GlennCoppens

Named Credentials with MetadataWrapper after Sandbox refresh: "Session not found, missing session hash: ***hJPYB/***"

Hi,

I used this approach to make use of the Metadata API wrapper (developed by Andrew Fawcett) which supports making requests to the mdapi in a batchable context. 

Anyway, this works very well in our Production org, and it also did in our developer sandbox. Though, after refreshing the sandbox, the metadata (Auth Prov, Named Credential, Connected App) are being regenerated from what's defined in our Production org.

Unfortunately, this throws the following exception:
System.CalloutException: Web service callout failed: WebService returned a SOAP Fault: INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session. Session not found, missing session hash: ***hJPYB****

I think this exception should normally be handled by Salesforce as the response (from my debug statements) is a 401, which states "Unauthorized", by using the OAuth Scopes "full", "refresh_token" and "offline_access".

The only thing that comes to mind that might cause this is: why is the authenticated "Named Principal" still the username that I'm using in our production org? 


Any help or suggestions are very welcome,
Glenn
Pei Huang GS
Hi Glenn,

Glad to hear you found the blog post useful. I've actually never tried the exact scenario you describe, but I suspect you will need to reconfigure the Named Credential in your sandbox org after each refresh. As you noted, if the Named Principal still reflects your production org's username then it likely is still attempting to use Production tokens to access the Sandbox instance (assuming the URL was updated automatically as part of the refresh and doesn't still point at Production). 

Simply edit the credential and tick the "Start authentication flow on save" box and see if that helps.


Pei

GlennCoppens
Hi Pei,

Thanks for your answer.
Editing the credential results in the following error:
error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration

Which is probably due to the fact that the callback url in the Connected App is still pointing to the production instance. This should be set to match the callback url in the Auth Provider (which is correctly pointing to test.salesforce.com/***)
I don't think I can access the metadata in a PostRefresh class to update the Connected App and Named Credential.
Soooooo, for now, I think I will have to reconfigure the Named Credential setup every time and I can only hope that the new Apex Metadata API is going to support this quite soon ;)

The one question that remains and still bothers me, is why the authenticated username is my production username. I think this should/could/might never happen as this implies that sessions/tokens are not correctly "refreshed"? Or am I wrong?

Glenn
Pei Huang GS
I haven't had a chance to test it out, but my hypothesis is the whole Named Credential (from the metadata perspective) gets cloned into the Sandbox unadulterated - thus URL still pointing at Production; Username still pointed at Production etc. I suspect the underlying row in the database table that stores the current access token and refresh token in production does not get copied down; or if it does, it is now out of date and out of sync with what it should be. You'll then end up in a wacky state with the configuration for callback URLs amongst other things. 

I suspect this is something you'll just need to manually re-create after each Sandbox refresh, or wait for the official Apex Metadata API to come out (though note per official statements by the product team, there are some metadata types they never plan to support). 

Couple of further questions:
1) What happens when you use the Named Credential to call one of the REST APIs like /limits immediately after refresh? Which org does it actually call (production or sandbox) and does it work or not?
2) Are you expecting that as part of the Sandbox refresh, the named credential, auth provider, etc. will be automatically pointed to refer to the newly created Sandbox instance?
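One way to answer Pei's first question (which org the cloned Named Credential actually reaches after a refresh) is a small post-refresh check that calls back into Salesforce through the credential and compares the remote Organization Id with the org running the code. This is an added example, not code from the thread or from the Metadata API wrapper; it assumes a Named Credential named `Salesforce_Self` (hypothetical name) whose URL is the org's own base URL and which authenticates via OAuth.

```apex
// Added example (not from this thread): verify after a sandbox refresh that a
// Named Credential targets this org, not the production org it was cloned from.
// Assumes a Named Credential "Salesforce_Self" (hypothetical) whose URL is the
// org base URL, so REST paths can be appended to the callout: prefix.
public with sharing class NamedCredentialOrgCheck {

    public class OrgMismatchException extends Exception {}

    // Queries the Organization record through the Named Credential and
    // returns the remote org Id; throws if it is not the current org.
    public static String verifyTargetsThisOrg(String namedCredential) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:' + namedCredential
            + '/services/data/v58.0/query?q='
            + EncodingUtil.urlEncode('SELECT Id, IsSandbox FROM Organization', 'UTF-8'));
        req.setMethod('GET');

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // A 401 here after a refresh usually means the cloned credential still
            // carries the production principal but holds no valid token for this org.
            throw new OrgMismatchException('Callout failed: HTTP '
                + res.getStatusCode() + ' ' + res.getBody());
        }

        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        List<Object> records = (List<Object>) body.get('records');
        Map<String, Object> org = (Map<String, Object>) records[0];
        String remoteOrgId = (String) org.get('Id');
        Boolean remoteIsSandbox = (Boolean) org.get('IsSandbox');

        // Compare on the 15-character case-sensitive Id to ignore 15/18 differences.
        String localOrgId = String.valueOf(UserInfo.getOrganizationId());
        if (remoteOrgId.left(15) != localOrgId.left(15)) {
            throw new OrgMismatchException('Named Credential ' + namedCredential
                + ' reached org ' + remoteOrgId + ' (IsSandbox=' + remoteIsSandbox
                + ') but this org is ' + localOrgId);
        }
        return remoteOrgId;
    }

    // Example usage from Anonymous Apex after a refresh:
    // System.debug(NamedCredentialOrgCheck.verifyTargetsThisOrg('Salesforce_Self'));
}
```

If the callout succeeds but the remote Id belongs to production, the credential is still carrying production tokens and must be re-authenticated in the sandbox before any Metadata API callout is trusted.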