OAuth

Question 1

When should you use the Web Server flow?

Answer 1

When the server hosting the web app is able to protect the connected app’s identity - defined by client ID and client secret

Question 2

What are the end to end steps in the Web server flow?

Answer 2

1. Request an authorization code using client ID
2. User authenticates and authorises access
3. SF grants authorization code
4. Web app requests an access token using client ID & client secret
5. SF grants the access token

Question 3

What is the HTTP operation for requesting and getting the Authorization code for a web server flow?

Answer 3

HTTP Redirect

Question 4

How are scopes handled in the web server flow?

Answer 4

Scopes can be passed as an additional parameter - otherwise the flow uses what is defined in the connected app

Question 5

What is the endpoint for the authorize call in a web server flow?

Answer 5

https://login.salesforce.com/services/oauth2/authorize

Question 6

How is the authorization code granted in a web server flow?

Answer 6

Redirects to the callback URL with code = xyz

Question 7

How long lived is the authorization code in a web server flow?

Answer 7

15 minutes

Question 8

Can you persist state in the authorization flow?

Answer 8

Yes - the state parameter is passed back if included in the initial authorization request

Question 9

What are the key parameters in the authorization code request call of a web server flow?

Answer 9

client_id

Question 10

What is the HTTP operation to request an access token in the web server flow?

Answer 10

POST to services/oauth2/token

Question 11

What is the grant type to request an access token in the web server flow?

Answer 11

grant_type=authorization_code

Question 12

What are the key parameters in the authorization code request call of a web server flow?

Answer 12

code, client_id, client_secret

Question 13

When should you use the User-Agent flow

Answer 13

You have a client side mobile/browser application that cannot secure the client secret

Question 14

What is the response type in the authorization code request call of a web server flow?

Answer 14

code

Question 15

What is the response type in the authorization code request call of a user agent flow?

Answer 15

token or token id_token

Question 16

What are the key parameters in the authorization code request call of a user agent flow?

Answer 16

client_id

Question 17

Can the user agent flow issue a refresh token?

Answer 17

Yes

Question 18

What are some of the characteristics of the JWT Bearer token flow?

Answer 18

1. Used for Server to Server calls
2. Does not issue a Refresh token
3. Does not pass the client secret
4. Can’t specify scopes

Question 19

How are scopes handled with JWT Bearer token flow?

Answer 19

1. All users may self-authorize: scopes are derived from prior approvals
2. Admin approved users are pre-authorized: scopes linked to connected app are returned with access token
3. Allowlist connected apps in org: scopes linked to connected app are returned with access token

Question 20

How do you construct a JWT token?

Answer 20

1. Base64URLEncode(JWT Header) + “.” + Base64URLEncode(JWT Claims)
2. Sign (1) with SHA256 with RSA
3. Chain (1) + “.” + (2)

Question 21

What is the HTTP operation to request an access token in the JWT Bearer flow?

Answer 21

POST to services/oauth2/token

Question 22

What is the grant type in JWT Bearer flow?

Answer 22

jwt-bearer

Question 23

What is the token type set to when SF returns the access token in the JWT Bearer flow?

Answer 23

Bearer

Question 24

What is the header set to when accessing protected data in the JWT Bearer flow?

Answer 24

Authorization: Bearer

Question 25

When should you use the Device Authentication flow?

Answer 25

When you want to allow access to Salesforce for an application that runs on a device with limited input capabilities

Question 26

What is the HTTP Operation for a device requesting authorization in the Device Authentication flow?

Answer 26

HTTP Post to /services/oauth2/token

Question 27

What is the response type sent to Salesforce in the authorization call in a Device Authentication flow?

Answer 27

response_type=device_code

Question 28

Do we need client secret in the Device Authentication flow?

Answer 28

No only client_id is required

Question 29

What does SF return after the initial authorization call in the Device Authentication flow?

Answer 29

device_code, user_code, verification_uri, interval

Question 30

Describe the sequence of activities in the Device Authentication flow?

Answer 30

1. Device requests authorization 2. SF returns a verification code as well as the verification URL 3. Client app on device instructs user to visit verification URL on computer or mobile and enter verification code 4. In the mean time, the app is polling the token endpoint to check if the user has logged in and the access token is available 5. If the user logs in and grants access, SF posts the access token

Question 31

Describe some of the common scopes in use in OAuth?

Answer 31

``` api (access and manage data) custom_permissions id (synonymous with profile, email, address, phone) openid full refresh_token web ```

Question 32

When would you need to use custom scopes?

Answer 32

If protected resource is external, e.g. SF is authorization service but the actual resource is Order information from the ERP

Question 33

What are tokens used for?

Answer 33

Authorise access to protected resources

Question 34

Describe the authorization code?

Answer 34

Short lived token that can be used to get an access token or optionally a refresh token

Question 35

Describe the access token?

Answer 35

Has a longer lifetime than authorization code, usually minutes or hours. On expiry, client must get a new one using either refresh token or a new authorization flow

Question 36

Describe the refresh token?

Answer 36

Can be used repeatedly to get new access tokens

Question 37

Describe the ID token?

Answer 37

Signed data structure that contains authenticated user attributes

Question 38

When can you request the ID token?

Answer 38

In the User Agent and Web Server flows

Question 39

How is the ID token requested in the Web Server flow?

Answer 39

response_type: code scope: openid

Question 40

How is the ID token requested in the User Agent flow?

Answer 40

response_type: token id_token scope: openid nonce

Question 41

What are the 3 ways to revoke a token?

Answer 41

1. POST to /services/oauth2/revoke 2. GET on https://login.salesforce.com/services/oauth2/revoke?token=currenttokenID 3. JSONP

Question 42

What is token introspection?

Answer 42

Allows OAuth connected apps to check the state of an access or refresh token

Question 43

What are the 2 ways of sending client ID and secret for a token introspection call?

Answer 43

In the header or body

Question 44

What is the HTTP operation for a token introspection?

Answer 44

HTTP POST to /services/oauth2/introspect