How does OAuth work in the force.com platform?
This presentation is my attempt to explain to non-developers the most important pieces of information on OAuth, and how they can use the features of the force.com platform to manage applications that are connecting to their org using OAuth.
3. Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers.
Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
10. Token?
A set of characters
Sometimes referred to as a “hash”
200911381f7899d2482ab61fe8d15684469b17fc690b6a114a72b1e9d432e808
A randomly generated set of characters, produced by a cryptographic algorithm from another secret set of characters (usually referred to as a key)
Secure: long and unguessable
Unique to user
14. Admin Control Over OAuth
Setup > Users > Manage Users
– OAuth Connected Applications
Setup > Administer > Connected Apps
– Authorize or restrict access to OAuth Apps
Setup > Administer > Connected Apps OAuth Usage
– What apps are connecting to your org?
Everything we show today will be current product, but this is a reminder to please make your purchasing decisions based on the product we have today, not on any forward-looking statements we may make.
OAuth is fundamental to what we do at salesforce.com, the services we offer, and the trust that our customers expect of us.
Slide for fun. Fun sometimes helps people remember…but this is optional.
There is a lot of information out there on OAuth. The community and protocol are maintained at the URL above (oauth.net). Client-stored passwords are dangerous. I’ll make that point in a couple of slides.
I created this slide to help people understand that OAuth is being used every day, all the time, to help people establish secure connections between accounts. Animation script: You want to connect two applications like Meetup and Facebook. On Meetup.com’s site you visit your user profile social media settings. You click the tickbox next to Facebook to establish a connection to Facebook from Meetup, and you are presented the login page from facebook.com. Notice the URL is now coming from facebook.com, meaning you are not providing your credentials to Meetup, but rather to Facebook. Once Facebook establishes your identity you are given a screen to confirm you want to allow Meetup to access your Facebook information. Meetup updates with your information, presenting you with an option to revoke access at some point in the future.
Chatty wants to access salesforce from his mobile device. He connects to his non-OAuth secured mobile application. He enters his very secure user id and password. It gets stored on the device. He can now access salesforce. But what happens when his password expires? He can’t access salesforce anymore. Or worse, he loses his phone. Now someone who finds his phone might not only access salesforce, but if the person finding the phone can compromise the user id and password, they might gain access to other critical business systems. Now Chatty is unhappy.
OAuth takes the credentials off the phone. Now Chatty is accessing salesforce using his OAuth-enabled app like Salesforce1. Chatty accesses the app. A request to salesforce occurs to sign on. Salesforce serves up its authentication page to the app (think the Facebook example). The user provides a user id and password to salesforce and, if authenticated, salesforce delivers two tokens to the mobile app. These tokens are referred to as an access token and a refresh token. Note that the tokens would need to be stored in a secure encrypted location for this to be secure, but this is the typical pattern.
The word token can sometimes confuse people. Maybe this slide helps, maybe it doesn’t.
Now Chatty is using tokens. The access token is short lived and directly linked to the user session. When he tries to access the app, the stored access token will be used to verify his identity. In lieu of the user id and password, the token grants him access. At some point the session will expire. In this case the access token will be invalid.
When the access token is invalid, a different process occurs. Chatty attempts access to Salesforce1. Given the access token is invalid, the refresh token is used. If verified, the refresh token will generate a new user session and access token, serving the access token back to be securely stored in the mobile device.
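The token slide and the three Chatty slides above describe one mechanism: the app keeps two opaque random tokens instead of a password, the short-lived access token is checked on every call, and when it expires the refresh token is traded for a new session. The following is an added example written for this page, not code from the presentation or from salesforce.com. It models both sides in-process with constructed data: `TokenService` stands in for the salesforce.com token service, `MobileApp` for an OAuth-enabled client such as Salesforce1, and the 60-second session lifetime, the user name and password, and all class and function names are assumptions. The server side stores only a SHA-256 fingerprint of each token, which is one reason people loosely call tokens a "hash", and the `revoke` method models what the user's Revoke button on the OAuth Connected Applications page does.

```python
"""Added example: the access-token / refresh-token pattern from the Chatty slides.

Not the presentation's own code. The service is a stand-in for salesforce.com;
names, lifetimes and the test user are constructed assumptions.
"""
import hashlib
import secrets
import time


def new_token() -> str:
    """An opaque, unguessable string: 32 random bytes from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(32)


def fingerprint(token: str) -> str:
    """The server keeps only this hash, so a leaked token table is not a set of live credentials."""
    return hashlib.sha256(token.encode()).hexdigest()


class FakeClock:
    """Injectable clock so a session can be expired without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TokenService:
    """Stand-in for the authorization server (salesforce.com in the slides)."""

    def __init__(self, access_ttl: float = 60.0, clock=time.monotonic):
        self.access_ttl = access_ttl   # assumed session lifetime, in seconds
        self.clock = clock
        self._users = {}               # username -> password (constructed test data)
        self._sessions = {}            # sha256(access token) -> (username, expiry)
        self._refresh = {}             # sha256(refresh token) -> username

    def register_user(self, username: str, password: str) -> None:
        self._users[username] = password

    def authorize(self, username: str, password: str) -> dict:
        """The login page: the user authenticates once, directly with the server, and gets two tokens."""
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        refresh = new_token()
        self._refresh[fingerprint(refresh)] = username
        return {"access_token": self._issue_access(username), "refresh_token": refresh}

    def _issue_access(self, username: str) -> str:
        """Create a new user session bound to a fresh access token."""
        access = new_token()
        self._sessions[fingerprint(access)] = (username, self.clock() + self.access_ttl)
        return access

    def resource(self, access_token: str) -> dict:
        """A protected API call: only a live access token is accepted."""
        entry = self._sessions.get(fingerprint(access_token))
        if entry is None or entry[1] < self.clock():
            raise PermissionError("invalid session")   # unknown or expired
        return {"user": entry[0]}

    def refresh(self, refresh_token: str) -> dict:
        """Trade a still-valid refresh token for a new session and access token."""
        username = self._refresh.get(fingerprint(refresh_token))
        if username is None:
            raise PermissionError("invalid refresh token")  # revoked or forged
        return {"access_token": self._issue_access(username)}

    def revoke(self, refresh_token: str) -> None:
        """What the user's Revoke action on OAuth Connected Applications does."""
        self._refresh.pop(fingerprint(refresh_token), None)


class MobileApp:
    """Stand-in for an OAuth-enabled client such as Salesforce1."""

    def __init__(self, service: TokenService):
        self.service = service
        self.access_token = None
        self.refresh_token = None  # on a real device this belongs in the encrypted keychain

    def login(self, username: str, password: str) -> None:
        tokens = self.service.authorize(username, password)
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]
        # the password is deliberately not kept anywhere in the app

    def call_api(self) -> dict:
        try:
            return self.service.resource(self.access_token)
        except PermissionError:
            # Session expired: use the refresh token, store the new access token, retry once.
            self.access_token = self.service.refresh(self.refresh_token)["access_token"]
            return self.service.resource(self.access_token)


def scenario() -> dict:
    """Walk through the slides' story with a fake clock and report what happened."""
    clock = FakeClock()
    svc = TokenService(access_ttl=60.0, clock=clock)
    svc.register_user("chatty", "correct horse battery")  # constructed test user
    app = MobileApp(svc)
    app.login("chatty", "correct horse battery")
    first_access = app.access_token
    first_call = app.call_api()["user"]
    clock.now = 100.0                           # the session has expired
    after_expiry = app.call_api()["user"]       # transparently refreshed
    rotated = app.access_token != first_access
    svc.revoke(app.refresh_token)               # Chatty revokes the app from his settings
    clock.now = 200.0
    try:
        app.call_api()
        after_revoke = "allowed"
    except PermissionError:
        after_revoke = "denied"                 # must log in again with a password
    return {"first_call": first_call, "after_expiry": after_expiry, "rotated": rotated,
            "after_revoke": after_revoke,
            "password_on_device": "correct horse battery" in vars(app).values()}


if __name__ == "__main__":
    print(scenario())
```

Two things the toy makes visible that the slides only state: the refresh happens inside `call_api` without the user or the password being involved, and after `revoke` the app is locked out the moment its current session ends, which is exactly why the admin and user controls on the following slides act on refresh tokens rather than on passwords.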
Users have control over their OAuth tokens! Every user should learn how to control which connected apps will get to access their salesforce.com account.
Admins have control over their orgs. Admins can: control the OAuth tokens of their users; restrict or authorize use of OAuth-enabled applications, using Profiles and Permission Sets; and audit which OAuth apps are already connecting to their salesforce org.