Authentication and the REST API


Transcript of Authentication and the REST API

Page 1: Authentication and the REST API

REST API & Authentication
Developers

Chuck Mortimore: salesforce.com
Alex Toussaint: salesforce.com
Sanjay Gidwani: salesforce.com

Page 2: Authentication and the REST API

Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. This document and others are available on the SEC Filings section of the Investor Information section of our Web site.

Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Page 3: Authentication and the REST API

Alex Toussaint

salesforce.com

Page 4: Authentication and the REST API

Agenda

Shift in Cloud Computing

Force.com API Family

REST API

OAuth2

Demos
– REST Explorer
– Android Client
– HTML5/iPad

Q & A

Page 5: Authentication and the REST API

Fundamental Shift in Cloud Computing

Collaboration . Real-time . Mobile
Low Cost . Fast . Easy-to-use

Page 6: Authentication and the REST API

The Force.com API

SOAP API
– Most popular API in use today
– SOAP based services
– Synchronous

Bulk API
– Ideal for very large data sets
– REST based services
– Asynchronous

REST API (Pilot for Winter '11 Release)
– Brand new API suitable for Web 2.0 projects, mobile devices, HTML5
– REST based services
– Synchronous
– Pilot launch with over 1000 developers

Page 7: Authentication and the REST API

What is REST?

The term Representational State Transfer was introduced and defined in 2000 by Roy Fielding in his doctoral dissertation:
– http://www.ics.uci.edu/~taylor/documents/2002-REST-TOIT.pdf

Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web

It simplifies how developers build applications and services that work over the web

Can you translate that to English for me?
– What is a resource?

Page 8: Authentication and the REST API

Characteristics

Leverage HTTP
– Each resource in the Force.com REST API is a named URI that is used with an HTTP method such as: HEAD, GET, POST, PATCH, or DELETE.

Stateless
– Each request from client to server must contain all the information necessary to understand the request, and not use any stored context on the server

Caching Behavior
– Responses are labeled as cacheable or non-cacheable

Uniform interface
– All resources are accessed with a generic interface over HTTP

Named resources
– All resources are named using a base URI that follows Salesforce URI

Page 9: Authentication and the REST API

Characteristics

Authentication
– the Force.com REST API supports OAuth 2.0
– and our standard ways to get SID

Support XML and JSON
– You can use the HTTP ACCEPT header to select either JSON or XML to be returned, or append .json or .xml to the URI, for example
– /Account/001D000000INjVe.json

JSON Format
– The JavaScript Object Notation (JSON) format is supported with UTF-8, with date-time information in ISO8601 format.

XML Format
– XML requests are supported in UTF-8 and UTF-16
– and XML responses are provided in UTF-8

Page 10: Authentication and the REST API

Anatomy of REST API call

HTTP Method + Resource + Authorization

– curl https://na1.salesforce.com/services/data/v20.0/sobjects/Account/ -H "Authorization: OAuth token" -H "X-PrettyPrint:1"

– curl https://na1.salesforce.com/services/data/v20.0/sobjects/attachment/001D000000INjVe/body -H "Authorization: OAuth token" -H "X-PrettyPrint:1"

– curl "https://na1.salesforce.com/services/data/v20.0/query/?q=SELECT+name+from+Account" -H "Authorization: OAuth token" -H "X-PrettyPrint:1"

An HTTP ACCEPT header used to indicate the resource format (XML or JSON), or a .json or .xml extension

Any JSON or XML files for requests, such as updating a record with new information
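The three parts of a call named on this slide (method, resource URI, Authorization header, plus the Accept header or the .json/.xml extension) can be assembled and checked as plain data before anything is sent. The following is an added example, not code from the slides or from salesforce.com; it uses only the Python standard library, never contacts a server, and the instance and token values in it are constructed placeholders. It also URL-encodes the SOQL statement for the query resource, which the hand-written ?q=SELECT+name+from+Account on the slide does not cover for queries containing quotes or '='.

```python
"""Added example, not code from the slides: assembling the pieces of a
Force.com REST call (HTTP method + resource URI + Authorization header,
plus the Accept header or .json/.xml extension) as plain data, so a
request can be inspected before it is sent. Standard library only; nothing
here contacts a server. Instance URL and token values are constructed."""
from urllib.parse import urlencode

API_VERSION = "v20.0"  # the version in the slide's curl examples


def resource_url(instance_url, path, fmt=None):
    """URI of a named resource under /services/data/<version>/.

    fmt=None leaves format selection to the Accept header; fmt="json" or
    "xml" appends the extension instead, e.g. .../Account/001D000000INjVe.json
    """
    path = path.lstrip("/")
    url = f"{instance_url.rstrip('/')}/services/data/{API_VERSION}/{path}"
    if fmt:
        url = f"{url.rstrip('/')}.{fmt}"
    return url


def query_url(instance_url, soql):
    """URI for the query resource with the SOQL statement URL-encoded.

    Spaces become '+' as in the slide's hand-written example; characters such
    as '=' and quotes in a WHERE clause are percent-encoded.
    """
    return f"{resource_url(instance_url, 'query/')}?{urlencode({'q': soql})}"


def auth_headers(access_token, fmt="json", pretty=False):
    """Headers for an authenticated call.

    Authorization carries the access token exactly as the slide shows
    ("OAuth <token>"); Accept selects the representation; X-PrettyPrint is
    the optional formatting flag from the curl examples.
    """
    if not access_token:
        # an empty or missing token must fail here, not as a 401 from the server
        raise ValueError("access_token is required")
    headers = {
        "Authorization": f"OAuth {access_token}",
        "Accept": "application/json" if fmt == "json" else "application/xml",
    }
    if pretty:
        headers["X-PrettyPrint"] = "1"
    return headers


def plan_request(method, url, access_token, body=None):
    """Describe one call as a dict a caller can hand to http.client or urllib.
    The scheme check makes sure the token only ever travels over TLS."""
    if not url.startswith("https://"):
        raise ValueError("a request carrying an access token must use https")
    return {"method": method, "url": url, "headers": auth_headers(access_token), "body": body}


if __name__ == "__main__":
    # constructed values: na1 is the instance named on the slide, the token is fake
    instance = "https://na1.salesforce.com"
    token = "00DD0000000FH8l!CONSTRUCTED_TOKEN"
    print(plan_request("GET", resource_url(instance, "sobjects/Account/"), token))
    print(plan_request("GET", query_url(instance, "SELECT Name FROM Account WHERE Name = 'Acme'"), token))
```

plan_request deliberately returns a description rather than sending the request, so the URL and headers can be logged or unit-tested without credentials leaving the process; the https check is the one a client should apply to every URL it takes from configuration or from a discovery document.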

Page 11: Authentication and the REST API

Chuck Mortimore

salesforce.com

Page 12: Authentication and the REST API

What is OAuth?

An open protocol to allow secure API access in a simple and standard method from desktop and web applications

A Delegated Authentication and Authorization protocol

Standardization of common, successful API patterns

Simple

Page 13: Authentication and the REST API

Why OAuth

Stop the password anti-pattern
– Reduce the security and management issues with passwords

Explicit grant of permission by user or admin
– Allows trust management at massive scale

Credential is per-service-provider
– Revokable without changing password

Browser based authentication for rich clients
– Make it possible to participate in SSO

Page 14: Authentication and the REST API

Introducing OAuth 2

Looking to correct/improve issues with 1.0

Based on OAuth WRAP

Actively being defined in IETF WG
– Salesforce, Google, Microsoft, Facebook, Twitter, Yahoo, and lots of others

Initial implementations from MSFT, Google, Twitter, Facebook, 37signals, GitHub... and Salesforce

Very simple programming model

Defined flows for a wide set of clients

Several example libraries available

Page 15: Authentication and the REST API

OAuth ("Remote Access") at Salesforce.com

2 types of Remote Access clients
– Managed Package can "connect" to any org
– Non-Package limited to a single org
– We also have a global whitelist for approved clients

Support for both 1.0a and 2.0 (IETF draft 10)
– Focus is on 2.0 going forward

Page 16: Authentication and the REST API

Flows

Web Server Flow
– Web servers can protect secrets. Code returned to callback URL and exchanged for a token via a POST

User Agent Flow
– Used for JavaScript, Mobile, and Desktop. Token returned directly to callback URL behind # fragment

User Name / Password Flow
– Used for simple server-to-server integration use-cases

Assertion Flow
– Exchange a SAML Assertion for a token. Reuse your web SSO infrastructure for the API

Page 17: Authentication and the REST API

Using a Token

Token Response:
– XML or JSON
– access_token: an API-only SID
– refresh_token: a token you can use to get new access_tokens
– instance_url: the user's instance
– id: a URL that is both a unique id for the user and a getUserInfo

Using it with the API
– REST: HTTP Header: "Authorization: OAuth <access_token>"
– SOAP: place access token in SOAP header like a SID
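The two browser-based flows on the Flows slide and the token handling on this slide fit together as a small set of client-side functions over URLs and JSON. What follows is an added example, not the presenters' code or a Salesforce library: the authorize and token endpoints are the ones the deck lists later under "OAuth 2 at Salesforce Information", while CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the sample token response are constructed placeholders. The state parameter and its check are a standard OAuth 2 safeguard added here; the slides do not mention it. Nothing in the block sends a request, so it runs offline.

```python
"""Added example, not the presenters' code: the client side of the web server
flow (response_type=code) and the user agent flow (response_type=token), and
the use of the resulting token with the REST API. Pure functions over URLs and
JSON so it runs offline. Endpoint URLs are the ones listed on the deck's
"OAuth 2 at Salesforce Information" slide; client values and the sample
response are constructed placeholders."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
CLIENT_ID = "3MVG9_CONSTRUCTED_CONSUMER_KEY"          # placeholder
CLIENT_SECRET = "CONSTRUCTED_CONSUMER_SECRET"         # placeholder; web servers only
REDIRECT_URI = "https://app.example.com/oauth/callback"  # placeholder callback URL


def new_state():
    """Unguessable per-login value the client stores and checks on the callback,
    so a callback this client did not start is rejected (added safeguard, not
    on the slides)."""
    return secrets.token_urlsafe(16)


def authorize_url(response_type, state):
    """Step 1 of both flows: where the user's browser is sent.
    response_type "code" = web server flow, "token" = user agent flow."""
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_web_server_callback(callback_url, expected_state):
    """Web server flow: the code arrives in the query string. It is only useful
    together with the client secret, which never leaves the server."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(code):
    """Step 2 of the web server flow: form body POSTed to TOKEN_URL to exchange
    the code for tokens."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "redirect_uri": REDIRECT_URI})


def parse_user_agent_callback(callback_url, expected_state):
    """User agent flow: the token comes back in the fragment after '#', which
    the browser keeps client-side (fragments are not sent to the callback server)."""
    frag = parse_qs(urlparse(callback_url).fragment)
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    return {k: v[0] for k, v in frag.items() if k != "state"}


def parse_token_response(raw_json):
    """JSON token response with the fields the slide names. refresh_token is
    optional; the user agent flow may not return one."""
    tok = json.loads(raw_json)
    missing = [k for k in ("access_token", "instance_url", "id") if k not in tok]
    if missing:
        raise ValueError(f"token response missing {missing}")
    return tok


def api_request_headers(tok):
    """Using the token with the REST API: "Authorization: OAuth <access_token>"."""
    return {"Authorization": f"OAuth {tok['access_token']}"}


def refresh_request_body(tok):
    """Form body POSTed to TOKEN_URL to get a new access_token from the
    refresh_token; the user is not asked to log in again and the client never
    holds a password."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": tok["refresh_token"],
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


# Constructed sample token response shaped like the slide's field list.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "00DD0000000FH8l!CONSTRUCTED_ACCESS_TOKEN",
    "refresh_token": "CONSTRUCTED_REFRESH_TOKEN",
    "instance_url": "https://na1.salesforce.com",
    "id": "https://login.salesforce.com/id/00DD0000000FH8l/005D0000001Az1u",
})
```

The split between parse_web_server_callback and parse_user_agent_callback mirrors the point the Flows slide makes: a web server can hold CLIENT_SECRET and so receives only a code, while a JavaScript or mobile client cannot protect a secret and receives the token directly in the fragment. Calls to the REST API then use the instance_url from the token response as the base and the Authorization header from api_request_headers.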

Page 18: Authentication and the REST API

New Identity URL Service

Based upon OpenID Connect Proposal

Return a central identity URL
– https://login.salesforce.com/id/{orgid}/{userid}

Basic profile information similar to GetUserInfo

Chatter Status and photos

Discovery service for API endpoints

Page 19: Authentication and the REST API

Configuring a Client

Setup/Administration/Create/Remote Access

Page 20: Authentication and the REST API

Alex Toussaint

salesforce.com

Page 21: Authentication and the REST API

When to use REST?

Applications running on a Browser or Mobile device
– Simpler syntax, small footprint
– Leverage HTTP standards
– Front end, client based integrations

Web 2.0 type projects
– Commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design, and collaboration
– User interacting with system, getting data chunks at a time

Enterprise projects where WSDL contract not required
– The detailed data typing provided by WSDL is not required
– JSON formatted results
– HTTP methods are your method calls

Page 22: Authentication and the REST API

Demos!

salesforce.com

Page 23: Authentication and the REST API

REST API & Authentication

Page 24: Authentication and the REST API

Next Steps

1. Register for Developer Account – http://developer.force.com/

2. Get REST API enabled in your Org – https://www.developerforce.com/events/rest_developer_preview/registration.php

3. Get a copy of our REST API documentation – http://boards.developerforce.com/t5/REST-API-Integration/bd-p/integration

4. Get involved in the REST Discussion Groups – http://boards.developerforce.com/t5/REST-API-Integration/bd-p/integration

5. Come meet us at CloudStock 2010 – http://www.cloudstockevent.com/?d=70130000000FWtI

6. Come meet us at Dreamforce 2010 – http://www.salesforce.com/dreamforce/DF10/home/

7. Survey – http://bit.ly/RESTAPI6am

Page 25: Authentication and the REST API

OAuth 2 at Salesforce Information

New features
– iPhone/Android and Popup login pages
– API only tokens for improved security

Authorization Service
– For end-user authentication and authorization
– https://login.salesforce.com/services/oauth2/authorize

Token Service
– For back-end communication and exchange of tokens
– https://login.salesforce.com/services/oauth2/token

Terminology
– access_token = SID
– refresh_token can be exchanged for access_token

Page 26: Authentication and the REST API

{
  "user_type": "STANDARD",
  "urls": {
    "custom_domain": "https://identityorg.my.salesforce.com",
    "enterprise": "https://identityorg.my.salesforce.com/services/Soap/c/20.0/00DD0000000FH8l",
    "partner": "https://identityorg.my.salesforce.com/services/Soap/u/20.0/00DD0000000FH8l",
    "REST": "https://identityorg.my.salesforce.com/coming/soon",
    "profile": "https://identityorg.my.salesforce.com/005D0000001Az1u",
    "metadata": "https://identityorg.my.salesforce.com/services/Soap/m/20.0/00DD0000000FH8l"
  },
  "locale": "en_US",
  "asserted_user": true,
  "id": "https://login.salesforce.com/id/00DD0000000FH8l/005D0000001Az1u",
  "nick_name": "demouser",
  "photos": "http://comingsoon.salesforce.com/photosoon",
  "display_name": "Demo User",
  "email": "[email protected]",
  "organization_id": "00DD0000000FH8l",
  "active": true,
  "utcOffset": -28800000,
  "user_id": "005D0000001Az1u",
  "language": "en_US"
}
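The identity document above is what a client receives from the id URL returned with a token (the "New Identity URL Service" slide). As an added example, not code from the slides or from salesforce.com, the block below parses that document, checks that the id URL agrees with the organization_id and user_id fields, and uses the urls map as the discovery service the slide describes. IDENTITY_DOC is the slide's own demo data, reproduced as constructed input (the email appears exactly as on the slide); the checks and the version substitution in api_endpoint are this example's own additions.

```python
"""Added example, not from the slides: reading the identity URL service
response. IDENTITY_DOC is the slide's demo document (constructed input, the
email reproduced as it appears on the slide); the consistency checks and
endpoint lookup are this example's own."""
import json
import re
from urllib.parse import urlparse

IDENTITY_DOC = """{
  "user_type": "STANDARD",
  "urls": {
    "custom_domain": "https://identityorg.my.salesforce.com",
    "enterprise": "https://identityorg.my.salesforce.com/services/Soap/c/20.0/00DD0000000FH8l",
    "partner": "https://identityorg.my.salesforce.com/services/Soap/u/20.0/00DD0000000FH8l",
    "REST": "https://identityorg.my.salesforce.com/coming/soon",
    "profile": "https://identityorg.my.salesforce.com/005D0000001Az1u",
    "metadata": "https://identityorg.my.salesforce.com/services/Soap/m/20.0/00DD0000000FH8l"
  },
  "locale": "en_US",
  "asserted_user": true,
  "id": "https://login.salesforce.com/id/00DD0000000FH8l/005D0000001Az1u",
  "nick_name": "demouser",
  "photos": "http://comingsoon.salesforce.com/photosoon",
  "display_name": "Demo User",
  "email": "[email protected]",
  "organization_id": "00DD0000000FH8l",
  "active": true,
  "utcOffset": -28800000,
  "user_id": "005D0000001Az1u",
  "language": "en_US"
}"""


def parse_identity(raw_json):
    """Parse the document and check that the id URL, the user's unique
    identifier in the form https://login.salesforce.com/id/{orgid}/{userid},
    agrees with the organization_id and user_id fields."""
    doc = json.loads(raw_json)
    parsed = urlparse(doc["id"])
    if parsed.scheme != "https":
        raise ValueError("identity URL must be https")
    parts = parsed.path.strip("/").split("/")
    if parts != ["id", doc["organization_id"], doc["user_id"]]:
        raise ValueError("id URL does not match organization_id/user_id")
    return doc


def is_usable(doc):
    """A client should only act for an active user, and only when the service
    asserts that the token presented was issued for this identity."""
    return doc.get("active") is True and doc.get("asserted_user") is True


def api_endpoint(doc, name, version=None):
    """Discovery: fetch an endpoint from the urls map by key. For the SOAP
    style URLs that embed an API version (20.0 in the sample), an explicit
    version replaces the embedded one."""
    url = doc["urls"][name]
    if version is not None:
        url = re.sub(r"/\d+\.\d+/", f"/{version}/", url, count=1)
    return url


def utc_offset_hours(doc):
    """utcOffset is milliseconds from UTC; the sample's -28800000 is UTC-8."""
    return doc["utcOffset"] / 3_600_000


if __name__ == "__main__":
    identity = parse_identity(IDENTITY_DOC)
    print(identity["display_name"], "usable:", is_usable(identity))
    print("partner endpoint:", api_endpoint(identity, "partner"))
```

Reading endpoints from the identity document rather than hard-coding an instance name is what the slide's "discovery service for API endpoints" amounts to in practice; the id/organization_id/user_id consistency check is cheap and catches a mismatched or tampered document before the client relies on it.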

Page 27: Authentication and the REST API

Discover Developer Learning Paths that help you achieve Success

Visit the Developer Training and Support Booth in Force.com Zone

Developer training, certification and support resources

Find us in the Partner Demo Area of Force.com Zone, 2nd Floor Moscone West

Learn about Developer Certifications

Page 28: Authentication and the REST API

Remember. . .

Check Chatter for additional session information

Get your developer Workbooks and Cheat Sheets in the Force.com Zone

Visit for more information related to this topic

Don't forget the survey!

Page 29: Authentication and the REST API

How Could Dreamforce Be Better? Tell Us!

Log in to the Dreamforce app to submit surveys for the sessions you attended

OR

Use the Dreamforce Mobile app to submit surveys

Every session survey you submit is a chance to win an iPod nano!