Can't Authenticate

[bobbywhitesfdc]

Auth Provider fails to connect through the UI. Callback post displays a cryptic message in a browser page.

[bobbywhitesfdc]

Check that the Authentication Provider configuration is correct.
Name should be the same as URL Suffix.
If you choose different values, you must override the Callback URL.
Callback URL will be generated by Salesforce when you create the Authentication Provider configuration. In the attached screenshot, the value is listed on the bottom of the page as "Callback URL".

[svk1993d]

Hi @bobbywhitesfdc ,

I have same callback URL in the configuration as shown, but the problem is initiate() method is returning generatedURL which is https://{salesforce-hostname}/services/authcallback/Apigee?code=999&state=XXXXX..... Still I am getting error saying "We can’t log you in because of an authentication error. For help, contact your Salesforce administrator."

Can you please help me if I am doing anything wrong here?

[bobbywhitesfdc]

1. Please check that your APIGee endpoint URL (Access Token URL) has been "whitelisted" via a RemoteSiteSetting. If it's not, Salesforce will disallow that initiate callout and the overall flow will fail. While it's difficult to debug, the AuthProvider has some System.Debug() statements in each method so you can enable debugging for the "Execute as" user and get some hints there.
2. Can you trace on the Apigee Gateway side? Apigee can have many nuanced configurations. See the "Use JSon Encoding" setting as one example. Apigee can be configured to expect XML or JSON encoding.

[svk1993d]

Hi @bobbywhitesfdc,

Thanks for the prompt reply!

1. I have configured the Apigee endpoint URL in RemoteSiteSetting for whitelisting.
2. I can request Integration to enable trace logs.

But one thing which I am not able to understand is the authorization which is taking place which is in the initiate() method is not needed for the API I have been provided with. They just need the auth key and token URL to get the auth token. Is there anyway we can bypass the initiate method and still authenticate?

[bobbywhitesfdc]

The AuthProvider interface is pretty rigid. Essentially it was design for interactive "OAuth 2.0 Web-Server Flow". Non-interactive flows like Client Secret or JWT Bearer flow just have to "fake out" the steps that aren't needed.

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_class_Auth_AuthProviderPluginClass.htm

https://help.salesforce.com/articleView?id=remoteaccess_oauth_flows.htm&type=5

When you are troubleshooting and looking at the Debug Logs, paying attention to the Debug Messages that signal how far you've progressed will be key to correcting the configuration.

1. Initiate
2. Handle Callback
3. Retrieve Token

[svk1993d]

Hi @bobbywhitesfdc ,

Thank you so much for guidance. I was able to get the auth token by modifying the initiate() method and the HTTP request parameters.
There is one more doubt I have about refreshing the auth token and will be really helpful if you can provide some help. Since this is Client Credentials Authorization, so ideally there will be no refresh token supplied with auth token. Through the Named Credentials if I put refresh_token in scope, will it be able to serve the purpose or should I do it via Apex?

Thanks!

[svk1993d]

Hi @bobbywhitesfdc,

After successfully authenticating the Named Credentials as per your guidance above, I kept the scope as "refresh_token full" for auto-refreshing the Auth Token. But it seems to be not working as expected. It should refresh Auth Token automatically and when the token expires, the following error is received on APIGEE end "Error 401: Provided JWT Token might be expired, Please provide a new JWT Token".

Can you please help me understand if this is something needs to done APIGEE or SF?

[bobbywhitesfdc]

hi @svk1993d,
In my experience the Client Credentials and JWT Bearer flows don't typically include a refresh token. I'd remove that scope. When the authtoken expires, the platform will simply get another one from scratch instead of attempting to do a refresh.
Give that a shot.
Best regards,
Bobby

[svk1993d]

Hi @bobbywhitesfdc ,

Thank you for the approach. I have done the changes as per your suggestion and will wait for tomorrow to check if this is working or not.
I will keep you posted on that!

Regards
Souvik

[svk1993d]

Hi @bobbywhitesfdc ,

I tried with the above approach but this also seems to be not working. The named credential is still not able to get a refreshed Auth Token after expiry.
Is there any other way which you can suggest in this case? Do I need to configure the Connected App to cater this?

