1

I have 2 Salesforce orgs (with identical code) - a hub and a client. I need to pass data from the hub to the client. Using S2S is fine for normal data, but when it comes to files (eg pdf) we can't use this.

I have a RestResource which accepts data from a third party (works fine) into the hub in JSON format, which includes the pdf. I need to push this to the client org and can use the same RestResource as it'll be the same JSON that is passed on, basically. I am trying to use a Named Credential to set up the link to the client org, but am unsure of what to do. We control both orgs.

In the hub org we have a dedicated user for API login(used by the 3rd party to pass through the JSON initially), but in the client org we don't have any spare logins, and I'm loathe to use the admin login for the Authentication. I've done a test and connected successfully using 'No Authentication' for the Authentication Protocol so I know the url works, but because it needs authentication to do the processing, I need to now add that in.

I'm confused by OAuth as that seems to be for things like LinkedIn, FB, etc as it needs the Authentication Provider. Using Username/Pwd seems to not be a good option as I only have the admin user I can use, which doesn't seem like the most secure option (or is it?). I don't know what AWS or JWT are for.

What do I put into the Authentication section? I can get the client/secret keys from the client org and create anything I might need in there, but am just not sure what the best option is.

I've created an Auth Provider and a Named Credential as below - both in the Hub org, but am getting an error when I try and save the NC. Where does the RestResource endpoint in the client get added in? Only where the callout is made? The key/secret are from the Connected App in the client org.

enter image description here

enter image description here

Irene
  • 1,811
  • 4
  • 36
  • 76

1 Answers1

2

Create a new Auth Provider (Setup > Identity > Auth. Providers) for Salesforce, then you can use Named Credentials. Use OAuth, and you won't need to worry about username/passwords, even if the admin changes their username or password; the session will be maintained for you. Only users with Author Apex could possibly write code to even use the Named Credentials, so it is as secure as you make it (e.g. whatever Apex you write to allow access, if you even allow access at all). The Bearer token will never be exposed in logs or elsewhere, nor is there any way to retrieve the token. Overall, it's a very safe option.

sfdcfox
  • 489,769
  • 21
  • 458
  • 806
  • Auth Provider setup in which org - Hub or client? – cropredy Jul 29 '20 at 22:32
  • So I create it using Provider Type = Salesforce? Do I need to add any info other than the client key/secret (of my Connected App from the client org)? – Irene Jul 29 '20 at 22:51
  • @Irene Auth Provider goes in the org making the callouts, along with the named credential. You will need the URL, client key, client secret. When you save it, you'll go through the OAuth login flow, where you'll use the username/password or SSO to authenticate, and then you're done. – sfdcfox Jul 29 '20 at 23:06
  • Okay, I've created the Auth Provider in the hub org with Provider Type=Salesforce, given it a Name, the URL Suffix defaults to the Name, I've pasted in the Key/Secret from my client org and left everything else blank. When I save it I see in the Salesforce Configuration section (of the Auth Provider) several URLs with the correct MyDomain name of my client org. If I use this in my Named Credential I get this error : "error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration". I've only selected Id Type, Auth Protocol and Auth Provider. What is wrong? – Irene Jul 29 '20 at 23:19
  • The URL in my Named Credential is the RestResource in the client org - is that correct? – Irene Jul 29 '20 at 23:21
  • @Irene Just the main endpoint is necessary (e.g. https://mydomain.my.salesforce.com), then you can add the endpoint on to it (e.g. callout:myOtherOrg/services/data/v48.0/apexrest/myrestservice) – sfdcfox Jul 29 '20 at 23:31
  • @sfdcfox We got this setup in production, but it was (and is) failing in our sandbox. Do we need to create a separate OAuth provider & Named credential per sandbox? Obviously that's really manual and not idea/maintainable over time - not sure what the best practice is here – Brian Miller Jul 29 '20 at 23:37
  • @sfdcfox I've edited the URL in my Named Credential to just the main endpoint, but as soon as I try and save it I get the error I mentioned earlier. I'd like to send screenshots of what I have as I'm not sure I have it correct. – Irene Jul 29 '20 at 23:45
  • @sfdcfox I've edited my question to include screenshots of my current setup. The Salesforce Configuration section in the Auth Provider points to the Hub org - is that correct? – Irene Jul 29 '20 at 23:58