Describe the role(s) Connected Apps play when Salesforce needs to provide identity to a third-party system.

Use Cases

  • Access Data with API Integration
    • To request access, the app must be integrated with the Salesforce API using the OAuth 2.0 protocol.
    • OAuth enables authentication, authorization, and secure data sharing between applications through the exchange of tokens.
    • Developers and ISVs use OAuth authorization flows to integrate their app with Salesforce API.
  • Integrate Service Providers (SP) with Salesforce Org
    • When Salesforce acts as the IdP, a connected app can be used to integrate a service provider with the Salesforce org.
    • Connected app with SAML 2.0 can be used to integrate a Service Provider with Salesforce Org. Salesforce supports SAML SSO when the SP or the IDP initiates the flow.
    • A connected app with OpenID Connect can be used to integrate an SP with the Salesforce org. For this, the SP must accept OpenID Connect tokens.
  • Manage access to Third-Party Apps
    • Admins can set Security policies to control what data a third-party app can access from Org. Admins can also define who can use the third-party app.
    • Admins can select “Admin approved users are pre-authorized” for the connected app and assign specific user profiles to the app.
    • Apart from managing third-party apps, admins can uninstall or block these apps from the Salesforce org.
  • Provide Authorization for External API Gateways
    • Salesforce can act as an independent OAuth authorization server to protect resources hosted on an external API gateway.
    • Using OpenID Connect dynamic client registration, resource servers can dynamically create client apps as connected apps in Salesforce. Salesforce can then authorize these connected apps to access protected resources hosted by the third-party service.

Connected App and OAuth Terminology

  • Access Token
    • Instead of using the user’s Salesforce credentials, a consumer (connected app) can use an access token to gain access to protected resources on behalf of the user.
    • For OAuth 1.0.A, the access token must be exchanged for a session ID.
    • For OAuth 2.0, the access token is a session ID and can be used directly.
  • Authorization Code
    • Only used in OAuth 2.0 with the web server flow, the authorization code is a token that represents the access granted by the end user.
    • The authorization code is used to obtain an access token and a refresh token.
    • It expires after 15 minutes.
    • OAuth 1.0 uses a request token instead.
  • Callback URL – A callback URL is the URL that is invoked after OAuth authentication for the consumer (connected app).
  • Consumer – Website or app that uses OAuth to authenticate both the Salesforce user and itself on the user’s behalf.
  • Consumer Key – A consumer uses a key to identify itself to Salesforce. Referred to as client_id in OAuth 2.0.
  • Consumer Secret – Used to establish ownership of the consumer key. Referred to as client_secret in OAuth 2.0.
  • OAuth Endpoint – URLs that are used to make OAuth authentication requests to Salesforce.
  • Nonce – A random number used during authentication to ensure that requests cannot be reused.
  • OAuth – Open Authentication is a standard, token-based protocol for authentication and authorization
  • Refresh Token
    • Only used in OAuth 2.0.
    • Can be used to request a new access token without requiring the end user to approve access again.
  • Request Token
    • Only used in OAuth 1.0.A.
    • Used by the consumer to obtain authorization from the end user.
    • It is then exchanged for an access token.
  • Token Secret – The consumer uses this secret to establish ownership of a given token, for both request and access tokens.
  • User – An individual with a Salesforce login.
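The web server flow that the terminology above describes (authorization code, callback URL, client_id/client_secret, refresh token) as an added example of the client side; this is illustrative code, not Salesforce's or the original post's, and the login host, client_id, redirect URI and callback values are constructed placeholders:

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Constructed placeholder; a real app uses the org's My Domain login URL.
LOGIN_HOST = "https://login.salesforce.com"


def new_state():
    """Unguessable per-session value so the callback can be tied to the request that started it."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the user's browser is sent to the authorize endpoint asking for an authorization code."""
    params = {
        "response_type": "code",        # web server flow returns a code, not a token, via the browser
        "client_id": client_id,         # consumer key
        "redirect_uri": redirect_uri,   # must exactly match a callback URL registered on the connected app
        "scope": " ".join(scopes),      # e.g. "api refresh_token"; refresh_token scope is needed to get one
        "state": state,
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: Salesforce redirects to the callback URL with ?code=...&state=... (or ?error=...)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in qs:
        raise ValueError(qs.get("error_description", ["no authorization code in callback"])[0])
    return qs["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: form body POSTed server-side to /services/oauth2/token within the code's 15-minute lifetime.
    client_secret is only sent when Require Secret for Web Server Flow is enabled on the connected app."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}


def build_refresh_request(refresh_token, client_id, client_secret):
    """Later: trade the refresh token for a new access token without the user approving again."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}
```

The token endpoint for both requests is `LOGIN_HOST + "/services/oauth2/token"`; the access token in the JSON response is the session ID used on API calls.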

Enable OAuth Settings for API Integration

  • If you’re setting up a connected app for an external application on a device with limited input or display capabilities, such as TVs, appliances, or command-line applications, select Enable for Device Flow.
  • Callback URL
    • Enter the callback URL (endpoint) that Salesforce calls back to your application during OAuth. It’s the same as the OAuth redirect URI.
    • URL is typically the one that a user’s browser is redirected to after successful authentication.
    • As this URL is used by some OAuth flows to pass an access token, it must use secure HTTPS or a custom URI scheme.
    • Separate multiple callback URLs with line breaks. The callback URL field has a limit of 2000 characters, cumulatively.
    • If you enter several URLs and they exceed this limit, create another connected app to manage more callback URLs.
  • For the JWT OAuth flow, select Use Digital Signatures. If the app uses a certificate, select the certificate on your system to upload for the JWT OAuth flow.
  • Select OAuth Scopes to apply to the connected app.
  • Select Require Secret for the Web Server Flow to require the app’s client secret in exchange for an access token.
  • To authorize a single connected app to introspect all access and refresh tokens within the entire org, select Introspect all tokens. By default, all connected apps can introspect their own tokens. In addition, an OAuth client that registers child OAuth 2.0 connected apps through the dynamic client registration endpoint can check the tokens for itself and its child apps.
  • If the OAuth request includes the Allow access to your unique identifier (openid) scope, the returned token can be an ID token.
  • If setting up the app to issue asset tokens, select Enable Asset Tokens.
  • To automatically log users out when they log out of Salesforce, select Enable Single Logout.
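The callback URL rules listed above (HTTPS or a custom scheme, line-break separation, 2000-character cumulative limit) and the exact-match check a token endpoint should apply to redirect_uri, as an added example; this is illustrative code, not Salesforce's, and the sample URLs are constructed. Counting the line-break separators toward the limit is an assumption; the fragment check comes from RFC 6749 §3.1.2.

```python
from urllib.parse import urlparse

CALLBACK_FIELD_LIMIT = 2000  # cumulative limit on the connected app's Callback URL field


def parse_callback_urls(field_text):
    """Split the Callback URL field on line breaks and apply the registration rules."""
    urls = [line.strip() for line in field_text.splitlines() if line.strip()]
    # Assumption: the line breaks separating entries count toward the cumulative limit.
    total = sum(len(u) for u in urls) + max(len(urls) - 1, 0)
    if total > CALLBACK_FIELD_LIMIT:
        raise ValueError(f"callback URLs use {total} characters; field limit is {CALLBACK_FIELD_LIMIT}, "
                         "create another connected app for the rest")
    for u in urls:
        p = urlparse(u)
        if not p.scheme:
            raise ValueError(f"callback has no URI scheme: {u}")
        if p.scheme == "http":  # a plain-HTTP callback would expose codes/tokens in transit
            raise ValueError(f"callback must use HTTPS or a custom URI scheme: {u}")
        if p.scheme == "https" and not p.netloc:
            raise ValueError(f"malformed HTTPS callback: {u}")
        if p.fragment:  # RFC 6749 3.1.2: redirection endpoint must not include a fragment
            raise ValueError(f"callback must not contain a fragment: {u}")
    return urls


def redirect_allowed(registered, requested):
    """Exact string comparison: no prefix, wildcard, or case-insensitive matching.
    Anything looser lets an attacker-controlled redirect_uri receive the authorization code."""
    return requested in registered
```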

OAuth Access Policies

  • From Manage Connected Apps, click the Permitted Users drop-down under OAuth Policies and select one of the following:
    • All users may self-authorize (default)
    • Admin approved users are pre-authorized
  • From Manage Connected Apps, click the IP Relaxation drop-down and select one of the following:
    • Enforce IP restrictions
    • Enforce IP restrictions, but relax for refresh tokens
    • Relax IP restrictions for activated devices
    • Relax IP restrictions
  • Enable Single Logout to automatically log users out of the connected app (SP) when they log out of Salesforce.
  • Refresh Token Policy
    • Refresh token is valid until revoked
    • Immediately expire refresh token
    • Expire refresh token if not used for n
    • Expire refresh token after n
