CIS14: OAuth and OpenID Connect in Action
Chuck Mortimore, Salesforce.com
Setup and walk-through of live demos, demonstrating interop of various providers and showing real enterprise use-cases.


  1. OAuth & OpenID Connect in Action. Chuck Mortimore, VP, Product Management, Salesforce Identity, @cmort
  2. a quick demo client
  3. the world’s simplest client
  4. 1) Register an App 2) Get your Metadata 3) Create (initialize) your Client 4) Use your Tokens
  5. 1) Register an App
  6. 2) Get your Metadata

       https://login.salesforce.com/.well-known/openid-configuration

  7. 2) Get your Metadata

       {
         "issuer": "https://login.salesforce.com",
         "authorization_endpoint": "https://login.salesforce.com/services/oauth2/authorize",
         "token_endpoint": "https://login.salesforce.com/services/oauth2/token",
         "revocation_endpoint": "https://login.salesforce.com/services/oauth2/revoke",
         "userinfo_endpoint": "https://login.salesforce.com/services/oauth2/userinfo",
         "jwks_uri": "https://login.salesforce.com/id/keys",
         "scopes_supported": ["id", "api", "web", "full", "chatter_api", "visualforce", "refresh_token", "openid"],
         "response_types_supported": ["code", "token", "token id_token"],
         "subject_types_supported": ["public"],
         "id_token_signing_alg_values_supported": ["RS256"],
         "display_values_supported": ["page", "popup", "touch"],
         "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"]
       }

  8. 3) Create your Client

       https://login.salesforce.com/services/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Flocalhost&client_id=…

       curl -H 'Content-Type: application/x-www-form-urlencoded' -d "client_id=...&client_secret=...&redirect_uri=https%3A%2F%2Flocalhost&grant_type=authorization_code&code=..." https://login.salesforce.com/services/oauth2/token

     …and validate your id_token
  9. 4) Use your access_token

       curl -H "Authorization: Bearer ..." https://login.salesforce.com/services/oauth2/userprofile

  10. so what can we do with all this plumbing?
  11. social sign-on
  12. 1) Register an App
  13. 2) Get your Metadata

       https://accounts.google.com/.well-known/openid-configuration

  14. 3) Initialize your client software
  15. 4) Just-in-Time Provisioning
  16. faster, simpler, better federation
  17. 1) Register an App
  18. 2) Get your Metadata

       https://gold.pinglabs.net:9031/.well-known/openid-configuration

  19. 3) Initialize your client software
  20. 4) Map Users
  21. 5) Access APIs!
  22. enterprise mobile apps
  23. Let’s build this App
  24. Refresh Tokens provide “SSO”
  25. Let’s Layer in Federation
  26. Let’s add Enterprise Policies
  27. How about Two Factor Authentication
  28. Bonus: Custom Claims
