Setting up a named credential for Salesforce REST Web Service

calloutintegrationlightning-web-components

I'm learning integrations and found out about named credentials. I want to set a named credential for my Apex method which performs a callout to my scratch org:

  @AuraEnabled(cacheable=true)
  public static List<Object> restCallout(){
    Http h = new Http();
    HttpRequest req = new HttpRequest();
    req.setEndpoint('https://ability-data-6444-dev-ed.cs102.my.salesforce.com/services/apexrest/Johnny');
    req.setHeader('Authorization', 'Bearer abcdef123456}');
    req.setMethod('GET');
    HttpResponse res = h.send(req);
    System.debug(res.getBody());
    List<Object> objs = (List<Object>)JSON.deserializeUntyped(res.getBody());
    System.debug(objs);
    return objs;
}

Scratch org web service:

@RestResource(urlMapping='/Johnny')
global class WebServiceFactory {
    @HttpGet
    global static void getRecord() {
        List<JSONFactory> JSONs = new List<JSONFactory>();
        for(integer i = 0; i<15; i++){
            JSONs.add(new JSONFactory(i, 'Jan' + i, 'Test' + i));
        
            }
            RestContext.response.responseBody = Blob.valueOf(JSON.serialize(JSONs));
    }
}

I am slightly confused about which Identity Type and Protocol to choose, so that I can avoid typing this line:

req.setHeader('Authorization', 'Bearer abcdef123456}');

Identity Type options:

Anonymous
Per user
Named principal

Protocol options:

OAuth 2.0
Password Authentification
AWS Signature Version 4
JWT
JWT Token Exchange

Could anyone give me a hint?

Best Answer

For a Salesforce to Salesforce connection, use Per user or Named principal with OAuth 2.0 or JWT. The Identity Type "Per user" allows each user in your org to authenticate with a user in the Scratch Org, while "Named principal" uses a single login (what you'd call an "integration user"). Using the Protocol "OAuth 2.0" uses a simple web-based flow to obtain a token, while JWT uses a command-line tool and security certificates, as outlined in the documentation. The most typical configuration is probably Named principal with OAuth 2.0 in most cases.

Related Solutions

[SalesForce] Using Named credential for obtaining sessionid

I don't believe you can use WSDL2Apex if you want to use Named Credentials. You're going to have to roll your own callout in order to use the Http classes. See also (emphasis mine):

Invoking HTTP Callouts

Apex provides several built-in classes to work with HTTP services and create HTTP requests like GET, POST, PUT, and DELETE.

You can use these HTTP classes to integrate to REST-based services. They also allow you to integrate to SOAP-based web services as an alternate option to generating Apex code from a WSDL. By using the HTTP classes, instead of starting with a WSDL, you take on more responsibility for handling the construction of the SOAP message for the request and response.

That last sentence is especially telling. So the tradeoff for using Named Credentials would seem to be taking on quite a bit more coding responsibility.

Also take a look at Apex Web Services and Callouts:

With 'Callouts', where Apex invokes an external web service, Apex provides integration with Web services that utilize SOAP and WSDL, or HTTP services (RESTful services). Apex supports the importing of WSDLs to auto-generate the corresponding Apex classes. Additionally, Apex supports HTTP services to use HTTP Request and Response objects to invoke the external web service. These concepts are covered in the Apex Callouts section.

Unfortunately there are no examples of using Http to make SOAP based calls, and indeed the documentation seems to reinforce that it is geared towards REST:

HTTP (RESTful) Services

Apex supports HTTP Services with several built in Apex classes to creating HTTP requests like GET, POST, PUT, and DELETE. There are 3 main classes:

HTTP Class: Use this class to initiate an HTTP request and response.

HttpRequest Class: Use this class to programmatically create HTTP requests.

HttpResponse Class: Use this class to handle the HTTP response returned by the HTTP.Send() operation.

Together, these classes support the ability to develop HTTP request/response functionality within Apex. Using these HTTP classes supports the ability to integrate to REST-based services. It also enables the ability to integrate to SOAP-based web services as an alternate option to leveraging WSDL2Apex. By using the HTTP classes, instead of WSDL2Apex, the developer has more responsibility to handling the construction of the SOAP message both for the request and the response.

It seems like the easiest route may be to look into the steps listed out in the REST API Developer Guide:

Understanding Authentication

Salesforce uses the OAuth protocol to allow users of applications to securely access data without having to reveal username and password credentials.

Before making REST API calls, you must authenticate the application user using OAuth 2.0. To do so, you’ll need to:

Set up your application as a connected app in the Salesforce organization.

Determine the correct Salesforce OAuth endpoint for your connected app to use.

Authenticate the connected app user via one of several different OAuth 2.0 authentication flows. An OAuth authentication flow defines a series of steps used to coordinate the authentication process between your application and Salesforce.

Supported OAuth flows include:

Web server flow, where the server can securely protect the consumer secret.

User-agent flow, used by applications that cannot securely store the consumer secret.

Username-password flow, where the application has direct access to user credentials.

After successfully authenticating the connected app user with Salesforce, you’ll receive an access token which can be used to make authenticated REST API calls.

[SalesForce] Salesforce REST API Named Credential INVALID_SESSION_ID

Salesforce doesn't support direct Password Authentication to use the REST API. Typically you would go through an OAuth flow to get a valid access token to then call the service. You could go down this path by creating a Connected App and Authorization Provider, but that seems like a lot of work to get something you already have in Apex.

Instead, in Apex you can just use the UserInfo.getSessionId() in place of the access token in the Authorization header.

I've put together the following anonymous Apex to show how little is required. You will also need to add the Remote Site setting for your URL.

String restApi = URL.getSalesforceBaseUrl().toExternalForm() + '/services/data/v40.0/sobjects/';  

HttpRequest httpRequest = new HttpRequest();
httpRequest.setMethod('GET');
httpRequest.setHeader('Authorization', 'Bearer ' + UserInfo.getSessionID());
httpRequest.setEndpoint(restApi);

try {  
         Http http = new Http();   
         HttpResponse httpResponse = http.send(httpRequest);  
         if (httpResponse.getStatusCode() == 200 ) {
             string response = JSON.serializePretty( JSON.deserializeUntyped(httpResponse.getBody()) );  
             System.debug('REST API Response : ' + response );
         } else {  
               System.debug('httpResponse: ' + httpResponse.getBody());
               throw new CalloutException(httpResponse.getBody());
         }   

} catch( System.Exception e) {
         System.debug(LoggingLevel.ERROR, 'ERROR: '+ e);
         throw e;
}

Best Answer

Related Solutions

[SalesForce] Using Named credential for obtaining sessionid

Invoking HTTP Callouts

HTTP (RESTful) Services

Understanding Authentication

[SalesForce] Salesforce REST API Named Credential INVALID_SESSION_ID

Related Topic