I have my Salesforce organization configured to use SSO through Azure Active Directory. Now I'm trying to use Azure AD and the 'On Behalf of Flow' to authenticate to the Salesforce REST API.
For the Setup of API A in the diagram I have added the user_impersonation permission for Salesforce and have granted Admin Consent for it.
I'm able to successfully authenticate to API A and complete the token exchange, and receive a token for Salesforce. However, when calling Salesforce using the token I get back from Azure AD, I receive a 401 Unauthorized.
This is the code I'm using on Web API A to exchange for the Salesforce access token:
// Namespaces this snippet needs (at the top of the controller file)
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.Extensions.Configuration;
using Microsoft.Identity.Client;

//Get the original JWT From the header
var authZhdr = Request.Headers.FirstOrDefault(h => h.Key.Equals("Authorization"));
var token = authZhdr.Value.FirstOrDefault().Substring("Bearer ".Length);
//Exchange original JWT for Salesforce Token
IConfidentialClientApplication clnt = ConfidentialClientApplicationBuilder
    .Create(_config.GetValue<string>("AzureAd:ClientId"))
    .WithClientSecret(_config.GetValue<string>("AzureAd:ClientSecret"))
    .WithAuthority(AadAuthorityAudience.AzureAdMyOrg)
    .WithTenantId(_config.GetValue<string>("AzureAd:TenantId"))
    .Build();
UserAssertion ua = new UserAssertion(token);
// await rather than .Result so the request thread is not blocked on the token call
var res = await clnt.AcquireTokenOnBehalfOf(new string[] { "https://<my-org>-dev-ed.my.salesforce.com/user_impersonation" }, ua).ExecuteAsync();
var access_token = res.AccessToken;
var http = new HttpClient();
http.BaseAddress = new Uri("https://<my-org>-dev-ed.my.salesforce.com/services/data/v50.0/");
// AuthenticationHeaderValue is the type HttpClient expects for the Authorization header
http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", access_token);
// relative path without a leading slash, otherwise the /services/data/v50.0/ base path is dropped
var resp = await http.GetAsync("sobjects/Account");
Console.WriteLine(resp.StatusCode); //401 Unauthorized
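The first thing worth checking before sending the token from the On-Behalf-Of exchange to Salesforce is who actually minted it. The OBO call above returns an Azure AD access token whose audience is the Salesforce app registration; Salesforce's REST API only honours access tokens issued by Salesforce itself through one of its own OAuth flows, so an Azure AD token is rejected with 401 regardless of how valid it is to Azure AD. The following diagnostic, added here as an example and not part of the question or of any Microsoft or Salesforce library, decodes a bearer token's payload without verifying it, reports the issuer, and says whether Salesforce REST would accept it. The tenant id, app audience and token values are constructed placeholders; the Salesforce host is an assumed My Domain name.

```python
import base64
import json

# Issuer prefixes that identify tokens minted by Azure AD (v1 and v2 endpoints).
AZURE_AD_ISSUER_PREFIXES = (
    "https://login.microsoftonline.com/",
    "https://sts.windows.net/",
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT.

    Inspection only: the signature is deliberately NOT verified, because the
    goal is to read `iss`/`aud` to see which service minted the token, not to
    trust it. Raises ValueError for anything that is not a JWT.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def classify_bearer_token(token: str, salesforce_host: str) -> str:
    """Diagnose who issued `token` and whether Salesforce REST would accept it.

    `salesforce_host` is the org's My Domain host (assumed name in the sample).
    """
    try:
        claims = decode_jwt_claims(token)
    except ValueError:
        # Salesforce's own access tokens are opaque session IDs ("00D...!AQ..."),
        # not JWTs, so a non-JWT is not by itself a sign of a problem.
        return "opaque token: not a JWT; may be a Salesforce-issued session token"

    iss = claims.get("iss", "")
    aud = claims.get("aud", "")
    audiences = aud if isinstance(aud, list) else [aud]

    if iss.startswith(AZURE_AD_ISSUER_PREFIXES):
        # An Azure AD token scoped to the Salesforce app registration proves
        # Azure AD consented to the exchange, but Salesforce REST only honours
        # tokens minted by Salesforce itself, so this one gets a 401.
        if any(salesforce_host in a for a in audiences):
            return "azure-ad-token (aud = Salesforce app registration): Salesforce REST rejects it (401)"
        return "azure-ad-token (aud = some other resource): Salesforce REST rejects it (401)"

    if salesforce_host in iss or iss.startswith("https://login.salesforce.com"):
        return "salesforce-issued JWT: acceptable as a Bearer to Salesforce REST"
    return f"unknown issuer {iss!r}: do not assume Salesforce will accept it"


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Build an alg=none JWT for offline demonstration only (constructed sample)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample shaped like the Azure AD v1 access token the OBO exchange
# returns; tenant id, audience and UPN are placeholders, not real values.
SALESFORCE_HOST = "my-org-dev-ed.my.salesforce.com"
SAMPLE_OBO_TOKEN = make_unsigned_sample_jwt({
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "aud": f"https://{SALESFORCE_HOST}",
    "scp": "user_impersonation",
    "upn": "user@example.com",
})

if __name__ == "__main__":
    print(classify_bearer_token(SAMPLE_OBO_TOKEN, SALESFORCE_HOST))
    # constructed placeholder in the shape of an opaque Salesforce session token
    print(classify_bearer_token("00D000000000000!AQEAQ_placeholder", SALESFORCE_HOST))
```

Run against the real value of `access_token` from the snippet above, the classifier reports an Azure AD issuer, which is exactly why Salesforce answers 401: the token needs to come from Salesforce's own token endpoint, not from Azure AD's.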