Join us as we look into OAuth 2.0 to help us study for the Identity and Access Management Designer certification exam. Episode 1 covers the principles of OAuth 2.0

1. STUDY GROUP 1I1:
OAUTH 2.0 (PART 1)
CHARLY PRINSLOO

2. charlyprinsloo charly.prinsloo
Next Planned Cert: Mobile Designer
My deadline for CTA: April 2018
I can help others with:
• Data
• Identity and Access Management
Salesforcing since: 2005
I work for a: Partner
App Architect: Yes
System Architect: Yes
Superbadges: 1
I Love: Solving problems
Charly Prinsloo

3. FEBRUARY CHAMPIONS
Susan Linck
Platform App Builder
Tami Lau
Data Architecture & Management Designer
Application Architect
Charly Prinsloo
Field Service Lightning
Consultant

4. AGENDA
W h e n ?
W h y ?
• Salesforce Flows
• Setting up Oauth 2.0 in salesforce
• How do I choose?
• Know your flows
• Components
• The Roles
• Tokens
• Scopes & Consents
• Flows & Grants
• Where does it fit in?
• Identity Standards & Protocol
• What is Oauth 2.0?
• Why Oauth 2.0?
W h o ?
W h a t ?
Session 2

5. WHERE DOES OAUTH 2.0 FIT IN?
IDENTITY MANAGEMENT
CONCEPTS
34%
ACCEPTING 3RD PARTY
IDENTITY IN SALESFORCE
21%
SALESFORCE AS AN
IDENTITY PROVIDER
18%
ACCESS MANAGEMENT
BEST PRACTICES
12%
SALESFORCE IDENTITY
8%
COMMUNITY (PARTNER
AND CUSTOMER), 7%
IDENTITY AND ACCESS MANAGEMENT
The Salesforce Certified Identity and Access
Management Designer candidate has the
experience, skills, knowledge, and ability to
explain high-level concepts and flows of
OAuth.
Given a scenario, troubleshoot common
points of failure that may be encountered in
a single sign-on solution (SAML, OAuth, etc.).
Given a scenario, determine the most
appropriate flow type to recommend when
implementing an OAuth solution where
Salesforce is providing identity to a 3rd party
(E.g. User Agent, Web Server, JWT, etc.)
Describe the various implementation
concepts of OAuth (E.g. scopes, secrets,
tokens, refresh tokens, token expiration,
token revocation, etc.)
W h a t?

6. IDENTITY STANDARDS AND PROTOCOLS
Hard to believe that you can keep your users’ identities secure when they don’t have to sign
in to external websites or apps? How can so many companies’ products, even competing
products, work together?
The answer: industry standards and protocols for identity and access management. That
might sound intimidating, but it doesn’t have to be. A standard is just a set of widely agreed-
upon practices that industry members follow. A standard can include a protocol that
specifies how systems exchange information.
Here are the three protocols that Salesforce and other identity vendors follow to implement
identity solutions.
• SAML
• OAuth 2.0
• OpenID Connect
W h a t?

7. WHAT IS OAUTH 2.0?
OAuth 2.0 is an open authorization
protocol/framework that enables an application to
obtain secure, limited access and data sharing to a
HTTP service.
Open Authorization
OAuth 2.0 is a complete rewrite of OAuth 1.0 from the ground up, sharing
only overall goals and general user experience. OAuth 2.0 is not
backwards compatible with OAuth 1.0 or 1.1, and should be thought of as
a completely new protocol.
the function of
specifying access rights
to resource
A set of rules
governing the
exchange or
transmission of
data between
devices.
Web, desktop,
mobile
Secure, limited
Http service
OAuth is not an API or a service OAuth 2.0 is not an authentication protocol.
W h a t?

8. WHY OAUTH 2.0
• Before OAuth, sites would prompt you to enter your username and password directly into a
form and they would login to your data (e.g. your Gmail account) as you.  direct
authentication pattern
• Federated identity was created for single sign-on (SSO), and SAML 2.0 was launched in 2005,
and it made sense.
• Single Page Applications (SPAs), mobile phones, TVs, gaming consoles and IoT devices with
AJAX (background HTTP calls) to APIs  delegated authorization framework for REST/APIs
W h a t?

9. OAUTH 2.0 COMPONENTS
• Roles (the Actors)
• Tokens
• Scopes and Consent
• Grants in Flows
H o w ?

10. THE ROLES
a.k.a token issuer (DMV
or Passport Office)
Authorization
Server
Resource Owner
a.k.a the End User/Yourself
Client
a.k.a the
application
• An entity capable of granting access
to a protected resource. When the
resource owner is a person, it is
referred to as an end-user.
• resource owner owns the data in the
resource server.
• Example, I’m the Resource Owner of
my Facebook profile.
• The server hosting the protected resources,
including user accounts,
• Capable of accepting and responding to
protected resource requests using access
tokens.
• Example: Google hosting your profile and
personal information.
• API server
a.k.a. the API server
Resource Server
API
• The application that wants to access
your data or the user's account,
requesting access to a resource server
• An application making protected
resource requests on behalf of the
resource owner and with its
authorization.
• The term "client" does not imply any
particular implementation
characteristics (e.g., whether the
application executes on a server, a
desktop, or other devices).
AUTH
• The main engine of Oauth
• The server issuing access tokens to the client
after successfully authenticating the resource
owner and obtaining authorization.
This token will be used for the client to
request the resource server.
• This server can be the same as the
authorization server (same physical server
and same application), and it is often the
case.
H o w ?

