[SalesForce] Named Credentials: How to Start OAuth flow

I'm using Named Credentials with OAuth authentication. When calling a method on the endpoint, my Apex app receives back the status that the token needs to be refreshed.

How do I tell Salesforce to start the OAuth process for my Named Credential?

Added

Everything is set up and works fine:

  • The external SaaS service uses OAuth Authorization Code Grant with its own OAuth endpoints.
  • Created Authentication Metadata in SFDC for the service
  • Wrote and installed an Auth Provider Plugin Apex class
  • Authorized the Remote Site for just the authorization service (not for the API URL itself).
  • Added the new Auth Provider
  • Added the new Named Credential

Next

  • Each user then adds an entry for the Auth Provider via their Personal Settings / Authentication Settings for External Systems screen.
  • Completing this step causes the OAuth process to happen: the browser is redirected to the SaaS service's authentication service. After authenticating and authorizing the app, the person is returned to SFDC.
  • At this point, the person can use the Apex application which makes use of the Named Credential.
  • Life is good.

However, 8 hours later, the token needs to be refreshed.

The best would be for my Apex program to be able to rerun the OAuth flow. The user would then re-login, as needed.

So back to the original question: How do I tell Salesforce to start the OAuth process for my Named Credential or for the user's Authentication Settings for External Systems record?

Currently, if my Apex program detects that the user needs to re-authenticate, I give them the following instructions. What I want is to give the user a button that they push. That would cause the OAuth flow to start.

  • From My Settings, enter auth in the Quick Find box, then select
    Authentication Settings for External Systems
  • For the -saas service- entry, click Edit then click Save.
    Depending on your -saas service- security settings, you may be redirected to the -saas service- to sign in.
    More information.

Best Answer

Once you are authenticated, you don't need to re-authenticate with the external service again.

Every external system provides a refresh token with the access token, and using that refresh token you need to refresh the access token.

You can use a batch which will run in the backend and refresh your access token. Schedule this batch to run in 7 hours.

To refresh the access token using refresh token you can follow these links.

  1. OAuth 2.0 Refresh Token Flow

Although this link is for the SF token, the basic idea remains the same here.

Sample code.

POST /services/oauth2/token HTTP/1.1
Host: login.salesforce.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&client_id=Your client id here&client_secret=Your client secret here&refresh_token=your token here

For the second point, where you need re-authentication, you can do one thing: create a checkbox, and if the checkbox is true then update the record type with a button for re-authentication; once the user clicks on this button and re-authenticates, you can again change the page layout and hide the button.

In your batch, if you get time 0 then update the record with the checkbox true, so the user can see the button to re-authenticate.

And as you are the system admin, you need to store their access token and refresh token in some place, and your code can access it from there.
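As an added example (not code from the question or the answer): a Schedulable Apex class that runs the refresh_token grant shown above for every stored user token and flags the row for re-authorization when the refresh fails, matching the checkbox idea in the answer. The token endpoint, the External_OAuth_Token__c object (Access_Token__c, Refresh_Token__c, Expires_At__c, Needs_Reauth__c) and the OAuth_App_Settings__c protected custom setting (Client_Id__c, Client_Secret__c) are assumptions.

```apex
public with sharing class ExternalTokenRefresher implements Schedulable {
    public class RefreshException extends Exception {}
    // Assumed: the external service's token endpoint (not a real URL), allowed by a Remote Site Setting.
    private static final String TOKEN_ENDPOINT = 'https://auth.saas-service.example/oauth2/token';
    public void execute(SchedulableContext sc) {
        refreshExpiring();
    }
    public static void refreshExpiring() {
        // Assumed custom object: one row per user who completed the authorization flow.
        List<External_OAuth_Token__c> rows = [
            SELECT Id, Access_Token__c, Refresh_Token__c, Expires_At__c, Needs_Reauth__c
            FROM External_OAuth_Token__c
            WHERE Expires_At__c <= :Datetime.now().addHours(1)
        ];
        for (External_OAuth_Token__c row : rows) {
            try {
                refreshOne(row);
                row.Needs_Reauth__c = false;
            } catch (Exception e) {
                // Refresh token revoked or expired: flag the row so the UI can show the re-authenticate button.
                row.Needs_Reauth__c = true;
            }
        }
        update rows;
    }
    private static void refreshOne(External_OAuth_Token__c row) {
        // Assumed protected custom setting holding client id/secret, so the secret is not in source.
        OAuth_App_Settings__c cfg = OAuth_App_Settings__c.getOrgDefaults();
        HttpRequest req = new HttpRequest();
        req.setEndpoint(TOKEN_ENDPOINT);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=refresh_token'
            + '&client_id=' + EncodingUtil.urlEncode(cfg.Client_Id__c, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(cfg.Client_Secret__c, 'UTF-8')
            + '&refresh_token=' + EncodingUtil.urlEncode(row.Refresh_Token__c, 'UTF-8'));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new RefreshException('Token refresh failed with HTTP ' + res.getStatusCode());
        }
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        row.Access_Token__c = (String) body.get('access_token');
        // Some servers rotate the refresh token; keep the old one if none is returned.
        if (body.containsKey('refresh_token')) {
            row.Refresh_Token__c = (String) body.get('refresh_token');
        }
        Integer expiresIn = body.containsKey('expires_in') ? Integer.valueOf(body.get('expires_in')) : 28800; // default 8 h
        row.Expires_At__c = Datetime.now().addSeconds(expiresIn);
    }
}
```

Schedule it with `System.schedule('Refresh external tokens', '0 0 */7 * * ?', new ExternalTokenRefresher());` to get the 7-hour cadence the answer suggests.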