简体繁体 English

使用Google作为身份提供商使用Salesforce进行Api身份验证

[英]Api Authentication with Salesforce using Google as an Identity Provider

原文 2019-02-22 16:10:25 1 1 authentication/ oauth-2.0/ salesforce/ google-oauth2/ api-authorization

I'm a bit new to the authentication/authorization landscape and need some advice on how to architect/implement an application that will ultimately be connecting to Salesforce and retrieving information. 我对身份验证/授权环境有些陌生，并且需要一些有关如何架构/实现最终将连接到Salesforce并检索信息的应用程序的建议。 At a very high-level, I'm building a mobile app that will need to pull Salesforce related data to display to the user. 从高度上讲，我正在构建一个移动应用程序，它将需要提取与Salesforce相关的数据以显示给用户。 Their specific Salesforce instance uses Google as the identity provider. 他们的特定Salesforce实例使用Google作为身份提供者。 Also, we are planning to put a gateway in place to orchestrate all communication with Salesforce and potentially do some response aggregation. 另外，我们计划放置一个网关来协调与Salesforce的所有通信，并可能进行一些响应汇总。 We're also planning on using Cognito to handle the identity management. 我们还计划使用Cognito处理身份管理。 My specific questions are: 我的具体问题是：

Will I be authenticating through the Salesforce auth endpoints? 我将通过Salesforce身份验证端点进行身份验证吗？ If Salesforce is ultimately using Google as an identity provider, wouldn't it make sense to retrieve that token directly from Salesforce itself? 如果Salesforce最终将Google用作身份提供者，那么直接从Salesforce本身检索该令牌是否有意义？
1. Will I need to register the mobile app as an application as well within Salesforce or Google? 我是否需要在Salesforce或Google中将移动应用程序注册为应用程序？ I understand that Salesforce itself needs registered within Google to allow for using Google as an identity provider in Salesforce, but does it make sense to register both? 我了解Salesforce本身需要在Google中进行注册才能允许将Google用作Salesforce中的身份提供者，但是同时注册两者是否有意义？
2. There is currently no need to restrict resource access, as any user that can log in can see everything. 当前无需限制资源访问，因为任何可以登录的用户都可以看到所有内容。 Will that effect the implementation at all? 这会完全影响实施吗？ Essentially, if a user can log into Salesforce with their Google creds (aka they have a user mapped), then they should be able to see anything. 本质上，如果用户可以使用其Google凭据（也就是已经映射了用户）登录到Salesforce，那么他们应该可以看到任何内容。

I'm sure that I'm asking some naive quesitons, and really don't know where to start. 我确定我要问一些幼稚的问题，而且真的不知道从哪里开始。 I've recently build an Api for Salesforce Connect's use using Azure as an identity provider and that was fairly straightforward, though that was machine-to-machine and much simpler. 我最近使用Azure作为身份提供程序来构建供Salesforce Connect使用的Api，这相当简单，尽管这是机器对机器并且简单得多。 Any help at all would be greatly appreciated. 任何帮助将不胜感激。 Thank you. 谢谢。

1 个解决方案

It has been a while... not sure you still have an issue. 已经有一段时间了...不确定您还有问题。

Assuming salesforce is configured to use Google for auth/as an Auth Provider : you have to have your app auth to salesforce , and salesforce will automatically redirect the user to auth to Google (or ensure there is an existing valid Google user session, and let you access salesforce ). 假设将salesforce配置为使用Google进行身份验证/作为身份Auth Provider ：您必须将应用程序auth授予salesforce ，并且salesforce会自动将用户重定向到auth进行Google身份验证（或确保存在现有的有效Google用户会话，并让您可以访问salesforce ）。 Google with issue a token to salesforce , and salesforce will issue its own token to your app. Google向salesforce发行令牌，而salesforce将向您的应用程序发行自己的令牌。