VishalAsc

Calling external service from apex - security review trouble

Hi,

I have created a managed package and I am calling an external service from that managed package.

1. The external service is hosted on a dedicated server.

2. Anybody installing my app will be calling that service on that dedicated server. Salesforce orgs installing my package won't have to buy a server where they host the external service, because it is provided by us. So, every SFDC instance uses the same server.

3. During security review, SFDC says that there is no authentication when calling the service.

4. My scenario is that I don't need authentication. Whoever installs my app should be able to call our service.

Even so, if I have to implement authentication on my service, how do I authenticate SFDC users? Do I need to first ask them to become users in a database which would be used by the external service to authenticate users? Is this how famous applications (like Conga, EchoSign, etc.) authenticate users?

Thanks,

Bakul

kiranmutturu

Generally, whenever you are trying to call the service, you need to set that service in Remote Site Settings to make that call secured. Maybe this is missing.

VishalAsc

Hi Kiran,

Yes, I have added that service in remote settings.

But the issue that SFDC is raising is that the web service that I am calling is not authenticating the callers (SFDC users). And as such, I don't need to authenticate that.

Thanks,

Bakul

Starz26

I know EchoSign requires the use of an API key to authenticate users of their service.

I believe the security review is raising an important issue.

1. What is the possibility that someone can figure out the call to your service and thus gain access to any information there? Possibly information stored as a result of SF users using your service?

Just guessing here, but having a service set up where no authentication takes place leaves all information there vulnerable. Possibly what SF is concerned about... maybe...
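
Added example, not part of the original thread or any poster's code: a sketch of how the external service could authenticate callers with a per-org API key, checking an HMAC signature on each request instead of accepting anonymous calls. The org ID, secret, function names and the five-minute window are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: org ID -> per-org secret issued to that org.
# Assumption: a real service would load these from a secrets store.
ORG_SECRETS = {"00D000000000001": b"constructed-secret-org-1"}
MAX_SKEW_SECONDS = 300  # limits how long a captured request stays replayable


def sign_request(secret, org_id, timestamp, body):
    """HMAC-SHA256 over org ID, timestamp and body; the caller sends the
    hex digest alongside the request (for example in a header)."""
    message = f"{org_id}\n{timestamp}\n".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(org_id, timestamp, body, signature, now=None):
    """Return True only for a fresh request signed with that org's secret."""
    now = int(time.time()) if now is None else now
    secret = ORG_SECRETS.get(org_id)
    if secret is None:
        return False  # unknown org: no key was ever issued
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request
    expected = sign_request(secret, org_id, timestamp, body)
    # Constant-time comparison on bytes avoids leaking how many characters match.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    ts = int(time.time())
    payload = b'{"action":"generate"}'  # constructed request body
    sig = sign_request(ORG_SECRETS["00D000000000001"], "00D000000000001", ts, payload)
    print("valid request accepted:", verify_request("00D000000000001", ts, payload, sig))
    print("tampered body accepted:", verify_request("00D000000000001", ts, b"{}", sig))
```

Because the secret itself never travels with the request, someone who observes one call cannot sign a different one, and revoking a single org's key does not affect other installs.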

VishalAsc

When can I issue an API key to my app's SFDC users?

Is there a way to capture the installation event and then call the web service to receive an API key?

Thanks,

bakul

VishalAsc

Can any expert please chime in?