Can we have a developer session / webinar on Named Credentials where Per User authentication is expected for integration with an external system? What I am interested in is understanding the UI behaviour when a user clicks a Salesforce Lightning button to access the integration in the background.
As a product feature, should this direct the user to the third-party login screen?
Or does the user explicitly need to authenticate via the UI before calling the service from the Salesforce UI?
Or should this flow use JWT?
It's not clear from the documentation what the best practice is for Per User integration using Named Credentials. Any practical demonstration by a developer evangelist would be good.
Overall my advice is that you must use the Per User option for OAuth (there isn’t much choice there), but we have extra Connect API capabilities that can address the other issues you're facing. So, in reference to the numbered list you posted:
1. Yes, that is correct.
2. Do not attempt to store tokens for every user on your own. Use the Per User option for OAuth as part of External Credentials. You will notice that the External Credential references the Auth Provider in step 1.
3. Write your callout code in a way that references the Named Credential, and we'll pass along that user's token automatically in the correct header.
4. The callout will fail if the current user has not yet authenticated. They can go to External Credentials under their personal settings to click Allow Access and solve this. In theory, you can examine the authentication status of the External Credential programmatically and know if the user has completed this step yet.
5. Again, we have a UI for this under My Personal Information → External Credentials, but you can also obtain the URL programmatically and surface your own link to it (if you like). When the end user follows this URL and completes the authentication handshake against the remote system, we will automatically capture and store that user's token in an encrypted manner; you don't need to manage this. (See point number 2.)
This is the overall approach I would suggest for someone like yourself using OAuth.
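The answer above describes three programmatic pieces: a callout that references the Named Credential, a check of the Per User authentication status before calling out, and obtaining the Allow Access URL so the Lightning UI can surface its own link. The Apex class below is an added example that ties those together for a Lightning button; it is not code from the original answer or from Salesforce. It assumes a Named Credential with developer name `MyExternalService` backed by an External Credential `MyExternalCredential` that uses an OAuth 2.0 Auth Provider with a Per User principal, and it assumes the remote path `/api/v1/me`. The `ConnectApi.NamedCredentials` methods and enum values used for the status check and the auth URL are written from memory of the Apex Reference Guide and should be checked against the current release before use.

```apex
// Added example, not part of the original answer. Names of the Named Credential,
// External Credential and remote path are assumptions for illustration.
public with sharing class PerUserCalloutService {

    private static final String EXTERNAL_CREDENTIAL = 'MyExternalCredential'; // assumed developer name
    private static final String NAMED_CREDENTIAL = 'MyExternalService';       // assumed developer name

    // Shape returned to the Lightning component: either data, or a URL to complete the handshake.
    public class CalloutResult {
        @AuraEnabled public Boolean authenticated;
        @AuraEnabled public String authUrl;
        @AuraEnabled public Integer statusCode;
        @AuraEnabled public String body;
    }

    // Point 4: ask the platform whether the running user has already completed
    // the OAuth handshake for the Per User principal of this External Credential.
    // Assumed Connect API signature: verify against the Apex Reference Guide.
    public static Boolean isUserAuthenticated() {
        ConnectApi.Credential cred = ConnectApi.NamedCredentials.getCredential(
            EXTERNAL_CREDENTIAL,
            ConnectApi.CredentialPrincipalType.PerUserPrincipal);
        return cred.authenticationStatus == ConnectApi.CredentialAuthenticationStatus.Authenticated;
    }

    // Point 5: obtain the same "Allow Access" URL that the
    // My Personal Information -> External Credentials page uses, so the UI can
    // link to it directly. The platform captures and stores the token afterwards.
    // Assumed Connect API signature: verify against the Apex Reference Guide.
    public static String getAuthorizationUrl() {
        ConnectApi.OAuthCredentialAuthUrlInput input = new ConnectApi.OAuthCredentialAuthUrlInput();
        input.externalCredential = EXTERNAL_CREDENTIAL;
        input.principalType = ConnectApi.CredentialPrincipalType.PerUserPrincipal;
        ConnectApi.OAuthCredentialAuthUrl result =
            ConnectApi.NamedCredentials.getOAuthCredentialAuthUrl(input);
        return result.oauthCredentialAuthUrl;
    }

    // Point 3: the callout only references the Named Credential; the platform
    // injects the current user's token into the Authorization header. No token
    // is read, stored or logged by this code.
    @AuraEnabled
    public static CalloutResult callService() {
        CalloutResult r = new CalloutResult();
        r.authenticated = isUserAuthenticated();
        if (!r.authenticated) {
            // Point 4: calling out now would fail, so hand the UI the URL instead.
            r.authUrl = getAuthorizationUrl();
            return r;
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:' + NAMED_CREDENTIAL + '/api/v1/me'); // assumed remote path
        req.setMethod('GET');
        req.setTimeout(20000);
        HttpResponse res = new Http().send(req);
        r.statusCode = res.getStatusCode();
        r.body = res.getBody();
        return r;
    }
}
```

From a Lightning web component, the button handler calls `callService()`; when `authenticated` is false it renders `authUrl` as an "Allow Access" link (opening it in a new tab), and once the user returns it calls again and gets the real response. Keeping the status check in front of the callout avoids relying on a failed callout as the signal that the user has not authenticated, and the component never sees the token itself, which is the point of letting the platform manage storage.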