Salesforce Merge API authentication using Bearer token - api

Im completely new to Salesforce and API's.
Im trying to make a Merge record call using SOAP API . Using Postman for the same .
I have imported the WSDL to my local , Called Login method to get the serverURL and sessionId.
Using these parameters to make subsequent merge calls .
During the login , I have used username and password to authenticate .
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<login xmlns="urn:enterprise.soap.sforce.com">
<username>username</username>
<password>password+auth_token</password>
</login>
</soap:Body>
</soap:Envelope>
and getting the below response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns="urn:enterprise.soap.sforce.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<loginResponse>
<result>
<metadataServerUrl>https://**company_name**--dev.my.salesforce.com/services/Soap/m/54.0/00D0Q0000000QP8</metadataServerUrl>
<passwordExpired>false</passwordExpired>
<sandbox>true</sandbox>
<serverUrl>https://**company_name**--dev.my.salesforce.com/services/Soap/c/54.0/00D0Q0000000QP8/0DF0Q0000004Ct6</serverUrl>
<sessionId>**masked**</sessionId>
<userId>xxx</userId>
<userInfo>
.....
</userInfo>
</result>
</loginResponse>
</soapenv:Body>
</soapenv:Envelope>
Later im making the Merge call using the session ID returned from the above .
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:enterprise.soap.sforce.com"> xmlns:sobject="urn:sobject.enterprise.soap.sforce.com">
<soap:Header>
<urn:SessionHeader>
<urn:sessionId>**masked**</urn:sessionId>
</urn:SessionHeader>
</soap:Header>
<soap:Body>
<merge xmlns="urn:enterprise.soap.sforce.com">
<request>
<masterRecord xsi:type="sobject:Account" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Id xmlns="urn:sobject.enterprise.soap.sforce.com">0010Q00001abcdefgh</Id>
</masterRecord>
<recordToMergeIds>0010Q00001ijklmnop</recordToMergeIds>
</request>
</merge>
</soap:Body>
</soap:Envelope>
and able to merge the records.
My question is - what should the body be if i donot want to use username and password but use Bearer token.
Can i call the login method without passing username and password?

You might be a victim of XY problem. You can't do it in SOAP API, will REST API be an option?
SOAP API's login call demands username and password (+ optional "security token", extra thing you add to password if you log in from untrusted IP). There are no other ways around it.
REST API has more options for logging in but it'd help if you read up about OAuth2 a bit before diving in. You call login and (similar to SOAP API) get back endpoint to use from now on and access_token. That access_token acts like SOAP APIs session id, you use it in next requests. Most of the time they should be interchangeable, access_token obtained via REST should be good to use in SOAP API calls.
If you already have session id / access token (will look like "00D...!....", first part is org id which you can see in Setup -> Company information for example) - you don't need login call. Call the SOAP API's merge directly and pass that value in <urn:sessionId>.
If you don't have session id, want to log in but without hardcoding username and password in your application... You have LOTS of options. Selecting right method is an art and it depends what are you making. A website, a mobile app? For internal users or community? Will it hold some credentials (for example if it needs sysadmin powers, working in background without human interaction) or will it show users the SF login screen and redirect back to the app? There's even "Internet of Things" stuff for pieces of equipment reporting their status to SF or logging in on device without keyboard (TV, fridge) where you initiate process there and finish on laptop or phone...
If you've never heard about OAuth2 before it's a big topic, "login with Google/Facebook/Twitter/LinkedIn" is just a piece of it. You'll be better off reading some blogs, checking out https://trailhead.salesforce.com/en/content/learn/trails/build-integrations-using-connected-apps or even studying to the Identity and Access Manager certification. Clicking through https://openidconnect.herokuapp.com/ might help too.
There's "username-password flow" which looks almost like SOAP API's login.
There's web server flow and user-agent flow for websites & mobile apps to send user to SF login screen (can be really SF, can be some single sign-on, doesn't matter) and back to the app. So your app doesn't see the password, doesn't see any credentials
There's refresh token option in some of these flows (you logged in once with another method, your app received access_token but also refresh_token. When access expires - app can use refresh_token to silently get back to the system without asking user to log in again. For 60 days for example). So you could still have initial "human authorises connection between the apps" but then it can just work in the background
There's JWT flow which you'll have hard time trying in Postman but there are examples such as this and this. You establish trust between SF and your app by uploading a certificate to Salesforce, marking user as allowed to use this method and then the app sends a special request just with username, no password needed.

