
Named Credential authentication with GoToWebinar (OAuth2)

Salesforce Asked by Deployment Failure on September 13, 2020

I am trying to connect Salesforce with GoToWebinar (GTW) to automate webinar activities within my Salesforce app. I am attempting to use Named Credentials (OAuth2) to authenticate with GTW.

I have followed their documentation on how to authorise users, and also found another post on here, in another question, from someone that's experienced issues.

Following both pages I created the following:

GTW OAuth Client

Auth Provider
(the callback URL is added in the GTW OAuth client settings)

Self Signed Cert


Named Credential


When I save the Named Credential it initiates the auth flow, but GTW returns an unexpected error. The problem is that because it's all in the UI, I can't really debug what the issue is.

I have also tried running the following anon apex to run a test endpoint request:

HttpRequest req = new HttpRequest();
req.setEndpoint('callout:GoToWebinar/G2W/rest/v2/organizers/(MYORGID)/webinars');
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());

This returns a 403 error in the response.

Can anyone help me debug this issue?

One Answer

I was able to set up a named credential to GoToWebinar (trial version) on my developer org and also get a successful HTTP response (status code 200) for the anonymous apex code given in your question. As mentioned in the other link in your question, enabling 'Send client credentials in header' in the Auth provider settings is essential.

The problem I see in your screenshots is the scope values (for both Auth Provider & Named credential). According to Salesforce documentation here, valid scopes vary depending on the third party; refer to your third-party documentation. But the values you have used are Salesforce scopes (which are invalid for GTW). Hence, when the OAuth flow is initiated (upon Named credential save), GTW doesn't recognize the value as a valid scope and refuses to authenticate & authorize. In your case, you should be referring to the client app (OAuth client) created in GoToWebinar for valid scope values (see screenshot below for reference).


The valid scope value for the client app shown in this screenshot is 'identity:scim.me collab:' and you should be specifying this value either in the Auth provider settings or in the Named credential. It's not required to specify it in both places. The scope specified in the Named credential will override the default scope specified in the Auth Provider. If scope is not specified in the Named credential, then the Auth provider scope will be used.

Also, your apex code is missing the required query parameters (fromTime & toTime) for the REST endpoint. Refer to the official documentation here. GTW will respond with an HTTP 403 or 401 for incorrect endpoints. With the correct parameters, I was able to get a successful response.

UPDATE: [This section outlines a specific problem related to access token expiry and how it is handled between Salesforce & GoToWebinar.]

Enable 'Allow Merge Fields in HTTP Header' in the Named Credential settings. This seems to be essential for fetching a new access token after the existing access token expires. [The screenshots in your question show this option enabled, but I'm not sure if you had this disabled later]

The access and refresh tokens received from GTW during the initial auth handshake are valid for 60 min and 30 days respectively. After the access token expires, any web request sent to GTW should send a 401 HTTP status response and the caller (in our case SF through Named Credential & Auth Provider) should be able to fetch a new access token using the refresh token. But, unfortunately, that doesn't happen because GTW sends HTTP status codes 403 or 400 for any request that is missing a parameter or has an incorrect endpoint URL. So, a new access token is not fetched and the web request fails.

Although I couldn't find any official documentation from Salesforce, enabling 'Allow Merge Fields in HTTP Header' seems to send additional required parameters in the callout and GTW is able to respond with a new access token.

Hope this helps.

Correct answer by arut on September 13, 2020
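
The callout from the question with the fromTime and toTime query parameters the answer says are required, written here as an added example that is not part of the original question or answer. The ISO 8601 UTC timestamp format, the 30-day window, the Accept header and the timeout are assumptions; the Named Credential name and the (MYORGID) placeholder are taken from the question.

```apex
// Added example, not the answerer's code. Run as anonymous Apex.
// Assumption: GTW expects fromTime/toTime as ISO 8601 UTC timestamps.
String isoUtcPattern = 'yyyy-MM-dd\'T\'HH:mm:ss\'Z\'';
String organizerKey = '(MYORGID)'; // placeholder, as in the question

// Assumed window: 30 days either side of now.
Datetime fromTime = Datetime.now().addDays(-30);
Datetime toTime = Datetime.now().addDays(30);

// URL-encode the values so the ':' characters survive in the query string.
String query = '?fromTime=' + EncodingUtil.urlEncode(fromTime.formatGmt(isoUtcPattern), 'UTF-8')
    + '&toTime=' + EncodingUtil.urlEncode(toTime.formatGmt(isoUtcPattern), 'UTF-8');

HttpRequest req = new HttpRequest();
// The Named Credential supplies the host and the OAuth bearer token,
// so no token or client secret appears in code or in the debug log.
req.setEndpoint('callout:GoToWebinar/G2W/rest/v2/organizers/' + organizerKey + '/webinars' + query);
req.setMethod('GET');
req.setHeader('Accept', 'application/json');
req.setTimeout(20000);

HttpResponse res = new Http().send(req);
Integer statusCode = res.getStatusCode();

if (statusCode == 200) {
    System.debug('Webinars: ' + res.getBody());
} else if (statusCode == 401) {
    // The status the answer says should lead to a refresh-token exchange.
    System.debug(LoggingLevel.WARN, '401 from GTW: access token rejected or expired.');
} else if (statusCode == 400 || statusCode == 403) {
    // Per the answer, GTW uses these for missing parameters or wrong endpoint
    // URLs, so check the request and the configured scope as well as the token.
    System.debug(LoggingLevel.WARN, statusCode + ' from GTW for ' + req.getEndpoint()
        + ': ' + res.getBody());
} else {
    System.debug(LoggingLevel.ERROR, 'Unexpected status ' + statusCode + ' ' + res.getStatus());
}
```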
