Enjoy Basics of Authentication Like never Before
Hello, my name is Smriti Sharan. I am an avid blogger and YouTuber. I aim to make learning fun!!
Simmy: We will walk through
- Overview of Inbound vs Outbound Integration
- What is Authentication
- Why APIs need Authentication
- Authentication vs Authorization
- Overview of the types of authentication
- How to read API documentation
- Demo to fetch yummy food pictures
All in a fun way, like you are 10. So, let’s get started!
Simmy: We had a little conversation about Callout vs Callin in the video ‘Let’s Have Fun With API in Salesforce’. Go check that out.
Now let’s have a quick revision of that topic so we can go to the next level in understanding integration.
Outbound Integration (Callout): Salesforce initiates contact with an external system. When Salesforce sends a request to an external system to retrieve data, this is known as a callout. It’s Salesforce reaching out to another system. For example:
When querying a weather API for the latest forecasts
Fetching cute cat pictures from a cat API
Concepts used here are:
Named Credentials
Remote Site Settings
(Note: We will discuss details of named credential and remote site settings in later session)
Inbound Integration (Callin): An external system initiates contact with Salesforce. This means the external system makes a request to Salesforce. For example, Skippy Popsicles making a request to Salesforce.
Concepts used here are:
Connected Apps
OAuth Flows
(Note: We will discuss details of connected apps and OAuth flows in a later session)
Cloudy: Now I got a fair understanding of Callout and Callin.
Simmy: That’s great, now let’s observe something interesting.
1. Cute Cat Pictures API: In this case, you simply take the URL provided by the API and make a request.
The Cat API does not require any additional authentication; you can directly access and view the cat pictures. There’s no need to prove your identity to get access to them.
2. Weather API: Unlike the Cat Pictures API, the Weather API requires an extra layer of security. It provides an API Key, which must be included in the request header.
This key confirms your identity to the API, ensuring that only authorized users can access the weather data.
Cloudy: Why the difference in proving identity?
Simmy: This is because of ‘Authentication’. The two APIs use different types of authentication, which is basically checking your identity before giving you access to the API.
Cloudy: Oh, now what is Authentication?
Simmy: Simply put, authentication is proving who you are. It is like showing your ID. For instance, if you are going to a Disney theme park, you show proof of identity to the gatekeeper to enter the park.
Cloudy: Why do APIs even need authentication?
Simmy: Most commercial APIs need authentication. Without it, anyone could use the API as much as they want without registering, which could lead to overuse or misuse of the API.
This would make it hard for the API provider to manage traffic or generate revenue from it.
For example, consider how a restaurant delivery app like Zomato uses Google Maps to show where the delivery driver is. If Google Maps didn’t control access with authentication, then any company could flood their service with requests all the time.
Authentication helps the provider keep track of:
- who is using the API
- how often they are allowed to use it
Additionally, without authentication there wouldn’t be a way to protect against requests from malicious users that might delete another user’s data. Think about it: what if someone makes a delete request?
Cloudy: Oh, clearly API developers must think about ways to authenticate whoever makes a request.
Simmy: Authentication is very tightly linked to another idea – authorization, so let’s understand it.
Authorization is what you are allowed to do after you have proven your identity. Like, after entering the Disney theme park, what all rides you are allowed to take.
In summary:
Authentication: Refers to proving correct identity
Authorization: Refers to allowing a certain action
Cloudy: What are the types of authentication ?
Simmy: Let’s review the 6 most used authentication methods today. Essentially, different systems use different methods to confirm that users are who they claim to be.
- No Authentication
- API Key
- Basic
- Bearer
- Digest
- OAuth
and others…
(Note: We will understand all the types of authentication in detail in upcoming sessions.)
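As an added example (not code from the original post), here is an Apex helper that shows how the first four methods in the list change the outgoing request, and why the Cat API call earlier needed nothing while the weather API needed a key header. It also maps the two failure status codes back to the summary above: 401 means authentication failed, 403 means authorization failed. The header name x-api-key, the host api.example.com and the credential values are placeholders, not from any real provider; Digest and OAuth are left out because they need a challenge or token exchange before a header can be built.

```apex
// Added example, not from the original post. Endpoint and credential values are
// placeholders; in a real org store the secret in a Named Credential or Protected
// Custom Metadata rather than in source.
public with sharing class AuthHeaderDemo {

    // The four schemes that can be expressed as a single request header.
    public enum Scheme { NONE, API_KEY, BASIC, BEARER }

    // Builds a GET request and attaches the credential in the shape the scheme expects.
    public static HttpRequest buildRequest(String endpoint, Scheme scheme, String credential) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(endpoint);
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds; fail fast instead of hanging the transaction

        if (scheme == Scheme.API_KEY) {
            // The header name is provider-specific and comes from the API documentation;
            // 'x-api-key' is a common convention used here only as a placeholder.
            req.setHeader('x-api-key', credential);
        } else if (scheme == Scheme.BASIC) {
            // credential is 'username:password'. Basic is base64 encoding, not encryption,
            // so it is only acceptable over HTTPS.
            req.setHeader('Authorization', 'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(credential)));
        } else if (scheme == Scheme.BEARER) {
            // credential is an access token obtained earlier (for example through OAuth).
            req.setHeader('Authorization', 'Bearer ' + credential);
        }
        // Scheme.NONE: nothing to add; the Cat / Foodish style APIs answer anyone.
        return req;
    }

    // Sends the request and returns the body, or null (with a debug line) on failure.
    public static String send(HttpRequest req) {
        HttpResponse res = new Http().send(req);
        Integer code = res.getStatusCode();
        if (code == 401) {
            // Authentication failed: the credential was missing or rejected.
            System.debug('401: identity not proven - ' + res.getStatus());
            return null;
        }
        if (code == 403) {
            // Authorization failed: identity accepted, but this action is not allowed.
            System.debug('403: not allowed - ' + res.getStatus());
            return null;
        }
        if (code != 200) {
            System.debug('Unexpected status ' + code + ': ' + res.getStatus());
            return null;
        }
        return res.getBody();
    }

    // Usage from Anonymous Apex (the host must be allowed by Remote Site Settings or a Named Credential):
    //   AuthHeaderDemo.send(AuthHeaderDemo.buildRequest('https://foodish-api.com/', AuthHeaderDemo.Scheme.NONE, null));
    //   AuthHeaderDemo.send(AuthHeaderDemo.buildRequest('https://api.example.com/weather', AuthHeaderDemo.Scheme.API_KEY, '<your key>'));
}
```

The value of keeping the scheme as a parameter is that the only thing that changes between the no-auth cat API and the key-protected weather API is one header line; the endpoint, method and response handling stay the same.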
Simmy: Now we will understand how to read API documentation to find out what kind of authentication it uses and how to make the request using Postman.
Cloudy: Before this, how do I know what type of authentication to use?
Simmy: By reading the API documentation we learn which authentication we need to use. In the case of the weather API, the documentation clearly states that to access the data we need to use the API key.
Cloudy: Can I see APIs with different authentication in real time?
Simmy: Demo Time
This GitHub repository provides a list of APIs which don’t need any authentication, so do check it out.
For instance, let’s check random pictures of food dishes.
Step 1: Find the base URL. Here it is https://foodish-api.com/
Step 2: Go to Postman to test the API
- Set the method to GET, as you want to retrieve a resource
- Put the base URL in the request to test the API
- Click on Send
Notice the status is 200, which means the request is successful, and in the body you see the response.
Step 3: Now go to the API documentation to see how to fetch a particular resource from the endpoint, like a food image in this case.
Notice what kind of authentication you need, if any. Here there is no mention of authentication in the documentation, which means you can access the resource without proving your identity.
For instance, I want to see biryani, so I will click on Biryani.
Put the URL https://foodish-api.com/images/biryani/biryani19.jpg in the request and click on Send. In a matter of seconds, you will see an image of yummy biryani.
Cloudy: Omg, I started feeling Hungry!
Cloudy: In the very beginning we talked about Callin and Callout. Where does authentication fit in that picture?
Simmy: Great question! Understanding this can be a bit tricky for beginners, so let’s break it down.
When we talk about making a callout, we need to know the type of authentication the system requires before it lets us access the resource. It can come in different forms, from a simple username and password, to a more secure method like an API key, or even a more complex system like OAuth.
Don’t worry, we will understand all the types of authentication in detail in upcoming sessions.
When discussing inbound integrations in Salesforce, it’s crucial to understand OAuth 2.0 and OpenID Connect. Salesforce utilizes these protocols for robust authentication and authorization.
(Note: We will delve deeper into OAuth 2.0 and OpenID Connect in upcoming sessions.)
Simmy: Let’s have a demo to showcase No Auth in Salesforce.
Demo Time
We have TheMealDB API, where we can see all the meals and their recipes. Let’s see how exactly it works.
Now let’s focus on a few things in the documentation:
Authentication type: how it checks our identity to access the resource, in this case a meal and its recipe.
Base URL – in this case it is https://www.themealdb.com
What parameters we need to set to access a particular resource.
Example: to access Pasta we need to use – www.themealdb.com/api/json/v1/1/search.php?s=Pasta
Let’s test it in Postman, as it is very good for API testing.
- Put the URL for making the request
- Put the HTTP method. In this case it is GET, as we want to retrieve the resource
- Click on Send
- Notice you see a status code. In this case it is 200, which means the request is successful
- Notice that there is a response in the box in JSON format.
Now we want to make the callout in the Salesforce.
1. Remote Site Settings – Go to Remote Site Settings to whitelist the URL.
(Note: We can do so using Named Credentials also, which we will learn about in a later session)
The next step will be to create a class to make the callout. I have written a comment above every single line so it is exactly clear how to do that.
// Use public for classes that need to be accessed across your entire Salesforce org but not from other orgs.
// Since callout methods need to be accessible from different parts of your application, don't use a restrictive access modifier.
public class MealDBCallout {
    // This method performs the HTTP callout to get the pasta recipe.
    // Use static so that we don't need to create an instance of the class to call it.
    public static void getPastaRecipe() {
        // Create a new instance of the Http class to perform the HTTP callout
        Http http = new Http();
        // Create a new instance of the HttpRequest class to define the request details
        HttpRequest request = new HttpRequest();
        // https - the data exchange will be secure
        // Set the endpoint URL for the HTTP GET request
        // Domain name that hosts the API; it is where the request is sent - www.themealdb.com
        // Path - exactly where the resource is on the server - api/json/v1/1/search.php
        // json - resource format
        // v1 indicates the version of the API
        // search.php is the specific resource on the server that will process the search query.
        // ? marks the beginning of the query string.
        // s is the parameter name, which in this context stands for "search".
        // Pasta is the value of the s parameter, indicating that we are searching for recipes related to "Pasta".
        request.setEndpoint('https://www.themealdb.com/api/json/v1/1/search.php?s=Pasta');
        // Specify that the request method is GET
        request.setMethod('GET');
        // Set the request header to indicate that the content type is JSON
        request.setHeader('Content-Type', 'application/json');
        // Send the HTTP request, get the response and store it in the response variable
        HttpResponse response = http.send(request);
        // Check if the response status code is 200 (OK)
        if (response.getStatusCode() == 200) {
            // Get the response body as a string
            String responseBody = response.getBody();
            // Get the status code
            Integer statusCode = response.getStatusCode();
            // Get the status message
            String statusMessage = response.getStatus();
            // Get the content type
            String contentType = response.getHeader('Content-Type');
            // Log the response details to the debug logs
            System.debug(responseBody);
            System.debug(statusCode);
            System.debug(statusMessage);
            System.debug(contentType);
        } else {
            // Log an error message if the response status is not 200
            System.debug('Failed to get a successful response: ' + response.getStatus());
        }
    }
}
Call the method:
MealDBCallout.getPastaRecipe();
Response:
Go to the debug log and you will see exactly the response you got from the request.
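As an added example (not the post’s own code), here is how the callout above can be taken one step further: parse the JSON that search.php returns and pull out the meal names instead of only dumping the body to the debug log, and test the class with an HttpCalloutMock so the test never makes a real callout (Apex tests cannot). The fetch method assumes the same endpoint as the class above, the host still has to be allowed in Remote Site Settings as in step 1, and the JSON in the mock is constructed to match the shape of the search.php response (a "meals" array of objects with a strMeal field). In Apex each class lives in its own file; they are shown together here for reading.

```apex
// Added example, not from the original post. Assumes the search.php endpoint used above.
public with sharing class MealDBParser {

    // Extracts the strMeal value of every meal in a search.php response body.
    public static List<String> mealNames(String responseBody) {
        List<String> names = new List<String>();
        Map<String, Object> root = (Map<String, Object>) JSON.deserializeUntyped(responseBody);
        // TheMealDB returns "meals": null when nothing matches, so guard before casting.
        Object mealsObj = root.get('meals');
        if (mealsObj == null) {
            return names;
        }
        for (Object item : (List<Object>) mealsObj) {
            Map<String, Object> meal = (Map<String, Object>) item;
            names.add((String) meal.get('strMeal'));
        }
        return names;
    }

    // Makes the same no-auth GET callout as MealDBCallout, but with the search term
    // URL-encoded and the response parsed instead of only logged.
    public static List<String> fetchMealNames(String searchTerm) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://www.themealdb.com/api/json/v1/1/search.php?s='
            + EncodingUtil.urlEncode(searchTerm, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000); // milliseconds
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            System.debug('Request failed: ' + res.getStatusCode() + ' ' + res.getStatus());
            return new List<String>();
        }
        return mealNames(res.getBody());
    }
}

@IsTest
private class MealDBParserTest {
    // Constructed fake response so the test never leaves the org.
    private class MealMock implements HttpCalloutMock {
        public HttpResponse respond(HttpRequest req) {
            HttpResponse res = new HttpResponse();
            res.setStatusCode(200);
            res.setHeader('Content-Type', 'application/json');
            res.setBody('{"meals":[{"idMeal":"1","strMeal":"Pasta A"},{"idMeal":"2","strMeal":"Pasta B"}]}');
            return res;
        }
    }

    @IsTest
    static void parsesMealNames() {
        Test.setMock(HttpCalloutMock.class, new MealMock());
        List<String> names = MealDBParser.fetchMealNames('Pasta');
        System.assertEquals(2, names.size());
        System.assertEquals('Pasta A', names[0]);
        // The no-match shape must not throw a null pointer or cast exception.
        System.assert(MealDBParser.mealNames('{"meals":null}').isEmpty());
    }
}
```

Run the test class from Setup or the Developer Console; the mock is what lets the callout code be covered without any network access, and the null guard is the one edge case the raw debug-log version above silently skips.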
Simmy: That was an example of how to make a simple callout, whitelisting the URL, to an API which doesn’t need any authentication.
Cloudy: Well that was fun.
Cloudy: If you enjoyed this document, then
Feel free to connect with me on:
● Subscribe to my YouTube Channel
● Follow my Blog – sfdcAmplified