Related

Sonos SMAPI : AuthTokenExpired faults ignored in getLastUpdate and getMediaUri response

We are integrating the Sonos API.
We chose not to implement token refresh and so our tokens last for 1 year until when the user has to reauthorize again.
During my tests, I successfully get the reauthorize popup when the AuthTokenExpired fault is returned while browsing (in response to getMetadata).
But every time the Fault is returned from a call to getMediaMetadata, I get the default error message "Unable to play the radio station". I would expect to see the reauthorize popup instead.
Quoting from Sonos documentation about authentication tokens :
If you do not implement refresh tokens, when the token expires, return the Client.AuthTokenExpired fault to indicate the user must manually log in and authenticate again. The Log-Message is a string placed in the log messages for this fault code.
Here is the problematic dialog between our SMAPI server and Sonos application/speaker :
31/03/2020 14:24:27 641 SonosApi Request http://www.sonos.com/Services/1.1#getMediaMetadata "<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<credentials xmlns="http://www.sonos.com/Services/1.1">
<deviceId>78-28-CA-9F-86-8E:8</deviceId>
<deviceProvider>Sonos</deviceProvider>
<loginToken>
<token>1fa35465a-6bbc-4cf4-b46f-0e12be5b3216</token>
<householdId>Sonos_W6VyCDwgI8ZadAWceKQ1avPrtd</householdId>
</loginToken>
</credentials>
<To s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://dev8.local.st-corp.fr:8001/SonosService.svc</To>
<Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://www.sonos.com/Services/1.1#getMediaMetadata</Action>
</s:Header>
<s:Body>
<getMediaMetadata xmlns="http://www.sonos.com/Services/1.1">
<id>14740</id>
</getMediaMetadata>
</s:Body>
</s:Envelope>"
31/03/2020 14:24:27 875 SonosApi Reply "<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header />
<s:Body>
<s:Fault>
<faultcode>s:Client.AuthTokenExpired</faultcode>
<faultstring xml:lang="fr-FR">The token is expired</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>"
Edit:
Refering to the updated documentation and your answer, I should only return AuthTokenExpired fault in calls to getMetadata and getMediaUri.
But what should I answer to a call to getMediaMetadata knowing that the access token is expired ?
Looking at my messages logs, I see that when a user click on a streamable item, the following calls are made in the following order :
getMediaMetadata (what would be the answer here knowing the token is already expired ?)
getMediaUri (AutTokenExpired should be handled here)
Correct me if I am wrong, but in order to build the call to getMediaUri, the Sonos client use the id returned from the last call to getMediaMetadata, which I can't provide because the token is already expired. Wouldn't it be better to handle AuthTokenExpired first in getMediaMetadata ?
Regards
The browse (getMetadata) and getMediaURI calls will respect the AuthTokenExpired fault. The re-authorization flow for these calls work as described in the Refresh expired authentication tokens section of the Use authentication tokens documentation. I'll update the documentation to reflect this.
If this does not work, submit a diagnostic to debug it. See support.sonos.com/s/article/141 for instructions. Copy your diagnostic number and email it to developer-feedback#sonos.com along with the time window, Sonos household ID, and your StackOverflow username.
You mentioned that when you send a fault in response to getMediaURI, you get an error message, but your example shows a getMediaMetadata call.
Sonos does not launch the re-authorization wizard when your server returns an AuthTokenExpired fault for getLastUpdate. When the Sonos speaker makes a getMediaMetadata call and it fails, it does not start playback. The user will also see that playback failed.

When using Quickbooks Online API Collections for Postman I'm getting an Authentication Error

I've gone through the steps shown here https://developer.intuit.com/docs/0100_quickbooks_online/0100_essentials/000300_your_first_request/first_request_with_postman#/Configuring_the_Postman_Authorization_header-1500 to use Quickbook's API Collection for Postman.
In Postman, I was successfully able to get a new access token. I also updated the {{baseurl}} to be "sandbox-quickbooks.api.intuit.com", and updated the {{companyid}} (aka the "RealmId") to be the appropriate value as shown in the "Manage Sandboxes" page of the developer site (i.e. https://developer.intuit.com/v2/ui#/sandbox).
BUT when I click "send" on the "Customer-ReadById" query (or any other query in the collection), I get the following Authentication error:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<IntuitResponse xmlns="http://schema.intuit.com/finance/v3" time="2017-08-16T11:52:00.611-07:00">
<Fault type="AuthenticationFault">
<Error code="100">
<Message>General Authentication Error</Message>
<Detail>AuthenticationErrorGeneral: SRV-110-Authentication Failure , statusCode: 401</Detail>
</Error>
</Fault>
</IntuitResponse>
My next step was to verify that I can query my sandbox using the OAuth 2.0 Playground tool on the developers site, which I can indeed do.
My questions then are: why am I getting this authentication error in Postman? Am I missing a step? Or has something changed in the Quickbooks Online API that has not yet been documented?
EDIT: I've managed to resolve my own issue after a decent amount of trial and error, and with a hint based on a response in the Quickbooks Online help area.
For those who may find this useful, my solution was to request a new access token (click "Get New Access Token" in Postman) and updated the "Scope" section to include "openid" such that the space delimited list read:
com.intuit.quickbooks.accounting openid profile email phone address
Using this new token with the updated scope allowed me to get the desired results.
I had the same problem but I resolved it differently. My issue was that in the requested token, the default to "Add token to" is URL, but it seems that the API requires the token to be in an Authorization header. Changing this to "Header" does just that.
For the "Customer-ReadById" endpoint, the only scope that should be necessary is com.intuit.quickbooks.accounting. My guess is you changed it to Header in your trial and error.

