External Services: Set up Named Credentials for OAuth 2.0

As an admin, you may be thinking: what the heck is OAuth 2.0, and do I really need to learn everything about it? Probably not everything, but you should know at least the basics if you’re setting up an integration between Salesforce and any external system, whether you’re using Apex or External Services.

Oh, by the way, this article is a follow-up to my previous post, External Services: Authentication and Named Credentials.

So, what is OAuth 2.0?

Simply put, OAuth 2.0 is the industry-standard protocol (NOT specific to Salesforce) for granting authorization to web applications. We’re not going to dive into how it works here, but if you’re interested in learning more, check out the videos on the Ladies Be Architects YouTube channel.

So what are we going to discuss, really?
Well, we’re going to learn, step by step, how to set up Named Credentials for OAuth 2.0.

Please note that the setup process is more or less the same for all external systems that use OAuth 2.0, so I’ll give a generic step-by-step flow.
To see these generic steps applied to a concrete example, you can refer to this article (for Slack) by Liz Skaates.

Step by Step Flow

Step 1: Sign up for the web service.
The first thing you need is an account with the REST API you want to integrate with.

Step 2: Set up the app and its permissions (scopes).
This app is what authorizes the user who’s trying to access the API. For most well-known APIs, you’ll find instructions for creating this app in the authentication section (the name can vary) of the REST API documentation. After, or while, creating the app, you’ll need to set up OAuth scopes. Scopes define the level of access a user will have, and they vary from API to API.

Once you create the app, you’ll get a Client ID and a Client Secret. Copy them somewhere safe, because we’re going to need them in the next step.

Note: In Salesforce this “app” is called a Connected App, in Slack it’s simply called an App, and in GoToWebinar it’s called an OAuth client. The “app” may go by different names with different APIs, but they all do the same thing.

Step 3: Set up an Auth. Provider in Salesforce

  • In your Salesforce org, go to Setup -> Auth. Providers and click New.
  • For “Provider Type”, select Open ID Connect if your API is NOT listed in the picklist.
  • Enter a relevant name.
  • For URL Suffix, choose a short, relevant word or two. It is used as the suffix in the client configuration URLs.
  • Enter the Client ID and Client Secret (from the “app”) in Consumer Key and Consumer Secret.
  • Authorize Endpoint URL and Token Endpoint URL are found in the authentication section (the name can vary) of the REST API documentation.
  • Check the “Send client credentials in header” checkbox.
  • Leave the rest as it is and hit Save.
  • Scroll down and copy the Callback URL from the Salesforce Configuration section (this section lists all the ‘client configuration URLs’).
  • Go back to the app we created earlier and add the Callback URL to it. There should be an option somewhere within the app to add Callback URL(s)/Redirect URL(s).

Step 4: Create Named Credentials and authenticate.

  • In your Salesforce org, go to Setup -> Named Credentials and click New.
  • Enter a relevant name.
  • For URL, enter the host URL of the API; it should look something like:
    https://example.com
  • Choose Identity Type as Named Principal (you can also choose “Per User”, but that’s a topic for another day).
  • Authentication Protocol = OAuth 2.0
  • Authentication Provider = <Select Auth. Provider we created in step 3>
  • Check the “Start Authentication Flow on Save” checkbox.
  • Hit Save.

This should start the auth process, and you’ll be redirected to a page of the external API asking for permission. Click Allow to successfully authenticate yourself.
If all goes well, the Named Credential’s “Authentication Status” will show “Authenticated”.
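To make the settings in Steps 3 and 4 concrete, here is an added Python model of the OAuth 2.0 authorization-code exchange that the Auth. Provider carries out when you hit Save. It is example code written for this post, not Salesforce’s implementation, and it makes no network calls: the client ID, secret, endpoints and callback URL are constructed placeholders, and each function returns the request it would send, so you can see what the Callback URL, the scopes and the “Send client credentials in header” checkbox each change.

```python
"""Model of the OAuth 2.0 authorization-code exchange behind Steps 3 and 4.

Added example, not Salesforce code. All URLs, IDs and secrets below are
constructed placeholders. Nothing is sent over the network: each function
returns the request it would make, so the effect of each setting is visible.
"""
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-ins for the app's Client ID / Client Secret (Step 2)
# and for the endpoints copied from the API documentation (Step 3).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
# Constructed stand-in for the Callback URL shown after saving the Auth.
# Provider (the URL Suffix "MyProvider" is the hypothetical suffix chosen in
# Step 3). Registering it in the app means the API will only send
# authorization codes back to this exact address.
CALLBACK_URL = "https://example.my.salesforce.com/services/authcallback/MyProvider"


def build_authorize_url(scopes, state):
    """Where the browser is sent when 'Start Authentication Flow on Save' runs."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(scopes),   # the scopes granted to the app in Step 2
        "state": state,              # random value, checked on the way back
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_request_url, expected_state):
    """Validate the redirect back to the Callback URL and extract the code."""
    parsed = urlparse(callback_request_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base != CALLBACK_URL:
        raise ValueError("callback arrived at an unregistered URL")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not match the flow we started")
    if "error" in query:
        raise ValueError(f"provider denied the request: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(code, credentials_in_header=True):
    """Exchange the code for an access token at the Token Endpoint URL.

    credentials_in_header mirrors the 'Send client credentials in header'
    checkbox: True puts the Consumer Key/Secret in an HTTP Basic header,
    False puts them in the form body instead.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": CALLBACK_URL,   # must match the one used in the authorize step
    }
    if credentials_in_header:
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    return {"method": "POST", "url": TOKEN_ENDPOINT, "headers": headers, "body": body}


def run_flow(callback_request_url, state, credentials_in_header=True):
    """Second half of the flow: validate the callback, then build the token request."""
    code = parse_callback(callback_request_url, state)
    return build_token_request(code, credentials_in_header)


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(["read", "write"], state))
    # Constructed redirect, as the API would send it after the user clicks Allow.
    redirect = f"{CALLBACK_URL}?code=constructed-code&state={state}"
    print(run_flow(redirect, state))
```

The two checks in `parse_callback` are why Step 3 has you register the Callback URL in the app and why the provider generates a `state` value: a code that arrives at any other address, or without the expected `state`, is rejected before it is ever exchanged for a token.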

And that’s pretty much it! 🙂
You can now use this Named Credential in External Services (and also in Apex or External Data Sources).

Hope you find this useful! Catch you in the next one! ✌
And thank you for being an awesome reader! Subscribe to this blog to receive all the latest updates straight to your inbox. 🙂

14 thoughts on “External Services: Set up Named Credentials for OAuth 2.0”

  1. Pingback: From Narender Singh: External Services: Set up Named Credentials for OAuth 2.0 – UnofficialSF

  2. Great article, Narender. I am trying to implement this for my use case and am not able to figure out how to make it work.

    I have a Token URL; Client ID, Secret Key and API URL from the vendor supplying the API.
    Eg:
    Token URL: https://api.com/abc/def/auth/token
    Client ID: sdfasdfjhasdofiuashdfoiasdfasdf
    Secret Key: sdfasdkfjhasdkfjh
    API URL endpoint: https://api.com/abc/def/xyz/cab/apimethod

    Using Postman, I am able to access the token URL, supply the client ID and secret key, get the token, POST to the API URL and get a success message. All I am trying to do is authenticate to the endpoint.

    But using an Auth Provider and Named Credential, I am not able to get through. Thoughts?


      • Ty! This is a custom API built by one of our clients. And yes, it supports OAuth 2.0, as I am able to hit it using Postman. Upon further research, I see the difference between Postman and Salesforce is that Postman allows me to set grant type = Client Credentials, but SF does not give me that option. I think it uses grant type = authorization code? I don’t know how/where to set it to client credentials. Ty


      • I’m not 100% sure, but it does use “Auth. Code” as the grant type. And I don’t think you can set the grant type explicitly.

        What happens when you initiate OAuth via Named Creds?

        Also, it might be worth asking the client to support authorization code as grant type on their API.


  3. Hello!
    Thanks for the great article!
    I am trying to connect to the Clearbit Person Stream API. I have an Authorization key, which I put in the header in Postman, with the value “Bearer XXXXXXXXXXXX”.
    How do I go about implementing this?
    Do I still need a connected App?

    Thanks!


  4. Hi Narender, great article! I just wish I could make my use case work as easily as this seems like it should be. My scenario is trying (ultimately) to make a callout to an API (Experian) via Apex, but I cannot get past getting the Named Credential to authenticate. (I’m getting {“errorType”: “Unauthorized”,”message”: “Access to the requested resource is not allowed”}.)

    I am able to connect to the API via Postman, but cannot seem to get the SF Named Credential configured. I have gone through the steps you have listed and just cannot figure out why or what is missing. (If you wanted to try, you can self-register for the web service at Developer.experian.com (Apps: (US) Businesses/premierprofiles), or I would be happy to grant you access to my dev org.)

    Any insight would be greatly appreciated.
