GlennCoppens
Named Credentials with MetadataWrapper after Sandbox refresh: "Session not found, missing session hash: ***hJPYB/***"
Hi,
I used this approach to make use of the Metadata API wrapper (developed by Andrew Fawcett) which supports making requests to the mdapi in a batchable context.
Anyway, this works very well in our Production org, and it also did in our developer sandbox. Though, after refreshing the sandbox, the metadata (Auth Prov, Named Credential, Connected App) are being regenerated from what's defined in our Production org.
Unfortunately, this throws the following exception:
System.CalloutException: Web service callout failed: WebService returned a SOAP Fault: INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session. Session not found, missing session hash: ***hJPYB****
I think this exception should normally be handled by Salesforce as the response (from my debug statements) is a 401, which states "Unauthorized", by using the OAuth Scopes "full", "refresh_token" and "offline_access".
The only thing that comes to mind that might cause this is: why is the authenticated "Named Principal" still the username that I'm using in our production org?
Any help or suggestions are very welcome,
Glenn
Glad to hear you found the blog post useful. I've actually never tried the exact scenario you describe, but I suspect you will need to reconfigure the Named Credential in your sandbox org after each refresh. As you noted, if the Named Principal still reflects your production org's username then it likely is still attempting to use Production tokens to access the Sandbox instance (assuming the URL was updated automatically as part of the refresh and doesn't still point at Production).
Simply edit the credential and tick the "Start authentication flow on save" box and see if that helps.
Pei
Thanks for your answer.
Editing the credential results in the following error:
Which is probably due to the fact that the callback url in the Connected App is still pointing to the production instance. This should be set to match the callback url in the Auth Provider (which is correctly pointing to test.salesforce.com/***)
I don't think I can access the metadata in a PostRefresh class to update the Connected App and Named Credential.
Soooooo, for now, I think I will have to reconfigure the Named Credential setup every time and I can only hope that the new Apex Metadata API is going to support this quite soon ;)
The one question that remains and still bothers me, is why the authenticated username is my production username. I think this should/could/might never happen as this implies that sessions/tokens are not correctly "refreshed"? Or am I wrong?
Glenn
I suspect this is something you'll just need to manually re-create after each Sandbox refresh, or wait for the official Apex Metadata API to come out (though note per official statements by the product team, there are some metadata types they never plan to support).
Couple of further questions:
1) What happens when you use the Named Credential to call one of the REST APIs like /limits immediately after refresh? Which org does it actually call (production or sandbox) and does it work or not?
2) Are you expecting that as part of the Sandbox refresh, the named credential, auth provider, etc. will be automatically pointed to refer to the newly created Sandbox instance?
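The check asked about in question 1, as an added Apex example that is not part of the thread: instead of /limits it queries the Organization record through the Named Credential, because that response identifies which org actually answered. The credential name `Metadata_API` and the REST API version `v41.0` are assumptions, not values from the posts.

```apex
// Added diagnostic, not code from the thread or from the Metadata API wrapper.
// Deploy to the refreshed sandbox, then run from anonymous Apex:
//   System.debug(JSON.serialize(NamedCredentialTargetCheck.check('Metadata_API')));
// 'Metadata_API' is a hypothetical Named Credential name; v41.0 is an assumed API version.
public class NamedCredentialTargetCheck {
    public class Result {
        public Integer statusCode;      // HTTP status of the callout
        public String localOrgId;       // org this code is running in
        public String remoteOrgId;      // org that answered the callout
        public Boolean remoteIsSandbox; // Organization.IsSandbox of the answering org
        public Boolean sameOrg;         // true only if the credential points at this org
        public String errorBody;        // response body when the callout did not return 200
    }

    public static Result check(String credentialName) {
        Result r = new Result();
        r.localOrgId = UserInfo.getOrganizationId();
        r.sameOrg = false;

        // The Organization row is returned by whichever org the stored token belongs to.
        String soql = 'SELECT Id, IsSandbox FROM Organization';
        HttpRequest req = new HttpRequest();
        req.setMethod('GET');
        req.setEndpoint('callout:' + credentialName
            + '/services/data/v41.0/query?q=' + EncodingUtil.urlEncode(soql, 'UTF-8'));

        HttpResponse res = new Http().send(req);
        r.statusCode = res.getStatusCode();
        if (r.statusCode != 200) {
            // For example a 401 when the stored token is not valid for the target instance.
            r.errorBody = res.getBody();
            return r;
        }

        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        List<Object> records = (List<Object>) body.get('records');
        if (records == null || records.isEmpty()) {
            return r;
        }
        Map<String, Object> org = (Map<String, Object>) records[0];
        r.remoteOrgId = (String) org.get('Id');
        r.remoteIsSandbox = (Boolean) org.get('IsSandbox');
        r.sameOrg = (r.remoteOrgId == r.localOrgId);
        return r;
    }
}
```

A result with `sameOrg` false and `remoteIsSandbox` false means the credential is still reaching another, non-sandbox org; a non-200 status with an `INVALID_SESSION_ID` body means the stored token was rejected by the instance the credential's URL points at.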