Can I use Named Credential merge fields as URL parameters on the endpoint?

I have a named credential as follows:

Name   Test_Credential
URL    https://www.somesite.com
Identity Type    Named Principal
Authentication Protocol    Password Authentication
Username   foobar
Password   mySomeSiteDeveloperKey
Generate Authorization Header   FALSE
Allow Merge Fields in HTTP Header    TRUE
Allow Merge Fields in HTTP Body     TRUE

The service that I am trying to authenticate against uses URL parameters to pass in the developer key and username. Is there any way to use Named Credential Merge Fields to pass those in to the URL?

The Named Credential attributes seem not to get decoded until the request is actually sent, as debugging the endpoint, or headers if I set them per the linked doc, show the un-merged data. I can get the callout to go to the right place, and return the expected error because the auth information is not provided. Anybody know of a “show me my HTTP request” site that I could point to to get a better idea of how this works?

I’ve tried both of these:

req.setEndpoint('callout:Test_Credential/api/action?id={!$Credential.Password}&account={!$Credential.UserName}');

req.setEndpoint('callout:Test_Credential/api/action' + '?id=' + '{!$Credential.Password}' + '&account=' + '{!$Credential.UserName}');

(Edited to remove the part about $Credential vs. $Test_Credential as I was able to determine that it is the former, and see the merged creds by calling out to this page.)

Answer

You can only use merge fields within setHeader and setBody, as the options specify. This may mean that you need to use POST with application/x-www-form-urlencoded, or arrange for a specific header to be understood by the server. Your server should NOT be accepting usernames and passwords in the query string, as this is a major security risk.

Attribution
Source : Link , Question Author : Thomas Taylor , Answer Author : sfdcfox

Leave a Comment