CIS14: OAuth and OpenID Connect in Action

OAuth & OpenID Connect in ActionChuck Mortimore VP, Product Management Salesforce Identity @cmort

a quick demo client

the world’s simplest client

1) Register an App 2) Get your Metadata 3) Create (initialize) your Client 4) Use your Tokens

1) Register an App

2) Get your Metadata

https://login.salesforce.com/.well-known/openid-configuration

2) Get your Metadata { "issuer": "https://login.salesforce.com", "authorization_endpoint": "https://login.salesforce.com/services/oauth2/authorize", "token_endpoint": "https://login.salesforce.com/services/oauth2/token", "revocation_endpoint": "https://login.salesforce.com/services/oauth2/revoke", "userinfo_endpoint": "https://login.salesforce.com/services/oauth2/userinfo", "jwks_uri": "https://login.salesforce.com/id/keys", "scopes_supported": ["id", "api", "web", "full", "chatter_api", "visualforce", "refresh_token", "openid"], "response_types_supported": ["code", "token", "token id_token"], "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["RS256"], "display_values_supported": ["page", "popup", "touch"], "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"] }

3) Create your Client

https://login.salesforce.com/services/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F

%2Flocalhost&client_id=…

curl -H 'Content-Type: application/x-www-form-urlencoded' -d "client_id=...&client_secret=...&redirect_uri=https%3A%2F

%2Flocalhost&grant_type=authorization_code&code=..." https://login.salesforce.com/services/oauth2/token

…and validate your id_token

4) Use your access_token

curl -H "Authorization: Bearer ..." https://login.salesforce.com/services/oauth2/userprofile

so what can we do with all this plumbing?

social sign-on

1) Register an App

https://accounts.google.com/.well-known/openid-configuration

3) Initialize your client software

4) Just-in-Time Provisioning

faster, simpler, better federation

1) Register an App

https://gold.pinglabs.net:9031/.well-known/openid-configuration

3) Initialize your client software

4) Map Users

5) Access APIs!

enterprise mobile apps

Let’s build this App

Refresh Tokens provide “SSO”

Let’s Layer in Federation

Let’s add Enterprise Policies

How about Two Factor Authentication

Bonus: Custom Claims

CIS14: OAuth and OpenID Connect in Action

Technology

Transcript of CIS14: OAuth and OpenID Connect in Action

Online Identity for Community Managers: OpenID, OAuth, Information Cards

Identity and Data Access: OpenID & OAuth

I/O Preso: OpenID and OAuth for Google Apps - Chrome Browser

Oracle Banking APIs OpenID Guide Banking API… · OPENID 5 OpenID Guide 5 2. OPENID OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients

Federated Shibboleth, OpenID , oAuth , and Multifactor

Bechtel On OpenID and OAuth from Cloud Identity Summit

OpenId Tech Night vol.6 OAuth

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board Member atom@yahoo-inc.com @atom.

Yahoo! OpenID and OAuth · 2010-05-03 · – No need for users to create a site‐speciﬁc userid or password ... • OAuth is needed to authorize API access – OpenID does not

OAuth 2.0 Web Messaging Response Mode - OpenID Summit Tokyo 2015

Federated Shibboleth, OpenID, oAuth, and Multifactor · 2013-04-15 · Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor

OpenID/OAuth and YQL with .NET

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

LASCON 2017: SAML v. OpenID v. Oauth

OAuth 2.0 & OpenID Connect #MA7

OAuth 2.0 and OpenId Connect

Single Sign-On Security - Hackmanit...3 History of Single Sign-On OAuth 1.0 Oct 2007 OAuth 2.0 Oct 2012 OAuth 1.0 Rev A Jun 2009 OpenID Connect 1.0 Feb 2014 OpenID 1.1 May 2006 OpenID

Hybrid Auth: OpenID + OAuth

SAML vs OAuth 2.0 vs OpenID Connect

Securing RESTful APIs using OAuth 2 and OpenID Connect