11. TOKENS & ENDPOINTS
• Access Token
• Refresh Token
• The two main endpoints are the authorize endpoint and the token endpoint.
H o w ?
AUTH
authorize
endpoint
token
endpoint
Authorization
Grant
Refresh Token
Access Token
https://login.salesforce.c
om/services/oauth2/auth
orize
https://login.salesforce.c
om/services/oauth2/toke
n

12. SCOPES AND CONSENT
AUTH
=
=
API&
Scopes
to
Allow
Scopes
to Deny
Total Scope
available
from RS
H o w ?

13. GRANTS
• Authorization Code Grant
• Implicit Grant
• Resource Owner Password Credentials Grant
• Client Credentials Grant

14. AUTHORIZATION CODE GRANT
When it should be used?
It should be used as soon as the
client is a web server. It allows
you to obtain a long-lived
access token since it can be
renewed with a refresh token (if
the authorization server enables
it).
What is good about it?
This is the ideal scenario and
the safer one because the
access token is not passed on
the client side

15. IMPLICIT GRANT
When it should be used?
It is typically used when the
client is running in a browser
using a scripting language such
as Javascript. This grant type
does not allow the issuance of a
refresh token.
What is good about it?
Not much… This type of
authorization should only be
used if no other type of
authorization is available. It is
the least secure because the
access token is exposed on the
client side.

16. RESOURCE OWNER PASSWORD CREDENTIALS GRANT
When it should be used?
It is mainly used when the client has
been developed by the same authority
as the authorization server. For
example, a website named
example.com seeking access to
protected resources of its own
subdomain api.example.com. The user
would not be surprised to type his
login/password on the site
example.com since his account was
created on it.

17. CLIENT CREDENTIALS GRANT
When it should be used?
This type of authorization is
used when the client is himself
the resource owner. There is no
authorization to obtain from the
end-user.
What is good about it?
The end-user does not have to
give its authorization for
accessing the resource server.

18. GRANTS AT A GLANCE
Authorization
Grant type
Authorization
Code
The Assertion Framework for OAuth 2.0 Client
Authentication and Authorization Grants
Implicit
Resource Owner
Password Credentials
Client Credentials
Salesforce OAuth
2.0 Flows
Web Server JWT Token
SAML Bearer
Assertion
SAML Assertion User Agent
UserName and
Password
Summary
The gold standard,
most commonly
used -it is
optimized for
server-side
aka 3 Legged
Tokens are sent
directly from the
Authorization
Server to the
Client app,
providing a high
level of security.
JSON Web Token
(JWT) is a JSON-
based security
token encoding
that enables
identity and
security
information to be
shared across
security domains.
A SAML assertion is
an XML security
token issued by an
identity provider and
consumed by a
service provider.
The service provider
relies on its content
to identify the
assertion’s subject
for security-related
purposes.
The SAML assertion
flow is an alternative
for orgs that are
currently using
SAML to access
Salesforce and want
to access the web
services API the
same way.
You don’t have to
create a connected
app to use this
assertion flow.
All communication is
happening through
the browser
The authorization
server returns an
access token.
The access token is
given to the user-
agent to forward to
the application
It is mainly used when
the client has been
developed by the same
authority as the
authorization server.
This type of
authorization is
used when the
client is himself
the resource
owner. There is
no authorization
to obtain from
the end-user.
Refresh Token
Provides a Refresh
Token to get a
new Access token
No
A refresh token is
never issued in this
flow.
A refresh token is
never issued in this
flow.
It typically does not
support refresh
tokens.
A refresh token is never
issued in this flow.
A refresh token is
never issued in
this flow.
Drawbacks
• N/A, It’s the most
secure flow
because you can
authenticate the
client to redeem
the authorization
grant, and tokens
are never passed
through a user-
agent.
Only when SAML
SSO is implemented
You can use the
SAML assertion flow
only inside a single
org.
should only be used
if no other type is
available.
the least secure
the most vulnerable
to security threats.
Use this authentication
flow only when
necessary. No refresh
token is issued.
H o w ?

19. No
SO HOW DO I CHOOSE THE RIGHT GRANT?
Is the Client
the Resource
Owner?
Is the Client a
Web App
executing on
the server?
Ye
s
No
Ye
s
Username
Password Flow
(Client Credentials
Grant)
Web Server
Flow
(Authorization Code
Grant)
Is the Client
absolutely
trusted with
user
credentials?
Ye
s
Username
Password Flow
(Resource Owner
Password Credentials
Grant)
No
Is the Client a
native app or a
SPA?
Nativ
e app
Web Server
Flow
(Authorization Code
Grant)
SPA
User-Agent
Flow
(Implicit Grant)

20. QUESTIONS?

21. RESOURCES
• Read the Oauth specs
• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
• OAuth Site
• https://developers.google.com/oauthplayground/
• Attend the next study group – Oauth 2.0 and Salesforce

22. THANK YOU.
Join our Trailblazer Community group – don’t forget to fill out your personal
profile!
Post your exam successes into the group
If you tweet, use #LadiesBeArchitects & tag @ArchLadies
Run a study group for us
Speak at one of our Inspire meet-ups
Blog / talk about us