authentication with oauth and connected apps

27
Authentication with OAuth and Connected Apps Best Practice API Authentication Chuck Mortimore, salesforce.com, Sr. Director of Product Management @cmort

Upload: salesforce-developers

Post on 18-Nov-2014

1.971 views

Category:

Documents


6 download

DESCRIPTION

 

TRANSCRIPT

Page 1: Authentication with OAuth and Connected Apps

Authentication with OAuth and

Connected Apps

Best Practice API Authentication

Chuck Mortimore, salesforce.com, Sr. Director of Product Management

@cmort

Page 2: Authentication with OAuth and Connected Apps

Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties

materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results

expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be

deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other

financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any

statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new

functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our

operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of

intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we

operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new

releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization

and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of

salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This

documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of

our Web site.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently

available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based

upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-

looking statements.

Page 3: Authentication with OAuth and Connected Apps

Why OAuth?

Open: A standard protocol that enables secure API access

Simple: No need to write UI or handle SSO/2-Factor/etc.

Mobile: Mobile Policies, No API Tokens, IP Bypass, etc.

Secure: Gets rid of passwords in Apps. Strong crypto options

Page 4: Authentication with OAuth and Connected Apps

The World’s Simplest

OAuth Client

Page 5: Authentication with OAuth and Connected Apps

Step 1: Register your App

Page 7: Authentication with OAuth and Connected Apps

Step 3: Exchange the Code

curl -d

'grant_type=authorization_code&client_id=CLIENT_ID&clie

nt_secret=CLIENT_SECRET&redirect_uri=YOUR_URL_E

NCODED_REDIRECT_URI&authorization_code=CODE'

https://login.salesforce.com/services/oauth2/token

Page 8: Authentication with OAuth and Connected Apps

Step 4: You’re Done - Use your token!

GET /resource HTTP/1.1

Host: na1.salesforce.com

Authorization: Bearer czZCaGRSa3F0MzpnWDFmQm….

curl -L -H 'Authorization: Bearer ACCESS_TOKEN' -H "X-

PrettyPrint: true" RESOURCE

Page 9: Authentication with OAuth and Connected Apps

Let’s Build a Web App

Page 10: Authentication with OAuth and Connected Apps

Code Flow: How does it work?

1) App Redirects User to

Authorization Services where

User is Authenticated and

Authorizes App

2) Code Returned to App

3) App Exchanges Code at Token

Service

Page 11: Authentication with OAuth and Connected Apps

Let’s Build a Web App

https://github.com/cmortimore/df12web

Page 12: Authentication with OAuth and Connected Apps

Let’s Build a Mobile App

Page 13: Authentication with OAuth and Connected Apps

Token Flow How does it work?

1) App Redirects User to

Authorization Services where

User is Authenticated and

Authorizes App

2) Token Response returned

directly to app on URL behind a

# fragment

Page 14: Authentication with OAuth and Connected Apps

What happens on Mobile?

1) Device opens a browser with

authorization URL

1) Tokens returned on URL behind

# fragment – instrumented

browser is monitoring and

parses URL

Page 15: Authentication with OAuth and Connected Apps

What the User Sees:

Authentication Authorization

Page 16: Authentication with OAuth and Connected Apps

Codified Best Practice: Mobile SDK & Container

NATIVE HYBRID WEB

OAuth2.0 Standard authentication

implementation providing single

sign-on for trusted apps

Secure Storage Securely store credentials and

business sensitive data with

enterprise-class reliability and

security

Mobile Login User experience, processes and

policy control optimized for the

mobile environment

Page 17: Authentication with OAuth and Connected Apps

http://developer.force.com/mobilesdk

Page 18: Authentication with OAuth and Connected Apps

Let’s build a Web App

https://github.com/cmortimore/df12mobile

Page 19: Authentication with OAuth and Connected Apps

Notice SSO works! Refresh Tokens

It’s a lot like a password

Allows you to get more sessions

Make sure you treat it like one!

POST /services/oauth2/token HTTP/1.1

Host: login.salesforce.com

Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token

&refresh_token=5Aep8615VRsd_GrUz3LAcJl

&client_id=MyApp

&redirect_uri=myapp%3A%2F%2Fcallback

Page 20: Authentication with OAuth and Connected Apps

Let’s Build an Integration App

Page 21: Authentication with OAuth and Connected Apps

What if I just want to call server to server

Uid / Password Flow

- Simple, but uses passwords, API tokens, etc.

Web SSO Assertion Flow

- Reuse SAML SSO and existing Trust

SAML/JWT Assertion Flow

- Cert and Trust Specific to the App

Page 22: Authentication with OAuth and Connected Apps

Let’s Build a Web App

https://github.com/cmortimore/df12integration

Page 23: Authentication with OAuth and Connected Apps

Enterprise Class Authorization

with Connected Apps

Page 24: Authentication with OAuth and Connected Apps

Admin Authorization for OAuth Apps

1) Admin “installs” app

2) App Uses any OAuth Flow

3) User Authorization is evaluated

via Admin settings

Page 25: Authentication with OAuth and Connected Apps

Final Thoughts

No one likes plumbing….use a toolkit

Make your login URLs configurable

login.salesforce.com, test.salesforce.com, other

Protect against attacks

Set a cookie, and check for it on response

Page 26: Authentication with OAuth and Connected Apps

Chuck Mortimore

@cmort

Page 27: Authentication with OAuth and Connected Apps