OAuth Authorization flows in salesforce
1. Creating Connected App and Managing Connected App usage
2. OAuth web server flow (walkthrough with Postman)
3. OAuth JWT Bearer token flow (walkthrough with Postman)
4. OAuth JWT Bearer token flow (Apex code walkthrough to integrate one Salesforce org with another using the JWT bearer flow)
Salesforce Developer Group Bengaluru, India - @SFDGBLR #SFDGBLR
TABLE OF CONTENTS
01 Connected App - Creating Connected App and Managing Connected App Usage
02 OAuth Web Server Flow - Demo through Postman HTTP Client
03 OAuth JWT Bearer Token Flow - What is JWT? Walkthrough with Postman HTTP Client
04 OAuth JWT Bearer Token Flow in Apex - Apex Code Walkthrough to connect one Salesforce org to another using named credentials
05 RESOURCES
Connected App
A connected app is a framework that enables an external application to integrate with Salesforce using
APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. Connected apps use these
protocols to authenticate, authorize, and provide single sign-on (SSO) for external apps.
1. Creating Connected App
2. Managing Connected App Usage and Policies.
DEMO
OAuth Web server flow
1. The external web service—via the connected app—posts an authorization code request using the authorization code grant type to the Salesforce authorization endpoint.
2. With an authorization code, the connected app can prove that it's been authorized as a safe visitor to the site and that it has permission to request an access token.
1. OAuth Web server flow walkthrough with Postman HTTP Client.
DEMO
Steps Involved in Web Server Flow
1. Authorization endpoint (the callback returns the code):
https://login.salesforce.com/services/oauth2/authorize?client_id=xxx&redirect_uri=https://login.salesforce.com/oauth2/callback&response_type=code
2. Endpoint for access token:
https://login.salesforce.com/services/oauth2/token
POST /services/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=<code from step 1, URL decoded>&client_id=xxx&client_secret=xxx&redirect_uri=https://login.salesforce.com/oauth2/callback
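Added example, not part of the slides and not Salesforce code: a Go program that assembles the step 1 authorize URL, validates the callback and extracts the authorization code, and builds the step 2 token-request body. The client id, client secret, state value and the constructed callback URL are placeholders. The state parameter is not on the slide; it is the standard OAuth 2.0 value the client generates per login and checks on the callback so that a code arriving from a different session is rejected. The callback host and path are compared against the registered redirect_uri for the same reason.

```go
package main

import (
	"fmt"
	"net/url"
)

const (
	authorizeEndpoint = "https://login.salesforce.com/services/oauth2/authorize"
	tokenEndpoint     = "https://login.salesforce.com/services/oauth2/token"
)

// BuildAuthorizeURL assembles the step 1 URL the browser is sent to.
// state is not on the slide: it is the standard OAuth 2.0 anti-CSRF value the
// client generates per login and checks again when the callback arrives.
func BuildAuthorizeURL(clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	return authorizeEndpoint + "?" + q.Encode()
}

// ExtractCode validates the callback Salesforce redirects to and returns the
// authorization code. u.Query() percent-decodes it, which is the "url decoded"
// note on the slide: the raw value in the address bar contains %3D and similar.
func ExtractCode(callbackURL, registeredRedirect, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	r, err := url.Parse(registeredRedirect)
	if err != nil {
		return "", err
	}
	if u.Scheme != r.Scheme || u.Host != r.Host || u.Path != r.Path {
		return "", fmt.Errorf("callback %s://%s%s is not the registered redirect_uri", u.Scheme, u.Host, u.Path)
	}
	q := u.Query()
	if q.Get("state") != expectedState {
		return "", fmt.Errorf("state mismatch: callback was not started by this client session")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization refused: %s (%s)", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return "", fmt.Errorf("callback carries no authorization code")
	}
	return code, nil
}

// AuthCodeTokenBody is the x-www-form-urlencoded body of step 2. url.Values
// re-encodes the decoded code, so the code must not be pasted in still encoded.
func AuthCodeTokenBody(code, clientID, clientSecret, redirectURI string) string {
	v := url.Values{}
	v.Set("grant_type", "authorization_code")
	v.Set("code", code)
	v.Set("client_id", clientID)
	v.Set("client_secret", clientSecret)
	v.Set("redirect_uri", redirectURI)
	return v.Encode()
}

func main() {
	redirect := "https://login.salesforce.com/oauth2/callback"
	state := "state-constructed-123" // constructed; use a random per-login value in practice
	fmt.Println("Step 1:", BuildAuthorizeURL("CLIENT_ID_PLACEHOLDER", redirect, state))
	// Constructed callback, as the browser would show it after the user approves.
	cb := redirect + "?code=aPrxCONSTRUCTEDCODE%3D%3D&state=" + state
	code, err := ExtractCode(cb, redirect, state)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Println("Step 2: POST", tokenEndpoint)
	fmt.Println(AuthCodeTokenBody(code, "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", redirect))
}
```

Running it prints the authorize URL, then the decoded code re-encoded inside the token body (the `%3D%3D` padding appears once, not twice), which is exactly the Postman pitfall the "url decoded" note on the slide refers to.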
OAuth JWT Bearer Token flow
1. This is used for server-to-server integration scenarios.
2. This flow uses a certificate to sign the JWT request and doesn't require explicit user interaction. However, this flow does require prior approval of the client app. Please note that this flow never issues a refresh token.
JWT Structure
Header - {"alg":"RS256"}
Payload - the claims: an object containing information about the user plus additional data. For this flow the claims are set with the parameters iss, aud, sub and exp.
Signature - computed over the encoded header and payload with an algorithm such as RS256.
Compact form: <base64url(header)>.<base64url(claims)>.<base64url(signature)>
1. OAuth JWT Bearer Token flow walkthrough with Postman HTTP Client.
DEMO
Steps to be followed in Postman
POST /services/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<JWT generated on the jwt.io website>
OAuth JWT Bearer Token flow Usage in Apex
1. OAuth JWT Bearer Token flow (Apex code walkthrough to integrate one Salesforce org with another using named credentials)
DEMO
Apex Code without Named Credentials
// Build the claims: subject (Salesforce username), audience (login endpoint) and issuer (connected app client id)
Auth.JWT jwt = new Auth.JWT();
jwt.setSub('debarunsengupta2512@live.com');
jwt.setAud('https://login.salesforce.com');
jwt.setIss('connected app client id');
// Sign the JWT with the certificate stored under Certificate and Key Management
Auth.JWS jws = new Auth.JWS(jwt, 'Certificate keystore name');
String token = jws.getCompactSerialization();
String tokenEndpoint = 'https://login.salesforce.com/services/oauth2/token';
// POST the JWT bearer token
Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(tokenEndpoint, jws);
// Get the access token
String accessToken = bearer.getAccessToken();
System.debug('Access Token-->' + accessToken);
Apex Code with Named Credentials
// The named credential JWT_Demo holds the JWT bearer configuration, so no token handling appears in the code
String service_limits = '/services/data/v48.0/sobjects/Account/listviews/';
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:JWT_Demo' + service_limits);
req.setMethod('GET');
Http http = new Http();
HttpResponse res = http.send(req);
System.debug(res.getBody());
System.debug(res.getStatusCode());
1. https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5
2. https://jwt.io/
3. https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm
4. https://www.base64encode.org/
5. https://www.freeformatter.com/json-formatter.html#ad-output
6. https://www.unixtimestamp.com/
Some Useful commands to convert .crt to keystore to store in SFDC
openssl pkcs12 -export -in server.crt -inkey server.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore servercert.jks -deststoretype JKS
keytool -keystore /<Path>/servercert.jks -changealias -alias 1 -destalias salesforcetest