Find your content:

Search form

You are here

Secure Communication from Managed Package Subscriber Org to LMO (License Management Org)


Unfortunately, my managed package needs the ability to enforce a limit that isn't a user license. Therefore, I need my managed package, installed in subscriber orgs, to ask my LMO (License Management Org) for permission to perform a specific action. This will undoubtedly involve the subscriber org making an HTTPS callout with its Org Id to my LMO.

My thinking is that I'd create a REST method in my LMO, along with an API Only user that had access to just this REST method and nothing else. The "credentials" for this API Only user would be stored in my managed package Apex code, and thus would not be accessible to subscribers of my package. I'd rather not store a user name/password/security token combo, so I'm thinking I'd use a refresh token.

I'm fairly certain OAuth, in general, is the answer here, but I'd like to nail down a specific implementation.

Attribution to: mjgallag

Possible Suggestion/Solution #1

IMO, this is a false distinction that I see very often. There's really no difference between a user/pass/token and an unrestricted oauth token. A credential is a credential and, if a piece of information allows you to establish your identity (authn) in some way, then it's a credential. In some cases, an oauth token can actually be a more powerful credential than user/pass since they could allow you to do things like bypass IP restrictions. There are certain scenarios where different credentials imply different authorization schemes but I don't think that applies here.

As far as general product architecture, I'd recommend packaging a protected custom setting with your application that serves to hold a credential to the org in which you'd like to manage these entitlements. It could be a oauth token, user/pass, random string, etc. You could use a post-install script to call out to your management org and perform a registration operation to obtain this credential and store it in your protected, managed custom setting.

If it were me, I'd use a random, customer-specific string as the credential and associate that string with an Account record where I store information on that customer. I'd then create a VF page and Apex controller published to a Site so I could accept unauthenticated requests. The controller would pull the customer key out of a HTTP header and look up the appropriate account record using that key.

If you used the shared oauth token or user/pass approach linked to a real user account, you'd essentially be creating a group account than can login to your management org but is shared by all of your customers (even though they shouldn't be able to access the credential in theory).

Attribution to: Brian Soby

Possible Suggestion/Solution #2

@mjgallag I don't think the install script would create another step for the customer. Post install scripts are run automatically and it should be transparent to the customer. I wouldn't recommend the salted hash with a secret salt since it's not an accepted cryptographic solution and it still comes down to the confidentiality of the code, which is consider a bad strategy in general for a number of reasons.

As far as weathering a denial of service against your Site request limits, I don't know the function or purpose of your application but I'd suggest failing open in the case of the management organization not being available. Highly available designs tend to be expensive and complicated. You could certainly have a list of entitlement verification endpoints (SFDC, EC2, Rackspace, etc) but it's probably not worth it.

Unless allowing users to temporarily perform unlicensed actions will make or break your company, I don't think it's worth the headache to design a highly available system here.

Attribution to: Brian Soby
This content is remixed from stackoverflow or stackexchange. Please visit

My Block Status

My Block Content