SF as IDP Flashcards

1
Q

OAuth 2.0 Device Flow

A

Workflow:
1. The device displays a code and a URL for the user to access on another device (e.g., browser on a smartphone).
2. The user opens the URL, enters the code, and logs in with Salesforce credentials.
3. The device continuously polls Salesforce to check if authorization has been granted.
4. Once the user successfully logs in, the device receives an access token to interact with Salesforce.

Use Cases:
Devices with limited or no input capabilities, such as fitness bands, smart TVs, and IoT appliances needing user login via a secondary device.

2
Q

OAuth 2.0 Asset Token Flow

A

Workflow:
1. The device first obtains an access token using a standard OAuth flow.
2. The device creates an actor token by generating a signed JWT with device-specific metadata.
3. The device sends a request to Salesforce to exchange the access token and actor token for an asset token.
4. Salesforce issues an asset token, which the device uses for secure communication with Salesforce APIs.

Use Cases:
Devices that need direct linking to Salesforce CRM data, such as smart appliances with IoT integration or devices tied to customer-owned Salesforce assets.

3
Q

OpenID Connect Token Introspection

A

Endpoint:
https://<your_instance>.salesforce.com/services/oauth2/introspect

Purpose: Used to validate the state of an OAuth 2.0 token (access or refresh).

Information Retrieved:
- Whether the token is active.
- Token metadata (e.g., expiration, scopes, associated user).

4
Q

Standard Scopes in OAuth 2.0

A

1. api: Grants access to Salesforce APIs.
2. refresh_token: Allows obtaining a new access token without re-authenticating the user.
3. openid: Used for OpenID Connect to retrieve the user’s identity information.
4. id: Grants access to basic information about the user, such as their ID.
5. web: Enables interaction with the Salesforce web interface.
5
Q

Custom Scopes in OAuth 2.0

A

Custom scopes are created to define permissions for connected apps to access resources hosted by external systems. These scopes describe:

1. Which external system resources the connected app is authorized to access.
2. Specific access control requirements for external integrations.

Example: A Supply Chain Management (SCM) app uses custom scopes to define access to inventory data.

6
Q

OAuth 2.0 User-Agent Flow

A

The User-Agent Flow does not use the Client Secret for security reasons because the client application (like a mobile or web app) runs on the user’s device and the secret would be exposed.

Instead, it uses:
1. Refresh Token: To obtain new access tokens without re-authenticating the user.
2. Authorization Code: To ensure secure access delegation.
7
Q

Describe the use of the client secret in Salesforce OAuth flows (User Agent, Web Server, and PKCE).

A

User Agent Flow (Implicit Grant):
Client secret is not used because the flow is for public clients where secrets can’t be securely stored. Refresh tokens can be issued if enabled.

Web Server Flow (Authorization Code Flow):
Client secret is required during the token exchange to ensure that only authorized clients can exchange the authorization code for tokens. Designed for private, server-based clients.

Web Server Flow with PKCE:
Client secret is optional. PKCE can replace the need for a secret when used by public clients (e.g., mobile apps, SPAs). If a secret is available (e.g., in private server setups), it adds an extra layer of security.
