
Enjoy Basics of Authentication Like Never Before

The document discusses authentication for APIs, including the difference between authentication and authorization, common authentication types like API keys and OAuth, and how to read API documentation to determine required authentication. It also provides a demonstration of calling a food image API with no authentication using Postman.

Uploaded by Mahesh Babu

Enjoy Basics of Authentication Like Never Before


Hello, my name is Smriti Sharan. I am an avid blogger and YouTuber. I aim to make learning fun!!

Simmy: We will walk through

● Overview of Inbound vs Outbound Integration
● What is Authentication
● Why APIs need Authentication
● Authentication vs Authorization
● Overview of the types of authentication
● How to Read an API Documentation
● Demo to Fetch Yummy Food Pictures

All in a fun way, like you are 10. So, let's get started!

Simmy: We had a little conversation about Callout vs Callin in the video ‘Let’s Have Fun With API in Salesforce’. Go check that out.

Now let’s have a quick revision of that topic to go to the next level in understanding integration.

Outbound Integration (Callout): Salesforce initiates contact with an external system. This occurs when Salesforce sends a request to an external system to retrieve data; this is known as a callout. It's Salesforce reaching out to another system. For example:

● Querying a weather API for the latest forecasts
● Fetching cute cat pictures from a cat API

Concepts used here are:

● Named Credentials
● Remote Site Settings

(Note: We will discuss the details of named credentials and remote site settings in a later session.)

Inbound Integration (Callin): An external system initiates contact with Salesforce. This means the external system makes a request to Salesforce. For example, Skippy popsicles making a request to Salesforce.

Concepts used here are:

● Connected Apps
● OAuth Flows

(Note: We will discuss the details of connected apps and OAuth flows in a later session.)
Cloudy: Now I have a fair understanding of Callout and Callin.

Simmy: That's great, now let’s observe something interesting.

1. Cute Cat Pictures API: In this case, you simply take the URL provided by the API and make a request. The Cat API does not require additional authentication, so you can directly access and view the cat pictures. It means there’s no need to prove your identity to get access to cat pictures.

2. Weather API: Unlike the Cat Pictures API, the Weather API requires an extra layer of security. It provides an API key, which must be included in the request header. This key confirms your identity to the API, ensuring that only authorized users can access the weather data.


Cloudy: Why the difference in proving the identity?

Simmy: This is because of ‘authentication’. The two APIs use different types of authentication, basically checking your identity before giving you access to the API.


Cloudy: Oh, now what is authentication?

Simmy: Simply put, authentication is like proving who you are. It is like showing your ID. For instance, if you are going to Disney Theme Park, you show proof of identity to the gatekeeper to enter the park.


Cloudy: Why do APIs even need authentication?

Simmy: Most commercial APIs need authentication. Without it, anyone could use the API as much as they want without registering. This could lead to overuse or misuse of the API. This will make it hard for the API provider to manage traffic or generate revenue from it.

For example, consider how a restaurant delivery app like Zomato uses Google Maps to show where the delivery driver is. If Google Maps didn't control access with authentication, then any company could flood their service with requests all the time.

Authentication helps:

● keep track of who is using the API
● limit how often they can use it

Additionally, there wouldn’t be a way to protect against requests from malicious users that might delete another user’s data. Think about it: what if someone makes a delete request?


Cloudy: Oh, clearly, API developers must think about ways to authenticate who makes a request.

Simmy: Authentication is very tightly linked to another idea, authorization, so let’s understand it.

Authorization is what you are allowed to do after you have proven your identity. Like, after entering the Disney theme park, which rides you are allowed to take.


In summary:
Authentication: Refers to proving correct identity
Authorization: Refers to allowing a certain action
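
An added example (not part of the original document) of the points above: a Python request handler that authenticates a caller by API key, tracks how often that caller uses the API, and then authorizes the requested action. The key values, the `X-API-Key` header name, the per-minute quota and the `handle_request` function are assumptions made for illustration.

```python
import time

# Constructed sample registry: API key -> owner, permitted methods, quota.
API_KEYS = {
    "key-zomato-demo": {"owner": "delivery-app", "allowed": {"GET"}, "per_minute": 3},
    "key-admin-demo": {"owner": "provider-admin", "allowed": {"GET", "DELETE"}, "per_minute": 3},
}
_usage = {}  # API key -> timestamps of that caller's recent requests


def handle_request(method, headers, now=None):
    """Return (status, message) for one request to a hypothetical resource."""
    now = time.time() if now is None else now
    key = headers.get("X-API-Key")  # assumed header name

    # Authentication: who is calling? No key or an unknown key -> 401.
    client = API_KEYS.get(key)
    if client is None:
        return 401, "missing or unknown API key"

    # Usage tracking: count this caller's requests in the last 60 seconds.
    recent = [t for t in _usage.get(key, []) if now - t < 60]
    if len(recent) >= client["per_minute"]:
        _usage[key] = recent
        return 429, f"rate limit reached for {client['owner']}"
    _usage[key] = recent + [now]

    # Authorization: is this identified caller allowed to do this action?
    if method not in client["allowed"]:
        return 403, f"{client['owner']} may not {method}"
    return 200, f"{method} ok for {client['owner']}"
```

A caller with no key is rejected with 401 (not authenticated), while a known caller asking for `DELETE` without permission gets 403 (authenticated but not authorized).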

Cloudy: What are the types of authentication?

Simmy: Let's review the 6 most used authentication methods today. Essentially, different systems use different methods to confirm that users are who they claim to be.

● No Authentication
● API Key
● Basic
● Bearer
● Digest
● OAuth

and others…

(Note: We will understand all the types of authentication in detail in upcoming sessions.)

Simmy: Now, we will understand how to read an API documentation to find out what kind of authentication it uses and how to make the request using Postman.

Cloudy: Before this, how do I know what type of authentication to use?

Simmy: By reading the API documentation we get to know which authentication we need to go for. In the case of the weather API, the API documentation clearly states that to access the data we need to use the API key.

Cloudy: Can I see APIs with different authentication in real time?
Simmy: Demo Time

This GitHub repository provides all the APIs which don’t need any authentication, so do check it out.

For instance, let’s check Random Pics of Food Dishes.

Step 1: Find the Base URL. Here it is https://foodish-api.com/

Step 2: Go to Postman to test the API

a. Set the method to GET, as you want to retrieve data

b. Put in the Base URL to test the API

c. Click on Send

Notice the status is 200, which means that the request is successful, and in the body you see the response.

Step 3: Now go to the API documentation to see how to fetch a particular resource from the endpoint, like a food image in this case.

Notice what kind of authentication, if any, you need. Here, there is no mention of authentication in the documentation, which means you can access the resource without proving your identity.

For instance, I want to see Biryani, so I will click on Biryani. Put the URL https://foodish-api.com/images/biryani/biryani19.jpg in the request and click on Send. In a matter of seconds, you will see an image of yummy Biryani.

Cloudy: OMG, I started feeling hungry!

Cloudy: In the very beginning we talked about Callin and Callout. Where does authentication fit in that picture?

Simmy: Great question! Understanding this can be a bit tricky for beginners, so let's break it down.

When we talk about making a callout, we need to know the type of authentication the system needs to let us access the resource. It can come in different forms, from a simple username and password authentication, to a more secure method like an API key, or even a more complex system like OAuth.

Don’t worry, we will understand all the types of authentication in detail in upcoming sessions.

When discussing inbound integrations in Salesforce, it's crucial to understand OAuth 2.0 and OpenID Connect. Salesforce utilizes these protocols for robust authentication and authorization.

(Note: We will delve deeper into OAuth 2.0 and OpenID Connect in upcoming sessions.)

Cloudy - If you enjoyed this document then feel free to connect with me on:

● LinkedIn
● Subscribe to my YouTube Channel
● Follow my Blog – sfdcAmplified