Thanks
Souvik Dinda

[bobbywhitesfdc]

The expected behavior here is that the Salesforce platform would automatically detect when the AuthToken is expired and would attempt to refresh it. This AuthProvider implementation treats the "refresh" attempt the same way it treats the initial authtoken request. It starts from scratch and doesn't use a refresh token. I'm not sure why you're having this trouble.

See:

/**
        Refresh is required by the parent class and it's used if the original Access Token has expired.
        In the Client Credentials flow, there is no Refresh token, so its implementation is exactly the
        same as the Initiate() step.
    **/
    public override Auth.OAuthRefreshResult refresh(Map<String,String> config, String refreshToken) {
        System.debug('refresh');
        final TokenResponse response = retrieveToken(config);
        return new Auth.OAuthRefreshResult(response.access_token, response.token_type);
}

[svk1993d]

Hi @bobbywhitesfdc ,

Thank you so much Bobby for the help. It worked finally!

Regards
Souvik Dinda

[utkarshdixit10]

Hi @bobbywhitesfdc , I have set up a custom Auth provider using the recommended solution in this repo, I used named creds but I am not able to authenticate the Named Cred and getting below error. Any help that you may provide is really appreciated.
**We can’t log you in because of the following error. For more information, contact your Salesforce administrator.

Remote_Error: The remote service returned an error**

[bobbywhitesfdc]

That's pretty vague -- can you provide any debug logs?
Without knowing these details, please double-check the following

• Remote Site setting -- You've got to explicitly whitelist the OAuth endpoint URL (Access Token URL) by creating a Remote Site Setting ( or separate Named Credential for it)
• Consumer Key & Client Secret -- Double check that these are correct

[utkarshdixit10]

I apologize for being less detailed, I got it through and my Named cred is now Authenticated.
I have hit another roadblock now. The Auth provider in my case is Azure and that provides the token, The callout end point is in Mule and it requires the Client ID and Client Secret of the end system in the header. So I am required to send these in the header attributes along with the token. I tried using {!$Credential.OAuthToken} to send the token, but getting below error.
System.CalloutException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable"

I understand it could be because of multiple reasons but I want to ensure that we can send the OAuth token in this flow using Credential.OAuthToken because when I add debug log to get the value of this, I get just text printed as Credential.OAuthToken

[utkarshdixit10]

@bobbywhitesfdc , I got this working now. Thanks for helping.

[bobbywhitesfdc]

For the benefit of others, can you outline what steps you took to debug and resolve?

[AyoubOua]

svk1993d

Hi svk1993d, could you please tell me how you fixed the problem with refreshing the token after is getting expired, I'm having this problem right now.
Thank you

[alphaseenu]

Thanks MyF5 component got authenticated. I wanted to see the logs of Custom Auth Provider plugin when I use the client Creds in Making api calls. I hv put a trace for "Execute As" user but not logged. is there any way ?

[crystalz2022]

@bobbywhitesfdc Hi Bobby! we were trying to deploy to our SB. However, we run into the following issues. Could you advise?

Error temp/authproviders/ApigeeEval.authprovider ApigeeEval In field: ExecutionUser - no User named [email protected] found
Error temp/dataSources/TrailheadEx.dataSource TrailheadEx This org does not have the appropriate permissions to use the 'OData' data provider
Error temp/dataSources/TrailheadEx.dataSource TrailheadEx In field: authProvider - no AuthProvider named ApigeeEval found

[m-bolledla]

Hi @utkarshdixit10 , I am facing the same issue as you have mentioned to be resolved earlier
"Remote_Error: The remote service returned an error**"

Can you kindly provide the steps to debug and resolve this issue.
Thanks.

[mateuszchalabaTTMS]

@m-bolledla so do I, exaclty the same error, i've checked all parameters, looks fine, but im not able to debug handleCallback method, i do not even know if this method fires or not

@utkarshdixit10 @bobbywhitesfdc can you help us?

[pratikpatil2602]

@utkarshdixit10 Can you please let me know the steps how you resolved the issue

**We can’t log you in because of the following error. For more information, contact your Salesforce administrator.

Remote_Error: The remote service returned an error**