a specific way and also want to access the web services API in the same way.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
G) SAML Assertion Flow
Which authentication flow should be used for the following use case?
Used primarily for testing when a user is not present at app startup, or with highly privileged apps.
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
H) Username and Password
H) Username and Password
What is the Identity URL?
It is a RESTful API that you can use to query user information, including the username, email address, and org ID. It also returns endpoints that the client can talk to, such as photos for profiles and accessible API endpoints.
The URL is returned in the id scope parameter.
Which flow does not require a connected app to be created?
A) Web Server
B) User-Agent
C) JWT Bearer Token Flow
D) Device Authentication Flow
E) Asset Token Flow
F) SAML Bearer Assertion Flow
G) SAML Assertion Flow
G) SAML Assertion Flow
What are the 7 steps for the OAuth 1.0.A Authentication Flow?
- The consumer requests an access token. Salesforce verifies the request and returns a request token.
- The consumer redirects the user to Salesforce, where the user is prompted to log in.
- Salesforce authorizes the user.
- After the user is authorized, the consumer requests an access token.
- Salesforce verifies the request and grants the token.
- After the token is granted, the consumer accesses the data either through the app or through the Lightning Platform Web Services API.
- Salesforce verifies the request and allows access to the data.
What are the 6 steps for the OAuth 2.0 SAML Bearer Assertion Flow?
- The developer creates a connected app and registers an X509 Certificate. This certificate corresponds to the private key of the app. When the connected app is saved, a consumer key (OAuth client_id) is generated and assigned to the app.
- The developer writes an app that generates a SAML assertion and signs it with the private key.
- The SAML Bearer assertion is posted to the token endpoint https://login.salesforce.com/services/oauth2/token, https://test.salesforce.com/services/oauth2/token, or https://your_community_URL/services/oauth2/token (if implementing for a community).
- The token endpoint validates the signature using the certificate registered by the developer.
- The token endpoint validates the audience, issuer, subject, and validity of the assertion.
- Assuming that the assertion is valid and that the user or admin authorized the app previously, Salesforce issues an access token.
What are the 6 general steps for the OAuth 2.0 JWT bearer token flow?
- The developer creates a connected app or uses an existing one, and registers an X509 Certificate for the app. The certificate corresponds to the private key of the app. When the connected app is saved, the consumer key (OAuth client_id) and consumer secret are generated and assigned to the app.
- The developer writes an app that generates a JWT. The JWT is signed with the X509 Certificate’s private key, and the connected app uses the certificate to verify the signature.
- The JWT is posted to the token endpoint, https://login.salesforce.com/services/oauth2/token, or if implementing for a community, https://community.force.com/customers/services/oauth2/token.
- The token endpoint validates the signature using the certificate registered by the developer.
- The token endpoint validates the JWT’s audience (aud), issuer (iss), validity (exp), and subject (sub).
- Assuming that the JWT is valid and that the user or admin authorized the app previously, Salesforce issues an access token.
What are the two steps for the refresh token authentication flow?
- The consumer uses the existing refresh token to request a new access token.
- After the request is verified, Salesforce sends a response to the client.
What are the 5 steps for the OAuth 2.0 Web Server Authentication Flow?
- The web server redirects the user to Salesforce, which authenticates and authorizes the server to access the data on the user’s behalf.
- After the user approves access, the web server receives a callback with an authorization code.
- The web server passes back the authorization code to get a token response.
- After validating the authorization code, Salesforce passes back a token response. If there’s no error, the token response includes an access code and additional information.
- After the token is granted, the web server accesses the user’s data.
What are the two steps for the OAuth 2.0 Username-Password Flow (and what are two important facts you need to know about this flow)?
- The consumer uses the user’s username and password to request an access token (session ID).
- After the request is verified, Salesforce sends a response to the client.
Facts:
- This OAuth authentication flow passes the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token is issued.
- Salesforce communities don’t support the OAuth 2.0 username-password authentication flow.
In the OAuth 2.0 User-Agent Flow the access token is encoded into the redirection URL, so it can be exposed to the user and other apps residing on the device. If you’re using JavaScript to authenticate, what should you call to remove the callback from the browser’s history?
window.location.replace();
What are the 3 steps in the OAuth 2.0 User-Agent Flow?
- The client app directs the user to Salesforce to authenticate and authorize the app.
- The user approves access for this authentication flow.
- The app receives the callback from Salesforce.
What are the 7 steps in the OAuth 2.0 Device Authentication Flow?
- The device requests authorization from Salesforce.
- Salesforce verifies the request and returns the following: human-readable user code, verification URL, device code, and minimum polling interval (in seconds).
- The device displays the user code and instructs the user to enter it at the specified verification URL.
- On a separate device that has more developed input capabilities, such as a desktop computer or smartphone, the user opens a browser.
- The user navigates to the verification URL and is prompted to enter the user code.
- If the code is valid, the user is prompted to log in if not already logged in.
- After successful login, the user is prompted to allow the device to access Salesforce data.
- After displaying the user code and verification URL, the device starts polling the token endpoint for authorization. Polling frequency can’t exceed the minimum polling interval. The device continues polling until the user has allowed (or been denied) access, or until the user code has expired.
- If allowed, the authorization server returns to the device an access token, a refresh token if requested, and other information.
- After the access token is granted, the device can use it in API requests to access data on the user’s behalf. The device uses a refresh token to get a new access token if the access token becomes invalid.
What are the 5 general OAuth 2.0 Asset Token Flow steps?
- Create a new connected app or use an existing one that has asset tokens enabled and required settings configured.
- Get an access token so that you can request an asset token.
- Create your asset token request.
- Create your actor token payload JWT.
- Understand how Salesforce attempts to register a new or existing Asset using information from the actor token.
- Create your actor token JWT.
- Post your asset token request to the token endpoint.
- If the asset token JWT is valid, Salesforce issues your asset token in an access token response and publishes an asset token event.
What are the 4 steps for the OAuth 2.0 SAML Assertion Flow?
- Configure SAML for your org. SAML version 2.0 is required.
- Exchange a SAML assertion for an access token.
- Salesforce sends the response.
- Use a JSON parser to process the response and extract the access_token.