In my external application I have a Session ID (a.k.a. Access_Token) and server URL. This may have been sourced from any number of locations, such as:
- A Composite Apps query string URL on the iframe
- A Connected Apps signed request from a Canvas page
- One of several OAuth flows
- A direct Partner SOAP API login() call with the credentials
I'd like to figure out what I can and can't do with that session identifier I have. The AuthSession.SessionType seems like a good candidate. Assuming I can at least query AuthSession with my current Session ID, how can I determine which AuthSession corresponds to my current Session ID?
There is the UsersId field, but that could have multiple matches for any single user.
Real-world scenario I was trying to solve.
There is some ancient (circa 2008) code that uses /servlet/servlet.ReportList to get the list of available Reports in an org for the current session user. This app had historically used a Composite App iframe to get the session Id and has been working pretty reliably to date. It fell into the "ain't broke, don't fix it" pile rather than getting upgraded to the newer Reporting API.
Then very recently it started failing with the response <?xml version="1.0"?><result>Invalid session.</result>. This was very odd, as the problem session Id could be used for any number of other API calls, just not to this servlet.
It eventually dawned on me that the app had very recently been changed to use a Canvas App which didn't have the OAuth web or full scopes. Turns out that without those it wasn't possible to consume that servlet.
But I had no way of telling if the Session ID I was looking at had the required Session Type and no way to reconcile it with the AuthSession records.
This is now partially possible using
This was introduced in Summer '16 (v37.0).