REST API & Authentication
Developers
Chuck Mortimore: salesforce.com
Alex Toussaint: salesforce.com
Sanjay Gidwani: salesforce.com
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year ended January 31, 2010. These documents and others are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Alex Toussaint
salesforce.com
Agenda
Shift in Cloud Computing
Force.com API Family
REST API
OAuth2
Demos
– REST Explorer
– Android Client
– HTML5/iPad
Q & A
Fundamental Shift in Cloud Computing
Collaboration . Real-time . Mobile
Low Cost . Fast . Easy-to-use
The Force.com API
SOAP API
– Most popular API in use today
– SOAP based services
– Synchronous
Bulk API
– Ideal for very large data sets
– REST based services
– Asynchronous
REST API (Pilot for Winter '11 Release)
– Brand new API suitable for Web 2.0 projects, mobile devices, HTML5
– REST based services
– Synchronous
– Pilot launch with over 1000 developers
What is REST?
The term Representational State Transfer was introduced and defined in 2000 by Roy Fielding in his doctoral dissertation:
– http://www.ics.uci.edu/~taylor/documents/2002-REST-TOIT.pdf
Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web
It simplifies how developers build applications and services that work over the web
Characteristics
Can you translate that to English for me?
– What is a resource?
Leverage HTTP
– Each resource in the Force.com REST API is a named URI that is used with an HTTP method such as HEAD, GET, POST, PATCH, or DELETE.
Stateless
– Each request from client to server must contain all the information necessary to understand the request, and must not rely on any stored context on the server
Caching behavior
– Responses are labeled as cacheable or non-cacheable
Uniform interface
– All resources are accessed with a generic interface over HTTP
Named resources
– All resources are named using a base URI that follows Salesforce URI
Characteristics
Authentication
– The Force.com REST API supports OAuth 2.0
– and our standard ways to get a SID
Support for XML and JSON
– You can use the HTTP Accept header to select either JSON or XML to be returned, or append .json or .xml to the URI, for example
– /Account/001D000000INjVe.json
JSON format
– The JavaScript Object Notation (JSON) format is supported with UTF-8, with date-time information in ISO 8601 format.
XML format
– XML requests are supported in UTF-8 and UTF-16
– and XML responses are provided in UTF-8
Anatomy of a REST API call
HTTP Method + Resource + Authorization
– curl http://na1.salesforce.com/services/data/v20.0/sobjects/Account/ -H "Authorization: OAuth token" -H "X-PrettyPrint:1"
– curl http://na1.salesforce.com/services/data/v20.0/sobjects/attachment/001D000000INjVe/body -H "Authorization: OAuth token" -H "X-PrettyPrint:1"
– curl "http://na1.salesforce.com/services/data/v20.0/query/?q=SELECT+name+from+Account" -H "Authorization: OAuth token" -H "X-PrettyPrint:1"
An HTTP Accept header used to indicate the resource format (XML or JSON), or a .json or .xml extension
Any JSON or XML files for requests, such as updating a record with new information
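The three curl lines above each combine a method, a resource URI and the Authorization header. The following Python is an added example (not code from the slides or from Salesforce) that assembles the same three kinds of call, plus a PATCH with a JSON body, from an instance URL and an access token. The host, token and record id are placeholders; the requirement that the token travel only in a header and only over https is my addition, since the slides print http:// hosts for brevity.

```python
"""Assemble Force.com REST calls: HTTP method + resource URI + Authorization header.

Added example. Host, token and record ids are placeholders; only the path layout
(/services/data/v20.0/...) and the header names follow the slides.
"""
import json
from urllib.parse import urlencode, quote_plus

API_VERSION = "v20.0"  # the version used in the slide's curl examples
ACCEPT_TYPES = {"json": "application/json", "xml": "application/xml"}


def base_uri(instance_url):
    """Base URI of the data API on the user's instance (instance_url from the token response)."""
    return instance_url.rstrip("/") + "/services/data/" + API_VERSION


def sobject_url(instance_url, sobject, record_id=None, extension=None):
    """Resource URI for an sObject collection or one record.

    `extension` appends .json or .xml to a record URI, the alternative to the
    Accept header mentioned on the slides (e.g. /Account/001D000000INjVe.json).
    """
    url = f"{base_uri(instance_url)}/sobjects/{sobject}/"
    if record_id:
        url += record_id
        if extension:
            if extension not in ACCEPT_TYPES:
                raise ValueError("extension must be json or xml")
            url += "." + extension
    return url


def query_url(instance_url, soql):
    """Query resource; quote_plus encodes spaces as '+', giving q=SELECT+name+from+Account."""
    return f"{base_uri(instance_url)}/query/?" + urlencode({"q": soql}, quote_via=quote_plus)


def build_call(method, url, access_token, fmt="json", body=None, pretty=True):
    """Return the request as a dict with method, url, headers and body.

    The access token is an API-only session id: it goes in the Authorization
    header, never in the URL (where it would land in proxy and server logs),
    and only over https (my assumption; the slides show http:// for brevity).
    """
    if not access_token:
        raise ValueError("missing access token")
    if not url.startswith("https://"):
        raise ValueError("send the OAuth token over https only")
    if access_token in url:
        raise ValueError("access token must not appear in the URL")
    headers = {"Authorization": "OAuth " + access_token, "Accept": ACCEPT_TYPES[fmt]}
    if pretty:
        headers["X-PrettyPrint"] = "1"  # as on the slide's curl lines
    encoded = None
    if body is not None:
        # request payload for PATCH/POST, e.g. updating a record with new field values
        headers["Content-Type"] = ACCEPT_TYPES[fmt]
        encoded = json.dumps(body) if fmt == "json" else body
    return {"method": method, "url": url, "headers": headers, "body": encoded}


if __name__ == "__main__":
    host, token = "https://na1.salesforce.com", "PLACEHOLDER_ACCESS_TOKEN"
    for call in (
        build_call("GET", sobject_url(host, "Account"), token),
        build_call("GET", query_url(host, "SELECT name from Account"), token),
        build_call("PATCH", sobject_url(host, "Account", "001D000000INjVe"), token,
                   body={"Name": "Renamed Account"}),
    ):
        print(call["method"], call["url"], call["headers"], call["body"])
```

The dict returned by build_call maps directly onto any HTTP client; the point of keeping it a plain structure is that the URL and headers can be inspected (and logged with the token redacted) before anything is sent.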
Chuck Mortimore
salesforce.com
What is OAuth?
An open protocol to allow secure API access in a simple and standard method from desktop and web applications
A delegated authentication and authorization protocol
Standardization of common, successful API patterns
Simple
Why OAuth
Stop the password anti-pattern
– Reduce the security and management issues with passwords
Explicit grant of permission by user or admin
– Allows trust management at massive scale
Credential is per service provider
– Revocable without changing the password
Browser-based authentication for rich clients
– Makes it possible to participate in SSO
Introducing OAuth 2
Looking to correct/improve issues with 1.0
Based on OAuth WRAP
Actively being defined in an IETF WG
– Salesforce, Google, Microsoft, Facebook, Twitter, Yahoo, and lots of others
Initial implementations from MSFT, Google, Twitter, Facebook, 37signals, GitHub… and Salesforce
Very simple programming model
Defined flows for a wide set of clients
Several example libraries available
OAuth ("Remote Access") at Salesforce.com
2 types of Remote Access clients
– Managed Package can "connect" to any org
– Non-Package limited to a single org
– We also have a global whitelist for approved clients
Support for both 1.0a and 2.0 (IETF draft 10)
– Focus is on 2.0 going forward
Flows
Web Server Flow
– Web servers can protect secrets. Code returned to the callback URL and exchanged for a token via a POST
User Agent Flow
– Used for JavaScript, mobile, and desktop. Token returned directly to the callback URL behind the # fragment
User Name / Password Flow
– Used for simple server-to-server integration use cases
Assertion Flow
– Exchange a SAML assertion for a token. Reuse your web SSO infrastructure for the API
Using a Token
Token response:
– XML or JSON
– access_token: an API-only SID
– refresh_token: a token you can use to get new access_tokens
– instance_url: the user's instance
– id: a URL that is both a unique id for the user and a getUserInfo
Using it with the API
– REST: HTTP header "Authorization: OAuth <access_token>"
– SOAP: place the access token in the SOAP header like a SID
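The Web Server and User Agent flows from the Flows slide, and the token response fields listed above, are worked through in the following Python. It is an added example, not Salesforce's library code: the two endpoint URLs are the ones the deck names, but client_id, client_secret, the redirect URI and every token value are constructed placeholders. The `state` parameter, which binds a callback to the session that started the authorization, is part of the IETF OAuth 2 drafts but is not mentioned on the slides; its use here is my addition.

```python
"""Client-side steps of the OAuth 2 Web Server and User-Agent flows against the
Salesforce Authorization and Token Services named on the slides.

Added example. Client credentials, redirect URI and token values are placeholders.
"""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
REQUIRED_TOKEN_FIELDS = ("access_token", "instance_url", "id")  # fields listed on the slide
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

# Constructed token response in the shape the slide describes (not a real token).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "CONSTRUCTED.access.token",
    "refresh_token": "CONSTRUCTED.refresh.token",
    "instance_url": "https://na1.salesforce.com",
    "id": "https://login.salesforce.com/id/ORGID_PLACEHOLDER/USERID_PLACEHOLDER",
})


def new_state():
    """Unguessable per-authorization value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def authorize_url(client_id, redirect_uri, state, flow="web_server"):
    """Redirect target. Web Server flow asks for a code (exchanged server-side);
    User-Agent flow asks for the token itself, which comes back in the # fragment."""
    response_type = {"web_server": "code", "user_agent": "token"}[flow]
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def _checked_params(raw, expected_state):
    """Decode callback parameters and refuse any not tied to our own pending authorization."""
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in params:
        raise ValueError("authorization refused: " + params["error"])
    return params


def _require_token_fields(token):
    missing = [f for f in REQUIRED_TOKEN_FIELDS if f not in token]
    if missing:
        raise ValueError("token response missing " + ", ".join(missing))
    return token


def code_from_callback(callback_url, expected_state):
    """Web Server flow: the authorization code arrives in the callback's query string."""
    return _checked_params(urlparse(callback_url).query, expected_state)["code"]


def token_exchange_request(client_id, client_secret, code, redirect_uri):
    """Web Server flow: POST the code, with the secret only the web server holds, to the Token Service."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri})
    return {"method": "POST", "url": TOKEN_URL, "headers": FORM, "body": body}


def refresh_request(client_id, client_secret, refresh_token):
    """Trade a refresh_token for a new access_token without another user login."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})
    return {"method": "POST", "url": TOKEN_URL, "headers": FORM, "body": body}


def parse_token_response(raw_json):
    """Parse the Token Service's JSON reply and check the fields the API calls will need."""
    return _require_token_fields(json.loads(raw_json))


def token_from_fragment(callback_url, expected_state):
    """User-Agent flow: token fields sit behind '#', so they never reach the callback
    server; browser-side script reads them from the fragment."""
    return _require_token_fields(_checked_params(urlparse(callback_url).fragment, expected_state))


def rest_auth_header(token):
    """Header the slide specifies for REST calls with the obtained access_token."""
    return {"Authorization": "OAuth " + token["access_token"]}


if __name__ == "__main__":
    state = new_state()
    print(authorize_url("PLACEHOLDER_CLIENT_ID", "https://app.example.com/callback", state))
    token = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    print(rest_auth_header(token), token["instance_url"])
```

The split between the two flows follows from who can keep a secret: only the Web Server flow ever sends client_secret, and the User-Agent flow's token is confined to the fragment, which browsers do not transmit to the callback host. Treat the refresh_token as a long-lived credential and store it with the same care as a password.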
New Identity URL Service
Based upon the OpenID Connect proposal
Returns a central identity URL
– https://login.salesforce.com/id/{orgid}/{userid}
Basic profile information similar to GetUserInfo
Chatter status and photos
Discovery service for API endpoints
Configuring a Client
Setup/Administration/Create/Remote Access
Alex Toussaint
salesforce.com
When to use REST?
Applications running on a browser or mobile device
– Simpler syntax, small footprint
– Leverage HTTP standards
– Front-end, client-based integrations
Web 2.0 type projects
– Commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design, and collaboration
– User interacting with the system, getting data a chunk at a time
Enterprise projects where a WSDL contract is not required
– The detailed data typing provided by WSDL is not required
– JSON formatted results
– HTTP methods are your method calls
Demos!
Next Steps
1. Register for a Developer Account
– http://developer.force.com/
2. Get the REST API enabled in your org
– https://www.developerforce.com/events/rest_developer_preview/registration.php
3. Get a copy of our REST API documentation
– http://boards.developerforce.com/t5/REST-API-Integration/bd-p/integration
4. Get involved in the REST discussion groups
– http://boards.developerforce.com/t5/REST-API-Integration/bd-p/integration
5. Come meet us at CloudStock 2010
– http://www.cloudstockevent.com/?d=70130000000FWtI
6. Come meet us at Dreamforce 2010
– http://www.salesforce.com/dreamforce/DF10/home/
7. Survey
– http://bit.ly/RESTAPI6am
OAuth 2 at Salesforce Information
New features
– iPhone/Android and popup login pages
– API-only tokens for improved security
Authorization Service
– For end-user authentication and authorization
– https://login.salesforce.com/services/oauth2/authorize
Token Service
– For back-end communication and exchange of tokens
– https://login.salesforce.com/services/oauth2/token
Terminology
– access_token = SID
– refresh_token can be exchanged for an access_token
{
  "user_type":"STANDARD",
  "urls":{
    "custom_domain":"https://identityorg.my.salesforce.com",
    "enterprise":"https://identityorg.my.salesforce.com/services/Soap/c/20.0/00DD0000000FH8l",
    "partner":"https://identityorg.my.salesforce.com/services/Soap/u/20.0/00DD0000000FH8l",
    "REST":"https://identityorg.my.salesforce.com/coming/soon",
    "profile":"https://identityorg.my.salesforce.com/005D0000001Az1u",
    "metadata":"https://identityorg.my.salesforce.com/services/Soap/m/20.0/00DD0000000FH8l"
  },
  "locale":"en_US",
  "asserted_user":true,
  "id":"https://login.salesforce.com/id/00DD0000000FH8l/005D0000001Az1u",
  "nick_name":"demouser",
  "photos":"http://comingsoon.salesforce.com/photosoon",
  "display_name":"Demo User",
  "email":"[email protected]",
  "organization_id":"00DD0000000FH8l",
  "active":true,
  "utcOffset":-28800000,
  "user_id":"005D0000001Az1u",
  "language":"en_US"
}
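The identity document above doubles as the discovery service for API endpoints, so a client should check it for internal consistency before directing traffic at the URLs it lists. The following Python is an added example (not Salesforce code): it uses the response printed on the slide as its sample input, with the email replaced by a constructed placeholder, and verifies that the `id` URL is the one the token response handed out, that its org and user segments match organization_id and user_id, and that every listed endpoint is https on the org's own host.

```python
"""Validate an Identity URL response before trusting it for endpoint discovery.

Added example. SAMPLE_IDENTITY is the slide's response with a placeholder email.
"""
import json
from urllib.parse import urlparse

SAMPLE_IDENTITY = """{
"user_type":"STANDARD",
"urls":{
"custom_domain":"https://identityorg.my.salesforce.com",
"enterprise":"https://identityorg.my.salesforce.com/services/Soap/c/20.0/00DD0000000FH8l",
"partner":"https://identityorg.my.salesforce.com/services/Soap/u/20.0/00DD0000000FH8l",
"REST":"https://identityorg.my.salesforce.com/coming/soon",
"profile":"https://identityorg.my.salesforce.com/005D0000001Az1u",
"metadata":"https://identityorg.my.salesforce.com/services/Soap/m/20.0/00DD0000000FH8l"
},
"locale":"en_US",
"asserted_user":true,
"id":"https://login.salesforce.com/id/00DD0000000FH8l/005D0000001Az1u",
"nick_name":"demouser",
"photos":"http://comingsoon.salesforce.com/photosoon",
"display_name":"Demo User",
"email":"demouser@example.com",
"organization_id":"00DD0000000FH8l",
"active":true,
"utcOffset":-28800000,
"user_id":"005D0000001Az1u",
"language":"en_US"
}"""


def parse_identity(raw_json, expected_id_url=None):
    """Parse the identity document and reject inconsistent or unexpected contents.

    expected_id_url is the `id` field from the token response; when given, the
    document must describe that same identity.
    """
    ident = json.loads(raw_json)
    if expected_id_url is not None and ident["id"] != expected_id_url:
        raise ValueError("identity document is not for the id URL from the token response")
    # The id URL is https://login.salesforce.com/id/{orgid}/{userid}
    org, user = ident["id"].rstrip("/").split("/")[-2:]
    if (org, user) != (ident["organization_id"], ident["user_id"]):
        raise ValueError("id URL does not match organization_id/user_id")
    # Discovered endpoints must be https and live on the org's own host
    org_host = urlparse(ident["urls"]["custom_domain"]).netloc
    for name, url in ident["urls"].items():
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != org_host:
            raise ValueError(f"endpoint {name} is not https on {org_host}: {url}")
    return ident


def endpoint(ident, name):
    """Look up one discovered endpoint (enterprise, partner, REST, metadata, profile)."""
    return ident["urls"][name]


if __name__ == "__main__":
    me = parse_identity(SAMPLE_IDENTITY,
                        "https://login.salesforce.com/id/00DD0000000FH8l/005D0000001Az1u")
    print(me["display_name"], endpoint(me, "partner"))
```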
Discover Developer Learning Paths that help you achieve Success
Visit the Developer Training and Support Booth in Force.com Zone
Developer training, certification and support resources
Find us in the Partner Demo Area of Force.com Zone, 2nd Floor Moscone West
Learn about Developer Certifications
Remember...
Check Chatter for additional session information
Get your developer Workbooks and Cheat Sheets in the Force.com Zone
Visit for more information related to this topic
Don't forget the survey!
How Could Dreamforce Be Better? Tell Us!
Log in to the Dreamforce app to submit surveys for the sessions you attended
OR
Use the Dreamforce Mobile app to submit surveys
Every session survey you submit is a chance to win an iPod nano!