2
  • I have a managed 2GP that I want to publish on AppExchange
  • This package uses triggers to make external service callouts (ex. https://example.com/api/v1/sfdata)
  • I want the callouts to be authenticated with external service using OAuth JWT Bearer token flow
  • This requires a signing certificate
  • Certificates can't be packaged; named credentials can be packaged

I have read a few answers here on SF Stack Exchange that a connected app can help with this, and that the connected app need not be packaged

  1. I create a connected app in my PBO
  2. Upload certificate to the connected app

  1. How do I access the certificate from the connected app to be used with externalCredential in the installed package in the subscriber org?
  2. The only thing that can actually link a managed package with the certificate and connected app is the namespace, so what changes do I need to make to Apex or metadata to access the certificate?

What is the standard way to do something like this, if the above approach is incorrect?

6
  • 2
    I suspect you have your wires crossed here and that a Connected App won't help you in the way you want to go. You need to have a post-install admin page where the admin creates or uploads a certificate, and the page then uses the Connect API to explicitly create the external credentials to be used by the named credentials that expose the endpoint you want. I would be very interested to see where you get to. Commented Aug 5, 2024 at 11:05
  • @PhilW I'm able to package the credentials, and I think I can also update the external credentials using the Connect API, but what I don't want to be doing is making the org admin create the certificate. Is there no way for me to access the certificate in the connected app? Commented Aug 5, 2024 at 11:12
  • 1
    I recommend you try raising this question over on the Partner Zone - you need a partner account to access this - since I know there are partners who have solutions for using the new named credentials in managed packages. We gave up - we couldn't figure a way to do this, so we did all the OAuth stuff for ourselves. Named credentials, IMHO, are not package friendly. I'm sure the Salesforce PM for them would disagree, but we could not see how to use them successfully. Commented Aug 5, 2024 at 12:44
  • 1
    @PhilW NCredentials are creating quite a headache for managed 2gp, would you know if remote site settings is security review friendly? Commented Aug 7, 2024 at 4:32
  • 1
    Yes, remote site settings can be included in a 1GP or 2GP managed package without issues during security review. The question comes around how and where you store any necessary "credentials" or "tokens". This can be achieved successfully using protected settings or protected custom metadata type records. Commented Aug 7, 2024 at 9:52
