I have setup a site but when i am opening this site i am getting this
type error, Authorization Required
You must first log in or register before accessing this page. If you
have forgotten your password, click Forgot Password to reset it.
click and check image
You need to make sure that the visualforce page which you created has access to Guest user profile. To navigate to Guest user, do as below:
Go to Setup -> Develop -> Sites -> Click Site name -> Public Access Settings
The sites under Digital Experiences / All sites are called Experience Cloud sites.
The sites under Sites and Domains > Sites are called Salesforce sites.
These are different categories of sites and they come with different behaviors.
Based on the screenshot you shared with me, (the url has force.com included), it looks like your site is in the second category, please be aware of that:
Users from the Salesforce sites can only see their own data. If your program is trying to access data recreated by other, you will get the Authorization Required error.
As a way to test this, try to comment out the SOQL statements, the error message may go away.
also check out the following link:
https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_user.htm&type=5&release=228
The Secure guest user record access setting was enabled in Summer ’20, but could still be disabled during that release. To safeguard your Salesforce org’s data, in Winter ’21, this setting is enabled in all orgs with communities or sites and can't be disabled. The Secure guest user record access setting enforces private org-wide defaults for guest users and requires that you use guest user sharing rules to open up record access. You also can't add guest users to groups or queues or grant guest users record access through manual sharing or Apex managed sharing.
Related
I have a little bit of problem with the authentication on Sitecore website. Basically there is a button on the navbar, and when user clicks on the button, it redirects the same user to Salesforce to log in (Implementation of SSO). Basically I am using Salesforce as a identity provider and Sitecore Website as a service provider. Now I have a question? When user is logged, how can I get the ID of that user.
Do users in Sitecore User Manager have the same ID as the users in Salesforce, or I can just get a email to identify the user?
P.S: Sorry if this is a really stupid question, but I am a begineer when it comes to making Sitecore websites and the SAML SSO. Thank you in advance
Stop with the Sitecore and Salesforce for a second, you'll need to cover some basics and click through the login process manually before you automate it.
You probably are using a "connected app" in Salesforce that includes OAuth2 config (consumer key also known as client id; a secret; a list of scopes telling what this app is allowed to do on behalf of this SF user; a list of allowed urls that can login using this consumer key and secret. Etc.) It might even have something about Canvas Apps at bottom of the page.
Next would be - who's logging in. A core Salesforce user or do you have Partner Community, Customer Community (recently rebranded to "Digital Experiences").
Open incognito window and go to https://openidconnect.herokuapp.com/
For login host leave as is if you have production user or test.salesforce.com if you go from sandbox (you can also use branded urls, mycompany--dev.my.salesforce.com etc). If you have a community user you'll have to change the url to whatever is the community base url, like https://dev-mycompany.cs123.force.com/mycommunity
Don't change anything else, click next, next, next. This will take you through OAuth2 "web server flow" (one of many ways to log in). You type the username/password to SF screen and go back to that herokuapp with "authorisation code". The app has few minutes to swap that code for actual final "access token" and couple other pieces of info. Final step in this wizard calls OpenId "userinfo" - returning some info about the user that logged in. That's where you could pull the email if needed (and if there are extra fields you'd like SF to return in this process that's configurable too)
Close that browser window. Check the "connected app" in SF. Open new incognito window, do same thing but this time put your url, consumer key and secret (you might have to edit the app in SF first to allow callbacks to https://openidconnect.herokuapp.com/callback).
So now you should have rough idea about whole login process. Your sitecore app probably does same thing, receives authorisation code and exchanges it for final token. At that point you have valid SF session ID you could use to call that "userinfo", run queries (if the app allowes API access, check the "scopes") etc.
I doubt the Sitecore developer created it all by hand, you probably have some Spring stuff like spring.security.oauth2.client... My Java days are long gone but if you get better at manual click-click-click through the flow you should be able to follow existing code?
It's a big topic and there are other ways to do it (other OAuth flows, sending info about the current user when you have external page embedded in SF as iframe, you'd need to read about "canvas apps")... but that's best guess based on info you provided. You might want to check some trailhead courses too like https://trailhead.salesforce.com/content/learn/projects/build-a-connected-app-for-api-integration/implement-the-oauth-20-web-server-authentication-flow
https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_oauth_and_connected_apps.htm
https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm (Java but very hand-crafted raw HTTP, probably that Spring security is better)
I am trying to access the multiple communities in multiple salesforce sites with same connected-app but could not.
For example: I have created the two salesforce sites A and B. And created connected-app in A. To access rest API of A, i could authenticate with connected-app in A, But how to connect with B with using the same client_secret and client_id by differs in user_name and password?
Or is there any way to connect with REST API with username and password as creds?
Example: There is community_A1, community_A2 in Site A and community_B1 , community_B2 in Site B.
I need to access communities in both the Sites
This should work out of the box, what errors you're getting?
You can have 1 set of consumer key and secret and (if admin in target org didn't block it) you could use this to login to any SF in the world, sandbox or production, core SF or community.
Imagine being a developer of mobile app that pulls data from salesforce. You'd want to have just 1 pair of keys, not install separate key for every org people might install your app...