Shibboleth return username as HTTP Header instead of SAML attribute

Shibboleth IDP and SP are talking great and the data I need is in the SAML.
What configuration is required for allowing shibboleth to return an HTTP Header with the info I need(yes I know it's a bad idea but don't have a choice).
I'm running SP 2.6 on IIS and need an HTTP Header with the username in the shibboleth3 IDP response.
Here's what I've tried for attribute-map.xml
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
And it provides me with this data in the SAML
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">me#school.edu</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Due to the software I'm working with I need the username in the HTTP Header.
You can't have the Identity Provider release an HTTP header. That is not SAML Web Browser SSO profile.
You already have the middleware you are talking about, it's the Shibboleth Service Provider, and if your attribute-map.xml file is correct, you will be able to access the attributes from your application logic either as env variables or http headers as described here
An example for how an attribute is mapped to an HTTP header follows:
Let's say you
release the attribute with SAML name urn:oid:1.3.6.1.4.1.5923.1.1.1.6 from the IdP and that
in your SP attribute-map.xml you have an attribute decoder like:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Taking into consideration that
When using headers, the main difference is that instead of using the names defined via the mapping process, the application must prefix them with "HTTP_", and in most tools upcase the rest of the name as well.
The HTTP header will eventually be HTTP_NETID
As to how you can read the header values, as described in this thread,
To iterate through all that are passed:
foreach (string key in Request.ServerVariables.AllKeys)
To reference a specific value:
value = Request.ServerVariables[key];

OpenAM as IDP does not redirect back to SP

I got a problem with OpenAM. Need your help.
I installed OpenAM and simply configured it as an IDP - set name and circle of trust. Then I added a remote SP by uploading SP metadata, see below
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" mlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<EntityDescriptor entityID="http://192.168.0.6:8080/employee/">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</NameIDFormat>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.0.6:8080/employee/" index="1" isDefault="true" />
</SPSSODescriptor>
</EntityDescriptor>
</EntitiesDescriptor>
SP and IDP are in the same Circle of Trust.
When I do SAML request for auth from SP to IDP, I get to login page of OpenAM with SAMLRequest=... as URL params. Decoded SAMLRequest is below
<samlp:AuthnRequest AssertionConsumerServiceURL="http://192.168.0.6:8080/employee/"
Destination="http://192.168.0.7:8181/openam/" ForceAuthn="false"
ID="ID_479ff8a2-8dc5-44b5-997f-0438a2d87417" IsPassive="false"
IssueInstant="2015-01-07T13:31:01.067Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer>http://192.168.0.6:8080/employee/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>
Then i do login and come to user profile page in OpenAM, instead of redirect to SP. Why it happens? What should I configure to enable redirect back to SP?
There are several things you could do:
Don’t use IP address when installing OpenAM, because cookies will not be saved on such addresses, so you can easily encounter weird problems like this.
If you have goto URL validation enabled (by default it'd disabled), then there were some old bugs around not handling redirect URLs correctly. Not sure which version you are using, so this may not really apply to you.
You should capture the network traffic with tools like LiveHTTPHeaders Firefox plugin or similar, so you can see how the HTTP requests go around. That should help you determine where exactly are things going wrong.

Yodlee Token authentication failed for cobrand/user Stale conversation credentials</errorDetail>

I sometime get this error while trying to add Accounts(v1.0/jsonsdk/SiteAccountManagement/addSiteAccount1) or get MFA Response(v1.0/jsonsdk/Refresh/getMFAResponseForSite)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Errors xmlns="http://namespace.yodlee.com/pfm/2009/Error">
<Error>
<errorDetail>Token authentication failed for cobrand/user Stale conversation credentials</errorDetail>
</Error>
</Errors>
can someone help me that issue.
Thank you.
Yodlee doesn't allow multiple user login and hence this exception comes when you have logged in the user again by calling the Login(/authenticate/login​) API and still using the old userSessionToken.
Please use the login (/authenticate/login​) call once and use the same userSessionToken for all the API calls for next 25-30 minutes.