Using Salesforce as an Authentication Provider

In this post we will see how Salesforce can be used as an authentication (and authorisation) provider with OpenID Connect.

But first, what exactly is OpenID Connect anyway? In simple words - it is a way to perform authentication and (basic) authorisation against a trusted server, built on top of the OAuth 2.0 protocol.

This is the high-level flow for implementing Salesforce authentication -

  1. Create login function: add a “Login with Salesforce” button in your external application. On click, it asks Salesforce to authenticate the user and return their basic details
  2. Create a connected app in Salesforce
  3. On authentication, Salesforce checks the user's id/password. If the calling application is valid, i.e. it presents the correct “client id” and “secret key”, Salesforce issues a JWT for the user
  4. Use the JWT and invoke yet another API to get the user's profile information

1. Login Function

We could create and debug the entire flow after building an external app that invokes Salesforce APIs, but I am too lazy for that. Instead, we will take the “lazy developer approach”: use the Heroku app at https://openidconnect.herokuapp.com/ for some quick testing of OpenID Connect authentication against Salesforce.

2. Create Connected App

Go to Setup > Platform Tools > Apps > App Manager and click the New Connected App button.

  1. Provide a name - GoogleAuth - and contact details
  2. Use a logo and icon
  3. Provide the Callback URLs https://login.salesforce.com/oauth2/callback and http://openidconnect.herokuapp.com/
  4. Provide Selected OAuth Scopes. Allow Access to Unique Identifier (openid) is essential; the rest is up to you
  5. Check Configure ID Token and provide ID Token Audiences as https://login.salesforce.com (if you are doing this on a sandbox / custom domain URL, use that specific URL)
  6. Check Include Standard Claims

(Screenshot: Salesforce connected app OpenID Connect settings)

Test your Authentication

“View” your connected app in Salesforce to get the Consumer Key and Consumer Secret. Paste them into the OpenID Heroku app window.

(Screenshot: connected app credentials pasted into the Heroku OpenID Connect playground)

  1. Hit Next in the test app to authorize the client with the Client Id and Client Secret
  2. An authorization code is returned from the previous step upon successful authentication.
  3. Hit Next again to use the authorization code to establish a trusted transaction with Salesforce (you “exchange” the authorization code for tokens). This sends a POST request to /services/oauth2/token. Note that the id_token in the response is a JWT - you can see its claims decoded into the ID Token text field in the Heroku app
  4. Use the token obtained in the previous step to get user info. The app does this by sending a request to /services/oauth2/userinfo with the Authorization header set to Bearer <token>
  5. You will receive a response with the user's details

Note: Did you receive an error in Step (1) when you clicked Next? Make sure your Callback URL list includes https://openidconnect.herokuapp.com/.
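The five test steps above, and the high-level flow at the top of the post, are what a relying party has to implement itself once the Heroku playground is replaced by real code. The following Python example is added here and is not code from the post or from Salesforce: it builds the authorization request, the token-exchange POST to /services/oauth2/token and the Bearer request to /services/oauth2/userinfo, and performs the id_token claim checks (issuer, audience, expiry, nonce) that must pass before the token is trusted. The client id DEMO_CLIENT_ID, the nonce/state values and the sample id_token are constructed for the demo (the sample token carries an empty signature so the parsing runs offline); signature verification against the issuer's published RS256 keys is left to a JOSE library and is only noted in a comment. The exact-match check on the registered callback URL is the point behind the Note above.

```python
"""Relying-party side of the Salesforce OpenID Connect flow (added example)."""
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request

SF_LOGIN = "https://login.salesforce.com"           # issuer / ID Token Audience in the post
CALLBACK = "https://openidconnect.herokuapp.com/"   # one of the registered Callback URLs


def redirect_uri_registered(uri, registered):
    """Step 1 fails if the redirect_uri is not an exact (scheme included) match
    for one of the connected app's Callback URLs; mirror that check client-side."""
    return uri in registered


def authorization_url(client_id, redirect_uri, state, nonce):
    """Step 1: the URL behind the 'Login with Salesforce' button."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",          # 'Allow Access to Unique Identifier'
        "state": state,             # CSRF binding for the callback
        "nonce": nonce,             # echoed back inside the id_token
    }
    return SF_LOGIN + "/services/oauth2/authorize?" + urllib.parse.urlencode(params)


def token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: form body for the POST to /services/oauth2/token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_id_token(id_token):
    """Split a JWT into its header and payload. base64url decoding only: nothing
    here proves who issued the token, which is why the claim checks follow."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_id_token_claims(claims, client_id, expected_nonce, now=None):
    """Claim checks required by OpenID Connect Core before trusting an id_token.
    Verify the RS256 signature with a JOSE library first (not shown); these
    checks are what a valid signature alone does not cover. Returns a list of
    problems, empty when the token is acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != SF_LOGIN:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud mismatch")          # token was minted for another client
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")        # replayed or injected token
    return problems


def userinfo_request(access_token):
    """Step 4: GET /services/oauth2/userinfo with Authorization: Bearer <token>."""
    return urllib.request.Request(
        SF_LOGIN + "/services/oauth2/userinfo",
        headers={"Authorization": "Bearer " + access_token},
    )


def make_unsigned_demo_token(claims):
    """Constructed sample only: header + payload with an empty signature, so the
    decoding and claim checks can be exercised without a Salesforce org."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT", "kid": "demo"}) + "." + enc(claims) + "."


def main():
    client_id = "DEMO_CLIENT_ID"                       # placeholder for the Consumer Key
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(authorization_url(client_id, CALLBACK, state, nonce))
    demo = make_unsigned_demo_token({
        "iss": SF_LOGIN, "aud": client_id, "nonce": nonce,
        "exp": int(time.time()) + 300,
        "sub": SF_LOGIN + "/id/ORGID_PLACEHOLDER/USERID_PLACEHOLDER",
    })
    header, claims = decode_id_token(demo)
    print(header["alg"], claims["sub"], check_id_token_claims(claims, client_id, nonce))


if __name__ == "__main__":
    main()
```

Run it as a script to see the authorization URL and the claim-check result for the constructed token; wiring `token_request` and `userinfo_request` to a real org only needs the Consumer Key and Secret from the connected app and the code returned to the callback.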

That’s it. You have created and tested the entire authentication flow with Salesforce!
