OAuth
OAuth (Open Authorization) is an authorization framework that allows third-party applications to securely access Salesforce resources on behalf of a user without sharing their credentials.
It lets users grant external applications limited access to their Salesforce data, which improves both security and the user experience.
Components of OAuth
Grant Types
Authorization Code Grant
Used for server-side applications where the application exchanges an authorization code for an access token.
Implicit Grant
Used for client-side applications, where the access token is returned directly without an authorization code.
Resource Owner Password Credentials Grant
Used for applications where the user’s credentials are directly provided to the application.
Client Credentials Grant
Used for machine-to-machine communication, where an application accesses resources without user context.
Access Tokens
After authorization, the application receives an access token, which it uses to make authenticated requests to Salesforce APIs. Access tokens have a limited lifespan and may need to be refreshed.
Scope
Scopes define the level of access the application is requesting; for example, an application might request access to read and write data, or only to read data.
Connected Apps
A Connected App is needed to enable OAuth authentication. This includes defining the OAuth settings such as callback URLs, scopes, and policies.
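The authorization code grant described above, worked through for a Salesforce Connected App as an added example (not code from the original page): it builds the authorize URL with the requested scopes, a PKCE challenge and a state value, validates the callback, and prepares the code-for-token exchange. The client id, client secret and callback URL are placeholders; the two endpoints are Salesforce's standard OAuth 2.0 login endpoints.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Salesforce production login endpoints (use test.salesforce.com for sandboxes)
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

def pkce_challenge(verifier):
    # S256 method: base64url(SHA-256(verifier)) with the '=' padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    # Step 1: send the browser here; redirect_uri must match a Connected App callback URL
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                 # unguessable value bound to the user's session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # Step 2: Salesforce redirects back with ?code=...&state=...; reject unless state matches
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    if not hmac.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: discarding code")
    return qs["code"][0]

def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    # Step 3: form body to POST to TOKEN_URL from the server side, never from the browser.
    # The JSON response carries access_token, instance_url and (if granted) refresh_token.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,   # omit only if the Connected App does not require it
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,   # lets Salesforce verify the PKCE challenge
    }

if __name__ == "__main__":
    verifier, state = secrets.token_urlsafe(48), secrets.token_urlsafe(16)
    print(build_authorize_url("CLIENT_ID", "https://app.example.com/oauth/callback",
                              ["api", "refresh_token"], state, pkce_challenge(verifier)))
```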
What is the Benefit?
Integration with Third-Party Applications
Allow external applications, such as mobile apps or web services, to access Salesforce data securely.
Single Sign-On (SSO)
Enable users to log into multiple applications with a single set of credentials.
API Access
Allow developers to access Salesforce APIs securely.
Who is Impacted?
Developers
Developers will use OAuth to connect to APIs, build Connected Apps, and ensure secure connections when working across external applications.
End Users
End users will see a streamlined login process and gain greater control over access to their data by approving or revoking access requests from applications.
Security/Compliance
Security and Compliance teams will ensure OAuth implementations comply with organizational security policies and best practices to protect sensitive data.