All org-specific stuff you need is username, password and login url. For community the login url will look like https://sandboxName-MyDomain.cs123.force.com/communityName
Once you have that, you can inspect all the OAuth2 stuff at https://sandboxName-MyDomain.cs123.force.com/communityName/.well-known/openid-configuration
Have you played with https://openidconnect.herokuapp.com/ ?
Paste your community url, for now keep the client and secret as is, click next. Login to community and keep clicking next. It should work fine and at the end - give you access_token / session id.
Now close this browser completely / open new incognito window and do it again. This time give your login url but also client and secret. Next, Next... Check the user's login history, it should mention your connected app now.
Now close this and do it last time, with the other community's login url and another user's credentials but still with your client and secret.
is there any way to connect with REST API with username and password
as creds?
Not for community. Internal users can get access in one go with https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_username_password_flow.htm&type=5 but community/experience users need this interactive login, there has to be a human consent / password typing step. And anyway it's not very secure flow. "Experience Cloud sites don’t support the OAuth 2.0 username-password flow."
In a pinch you could try the SOAP API's login method but from what I remember you may need to pass the community's Id in the message then
Connected-app is global metadata in salesforce. Once we create a connected-app in one org, then can access any salesforce site with the same client_id,client_secret, unless the admin has blocked the access.
I needed to add the custom profile into the community members to allow the access to the community via API (Community workspace -> administration -> members -> profiles.)
I'm building a static website in Azure and want to use this function:
https://learn.microsoft.com/de-de/azure/static-web-apps/authentication-authorization
When I try to invite a user, it explains that an administrator as to accept this invitation, but where does he have to do this? I cannot see an option for this in portal.azure.com
it also seems not to be possible to "preload" the roleassignments to the users. because on the "acccessmanagement" site for this website in portal.azure.com it grants the access to the complete resource in portal.azure.com, but I just want the user to use the website.
Any ideas?
Thanks,
kind regards
If you are following the invitation instructions in that document, you need to copy the link from the "Invite" link box and actually send it to the person.
Navigate to a Static Web Apps resource in the Azure portal.
Under Settings, click on Role Management.
Click on the Invite button.
Select an Authorization provider from the list of options.
Add either the username or email address of the recipient in the Invitee details box. For GitHub and Twitter, you enter the username. For all others, enter the recipient's email address.
Select the domain of your static site from the Domain drop-down.
The domain you select is the domain that appears in the invitation. If you have a custom domain associated with your site, you probably want to choose the custom domain.
Add a comma-separated list of role names in the Role box.
Enter the maximum number of hours you want the invitation to remain valid.
The maximum possible limit is 168 hours, which is 7 days.
Click the Generate button.
Copy the link from the Invite link box.
Email the invitation link to the person you're granting access to your app.
I have a website named satellite.com built by AngularJS+NodeJS+MongoDB, it has an authentication system by ID & password, or third-parties like Google, GitHub. It already has many user accounts.
Now, I want to build a new website named umbrella.com, its authentication system and its database by ReactJS+NodeJS+MongoDB. Umbrella.com will include the functionalities of satellite.com (which will ideally share code with satellite.com) and some other functionalities. In the future, I want both satellite.com and umbrella.com to exist and work (though satellite.com may systematically redirect to umbrella.com/satellite/).
I wonder how umbrella.com can use the existing user accounts of satellite.com. Ideally, I hope
existing users of satellite.com could sign in umbrella.com with their old credentials, and have access to their data of satellite.com
new users could sign up on satellite.com, which will be valid to umbrella.com too
new users could sign up on umbrella.com, which will be valid to satellite.com too
I have total control of the two websites. Does anyone have a clear suggestion on how to structure and share the authentication system and the database of these 2 websites?
Edit 1: one issue is that when I set up Google Authentication for satellite.com, I remember that the domain name (i.e., satellite.com) was required. So now, can we use these authentications for another domain name (i.e., umbrella.com)?
If you are not using third party authentication like Google Auth or something where you have to specifically register your domain you can achieve that by following steps:
You can keep one database structure for both website with different
front-end. For that you user can login to both websites using same
credentials.
You can also go with one backend (Node server) for both the websites
as its seems like both are same and having same functionality.
Front-end can be different.
I am exposing a page with a standardcontroller="account" to a force.com site facing the public. This page displays account specific data to the clients. Now when a customer logs in to my website I want him to have access to his account's data and only his account data. Here is the problem; the url for a page with a standardcontroller has a Id field, such as "https//www.myforcesite.force.com/AccountViewPage?Id=a82347dod". If a user changes a few keys on the Id, it is very easy for him to access other people's account page and bypass the login process. How can I prevent that.
I opened a ticket with salesforce but they told me its working as intended. I don't think a vulnerability to a trivial brute force attack should be intended so I want to know if there are any fixes?
Create one StandardController extension and check if the logged user in your website has the permission to view that account.
http://www.salesforce.com/us/developer/docs/pages/Content/apex_pages_standardcontroller.htm
What you are looking for is URL rewriting for force.com site.
For example, let's say that you have a blog site. Without URL rewriting, a blog entry's URL might look like this: http://myblog.force.com/posts?id=003D000000Q0PcN
With URL rewriting, your users can access blog posts by date and
title, say, instead of by record ID. The URL for one of your New
Year's Eve posts might be:
http://myblog.force.com/posts/2009/12/31/auld-lang-syne