Integration – Authentication (OAuth & Named Credentials) Questions

Authentication is a critical aspect of integration that ensures secure communication between Salesforce and external systems. These questions cover Connected Apps, OAuth 2.0 flows, Named Credentials, JWT Bearer flow, and best practices for implementing secure authentication mechanisms. Understanding these concepts is essential for building robust and secure integration solutions that protect sensitive data and comply with security standards.

Authentication (OAuth & Named Credentials) - Q&A

  1. Q1. What is a Connected App in Salesforce?
    Ans: A Connected App:
      - Allows external applications to integrate with Salesforce securely
      - Defines OAuth settings (callback URL, scopes)
      - Can enforce IP restrictions and policies
      - Created via Setup → App Manager → New Connected App
  2. Q2. What are Remote Site Settings?
    Ans: Configuration that:
      - Allows callouts to external domains from Apex
      - Required for non-Named Credential integrations
      - Defined in Setup → Security → Remote Site Settings
      - Must specify protocol (HTTP/HTTPS) and domain
  3. Q3. What is OAuth 2.0 and why use it?
    Ans: OAuth 2.0 is an authorization framework that:
      - Allows limited access to user data without sharing credentials
      - Uses access tokens instead of passwords
      - Supports multiple flows (Web Server, JWT, Device)
      - Provides secure delegated access
  4. Q4. What are the OAuth 2.0 flows supported in Salesforce?
    Ans: Four main flows:
      1. Authorization Code (for web apps)
      2. JWT Bearer (server-to-server)
      3. Username-Password (trusted apps only)
      4. Device (for limited-input devices)
  5. Q5. How do you configure a Connected App?
    Ans: Essential settings:
      - Contact Email
      - Callback URL
      - Selected OAuth Scopes (api, refresh_token, etc.)
      - IP Relaxation (Enforce/Relax restrictions)
      - Digital Certificate (for JWT flow)
  6. Q6. What are Named Credentials?
    Ans: Secure storage for authentication details that:
      - Encrypt credentials
      - Handle authentication protocols
      - Simplify callouts (no hardcoded credentials)
      - Support OAuth, Basic Auth, and AWS SigV4
  7. Q7. How do you configure a Named Credential?
    Ans: Setup steps:
      1. Go to Setup → Named Credentials
      2. Click "New Named Credential"
      3. Enter:
        - Label (e.g., "My_API_Service")
        - URL (e.g., "https://api.example.com")
        - Identity Type (Named Principal/Per User)
        - Authentication Protocol (OAuth 2.0, Password, etc.)
      4. Save
  8. Q8. What's the difference between Named Principal and Per User in Named Credentials?
    Ans: Key differences:
      - Named Principal: Single shared identity for all users
      - Per User: Each user authenticates individually
      - Per User requires additional OAuth configuration
  9. Q9. How do you implement OAuth in Apex?
    Ans: Authorization Code flow example:
    public class OAuthHandler {
      // Placeholder values; in practice keep secrets in a Named Credential or a
      // protected custom setting rather than in source
      private static final String clientId = 'CLIENT_ID_PLACEHOLDER';
      private static final String clientSecret = 'CLIENT_SECRET_PLACEHOLDER';
      private static final String callbackUrl = 'https://example.com/oauth/callback';

      public static String getAccessToken(String code) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://login.salesforce.com/services/oauth2/token');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=authorization_code' +
          '&client_id=' + clientId +
          '&client_secret=' + clientSecret +
          '&redirect_uri=' + EncodingUtil.urlEncode(callbackUrl, 'UTF-8') +
          '&code=' + EncodingUtil.urlEncode(code, 'UTF-8'));

        HttpResponse res = new Http().send(req);
        // deserializeUntyped returns Object; cast to a map before reading the token
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        return (String) body.get('access_token');
      }
    }
  10. Q10. How do you use Named Credentials in Apex?
    Ans: Callout example:
    HttpRequest req = new HttpRequest();
    req.setEndpoint('callout:My_Named_Credential/api/users');
    req.setMethod('GET');
    HttpResponse res = new Http().send(req);
  11. Q11. What is the JWT Bearer flow and when to use it?
    Ans: Server-to-server flow that:
      - Uses digitally signed JWT instead of user credentials
      - Ideal for batch processes/integrations
      - Requires connected app with certificate
    Implementation:
    public class JWTBearerFlow {
      public static String getAccessToken() {
        // Claims are signed with the private key of the certificate uploaded in
        // Certificate and Key Management (developer name assumed: 'JwtSigningCert')
        Auth.JWT jwt = new Auth.JWT();
        jwt.setIss('CONSUMER_KEY_PLACEHOLDER');       // connected app consumer key
        jwt.setSub('integration.user@example.com');   // user the integration runs as
        jwt.setAud('https://login.salesforce.com');   // test.salesforce.com for sandboxes
        Auth.JWS jws = new Auth.JWS(jwt, 'JwtSigningCert');
        // Posts grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jws> to the token endpoint
        Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(
          'https://login.salesforce.com/services/oauth2/token', jws);
        return bearer.getAccessToken();
      }
    }
  12. Q12. How do you refresh OAuth tokens?
    Ans: Using refresh token:
    // clientId and clientSecret as defined in OAuthHandler (Q9)
    public static String refreshToken(String refreshToken) {
      HttpRequest req = new HttpRequest();
      req.setEndpoint('https://login.salesforce.com/services/oauth2/token');
      req.setMethod('POST');
      req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
      req.setBody('grant_type=refresh_token' +
        '&client_id=' + clientId +
        '&client_secret=' + clientSecret +
        '&refresh_token=' + EncodingUtil.urlEncode(refreshToken, 'UTF-8'));
      HttpResponse res = new Http().send(req);
      // The response carries a new access_token (and may rotate the refresh_token)
      Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
      return (String) body.get('access_token');
    }
  13. Q13. How do you implement mutual TLS (mTLS)?
    Ans: Steps for Named Credential:
      1. Upload client certificate in Certificate and Key Management
      2. Create Named Credential with:
        - Authentication Protocol: "Mutual TLS"
        - Certificate: Select uploaded cert
      3. Use in callouts (automatically applies certificate)
  14. Q14. How do you test OAuth integrations?
    Ans: Mocking strategy:
    @isTest
    private class OAuthTest {
      @isTest
      static void testTokenRequest() {
        // Route the callout to the mock so no real token endpoint is contacted
        Test.setMock(HttpCalloutMock.class, new MockTokenResponse());
        Test.startTest();
        String token = OAuthHandler.getAccessToken('testcode');
        Test.stopTest();
        System.assertEquals('mock_token', token);
      }

      private class MockTokenResponse implements HttpCalloutMock {
        public HttpResponse respond(HttpRequest req) {
          // Minimal token-endpoint reply; set status and content type like the real endpoint
          HttpResponse res = new HttpResponse();
          res.setStatusCode(200);
          res.setHeader('Content-Type', 'application/json');
          res.setBody('{"access_token":"mock_token"}');
          return res;
        }
      }
    }
  15. Q15. What are common authentication errors?
    Ans: Frequent issues:
      - "Remote Site Settings not configured" (add domain)
      - "Unauthorized endpoint" (check Named Credential)
      - "Invalid session ID" (expired OAuth token)
      - "Certificate not found" (verify upload)
  16. Q16. Practical Example: Salesforce to External System
    Ans: Step-by-Step OAuth Integration:
      1. Create Connected App in external system
      2. Configure callback URL in Salesforce
      3. Implement authorization flow:
    // 1. Redirect user to auth endpoint
    String authUrl = 'https://auth.example.com/authorize?' +
      'response_type=code' +
      '&client_id=' + clientId +
      '&redirect_uri=' + EncodingUtil.urlEncode(callbackUrl, 'UTF-8');
    
    // 2. Handle callback to get code
    // 3. Exchange code for tokens (Q9 example)
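    The redirect in step 1 above carries nothing that ties the callback back to the request that started it. As an added example (not code from the page), here is the same authorization-code start with a random state value that is checked on the callback and a PKCE code challenge, assuming the external authorization server supports both; the class name, endpoints and client id are placeholders.

```apex
public class ExternalOAuthClient {
    // Assumed/placeholder values: client id and callback registered with the external system
    private static final String CLIENT_ID    = 'CLIENT_ID_PLACEHOLDER';
    private static final String CALLBACK_URL = 'https://example.my.salesforce.com/apex/OAuthCallback';
    private static final String AUTH_URL     = 'https://auth.example.com/authorize';

    // Base64url without padding, as PKCE (RFC 7636) requires
    private static String b64url(Blob b) {
        return EncodingUtil.base64Encode(b).replace('+', '-').replace('/', '_').replaceAll('=+$', '');
    }

    // The caller persists this per user (e.g. Platform Cache) until the callback arrives
    public class PendingAuth {
        public String state;         // CSRF token: the callback must echo it back unchanged
        public String codeVerifier;  // sent only in the token exchange, never in the browser redirect
        public String authorizeUrl;  // where to redirect the user
    }

    public static PendingAuth beginAuthorization() {
        PendingAuth p = new PendingAuth();
        // generateAesKey is the platform's CSPRNG; 16 and 32 random bytes respectively
        p.state = b64url(Crypto.generateAesKey(128));
        p.codeVerifier = b64url(Crypto.generateAesKey(256));   // 43 chars, within the 43..128 range
        String challenge = b64url(Crypto.generateDigest('SHA-256', Blob.valueOf(p.codeVerifier)));
        p.authorizeUrl = AUTH_URL + '?response_type=code'
            + '&client_id=' + EncodingUtil.urlEncode(CLIENT_ID, 'UTF-8')
            + '&redirect_uri=' + EncodingUtil.urlEncode(CALLBACK_URL, 'UTF-8')
            + '&state=' + p.state
            + '&code_challenge=' + challenge
            + '&code_challenge_method=S256';
        return p;
    }

    // Callback handler: accept the code only if state matches what was issued for this user
    public static String extractCode(Map<String, String> params, PendingAuth pending) {
        String returned = params.get('state');
        // Apex == on strings is case-insensitive; equals() is the exact comparison wanted here
        if (returned == null || !pending.state.equals(returned)) {
            throw new CalloutException('state mismatch: possible CSRF or stale authorization attempt');
        }
        if (params.containsKey('error')) {
            throw new CalloutException('authorization failed: ' + params.get('error'));
        }
        // Exchange this code as in Q9, adding '&code_verifier=' + pending.codeVerifier to the body
        return params.get('code');
    }
}
```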
  17. Q17. Practical Example: External System to Salesforce
    Ans: Step-by-Step JWT Flow:
      1. Create Connected App in Salesforce with certificate
      2. Generate JWT in external system
      3. Authenticate:
    public static String authenticateToSalesforce() {
      // Build and sign the assertion (an external system uses its own JWT library and private key)
      Auth.JWT jwt = new Auth.JWT();
      jwt.setIss('CONSUMER_KEY_PLACEHOLDER');      // connected app consumer key
      jwt.setSub('integration.user@example.com');  // user to authenticate as
      jwt.setAud('https://login.salesforce.com');
      String assertion = new Auth.JWS(jwt, 'JwtSigningCert').getCompactSerialization();
      HttpRequest req = new HttpRequest();
      req.setEndpoint('https://login.salesforce.com/services/oauth2/token');
      req.setMethod('POST');
      req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
      req.setBody('grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=' + assertion);
      HttpResponse res = new Http().send(req);
      Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
      return (String) body.get('access_token');
    }
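    As an added example (not code from the page), here is what step 2 of the JWT flow in Q11 and Q17 looks like when the assertion is built by hand, as an external system without Salesforce's Auth classes must do: RS256 header, iss/sub/aud/exp claims, base64url encoding, signing with the private key that matches the certificate on the Connected App, then the token exchange with a check on the error response. It is written in Apex to match the page (signing via Crypto.signWithCertificate); the consumer key, username and certificate developer name are placeholders.

```apex
public class JwtBearerClient {
    // Assumed/placeholder values: Connected App consumer key, the user to run as, and the
    // developer name of the signing certificate in Certificate and Key Management
    private static final String CLIENT_ID  = 'CONSUMER_KEY_PLACEHOLDER';
    private static final String SUBJECT    = 'integration.user@example.com';
    private static final String CERT_NAME  = 'JwtSigningCert';
    // Use https://test.salesforce.com for sandboxes; aud must match the login host used
    private static final String LOGIN_HOST = 'https://login.salesforce.com';

    // Base64url per RFC 7515: URL-safe alphabet, padding stripped
    private static String b64url(Blob b) {
        return EncodingUtil.base64Encode(b).replace('+', '-').replace('/', '_').replaceAll('=+$', '');
    }

    // header.payload signed with RSA-SHA256 -> compact JWS serialization
    public static String buildAssertion() {
        Map<String, Object> header = new Map<String, Object>{ 'alg' => 'RS256', 'typ' => 'JWT' };
        Long nowSecs = DateTime.now().getTime() / 1000;
        Map<String, Object> claims = new Map<String, Object>{
            'iss' => CLIENT_ID,
            'sub' => SUBJECT,
            'aud' => LOGIN_HOST,
            'exp' => nowSecs + 180   // exp is required; keep the assertion short-lived
        };
        String signingInput = b64url(Blob.valueOf(JSON.serialize(header))) + '.'
                            + b64url(Blob.valueOf(JSON.serialize(claims)));
        Blob signature = Crypto.signWithCertificate('RSA-SHA256', Blob.valueOf(signingInput), CERT_NAME);
        return signingInput + '.' + b64url(signature);
    }

    public static String getAccessToken() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(LOGIN_HOST + '/services/oauth2/token');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer'
                  + '&assertion=' + buildAssertion());
        HttpResponse res = new Http().send(req);
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        if (res.getStatusCode() != 200) {
            // Typical failure is invalid_grant: user has not approved the app, wrong aud,
            // or an expired assertion; surface the server's description rather than swallowing it
            throw new CalloutException('Token request failed: ' + body.get('error')
                + ' - ' + body.get('error_description'));
        }
        return (String) body.get('access_token');
    }
}
```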
