# Authentication troubleshooting

Troubleshooting information for issues Tray customers may encounter when authenticating with key services such as Salesforce, Slack, MS Teams and Marketo.

## Why is my auth not available with a different connector version?

### Problem

You have an Authentication that is working fine for your existing workflows. However, when you try to use the same Authentication in a new workflow, it can no longer be found in the connector’s dropdown.
As it turns out, the issue is the connector version:
![no-old-auth-new-version](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/7jYL21xIy8lNrShAaK4mwU_no-old-auth-new-version.png)

### Cause

The Authentication is dependent on the connector’s version. An Authentication originally created using one version of a connector may not be compatible with all other versions. This could be due to the new version adding or changing required authentication parameters, for example. 

### Solution

Create a new Authentication specifically for the connector version you are using. To ensure it will be compatible, *only* create it using the “**New Authentication**” link in the Authenticate section of your connector:
![create-new-auth](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/4CcR72d3idNSd14WeQhSNt_create-new-auth.png)
You could also create the new authentication from within your Tray Dashboard by going to *Authentications* on the left-hand menu. However, this only allows you to create a new authentication for the latest version of a particular connector. It may not work for a different version.

## Marketo: 603 access denied

### Problem

The Marketo API returns a successful response; however, the response body contains a 603 error code with **Access Denied**.
![marketo-auth-error-output](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/7iqiSwALRCFOq4bw52kkk_marketo-auth-error-output.png)

### Cause

The above 603 error is returned from Marketo when the authentication has been successful but the user doesn’t have sufficient permission to call this API. 

### Solution

This can be resolved by logging into Marketo and following the steps below.

1. Go to Admin > Users and Roles
2. Select API User and identify what role it is assigned to (e.g. API role)
3. Go to Roles and check the permissions assigned to the API role
4. Check whether the API role is missing the 'Read-Only Activity' or 'Read-Write Activity' permission

Further information can be found in Marketo's public documentation [here](https://nation.marketo.com/t5/knowledgebase/rest-api-call-is-returning-603-error/ta-p/249694#:~:text=Error%20603%20refers%20to%20'access,assigned%20to%20the%20user%20role.).

## Salesforce: "This authentication can no longer be used \[...]"

### Intro

You may have several workflows which use different Authentications for Salesforce. After creating a new Salesforce Auth, some of your existing workflows start failing, and the [output logs](https://tray.ai/documentation/platform/enterprise-core/logs-debugging/debug-logs) show the error:
"This authentication can no longer be used because more than 5 Salesforce authentications were created. Please use a different one." 
There is a limit of 5 connections for one set of OAuth credentials for Salesforce.
However, this is not a limit imposed by Tray.

The 5 authentication limit is imposed by Salesforce. You can create as many Salesforce authentications in your Tray account as you would like. 

The Salesforce documentation says:
*"Each connected app allows five unique approvals per user. After a fifth approval is made, the oldest approval is revoked."* 
(See this link for more information about how to [Manage OAuth-Enabled Connected Apps Access to Your Data](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_request_manage.htm&type=5) as described by Salesforce).

Depending on the nature of your Salesforce account, if you exceed the limit of your allowance, some of your authentications that may be saved in Tray may become deprecated on the Salesforce end.
This is a common issue our customers face.

### Common example scenario

Say you have 5 SFDC credentials, each linked to an auth created in Tray:

* Salesforce auth 1
* Salesforce auth 2
* Salesforce auth 3
* Salesforce auth 4
* Salesforce auth 5

All of these will work.

If your teammate X decides to create a test workflow and creates a new authentication in Tray, 'Salesforce auth 6', this creates a new authentication on the Salesforce end.
Since Salesforce imposes a limit, they will invalidate the oldest credentials ('Salesforce auth 1').
Any workflows that were using 'Salesforce auth 1' will fail to connect to Salesforce.

So **Tray facilitates the creation of authentications and surfaces Salesforce's error messages; however, we do not impose the limit on our end.**

### Note for Embedded customers

If you have set a [static Salesforce auth](#) which all your End Users will be using when activating their integration, this will not cause any problems.
However, if each of your End Users is authenticating with their own SFDC account, they will be subject to the same 5 auth limitation as explained above.
Any time a user exceeds the 5 auth allowance on their own Salesforce account, they will need to log in to Salesforce and manage their authentications there. 
You can typically do this via the SFDC menu:
Platform Tools -> Apps -> Connected Apps OAuth Usage -> click on "User Count" for Tray.io.
Please contact Salesforce if you need further assistance on this. 

## Slack: 'missing\_scope' error

### Problem

Some APIs require special scopes, or permissions, to access certain operations. Slack's services are heavily scoped and your Slack authentication must contain the scopes that are required for your use case. If you are missing a scope, the Slack connector will show 'missing\_scope' in the drop-down menu of the input panel:
![slack-missing-scope](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/1hlfciP2ZiHIwPlNuo8Tih_slack-missing-scope.png)

### Solution

To resolve a 'missing scope' error when using the Slack connector, verify that you included all of the required scopes when setting up the Slack authentication. To learn more about Slack's scopes and permissions, click [here](https://api.slack.com/scopes).
A number of scopes are pre-selected for you as defaults; however, not all of the many scopes are pre-selected:
![slack-scopes](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/1pu9DHZfnMR1NC06UBwq1C_slack-scopes.png)

## Verifying MS Teams Webhook Authentication HMAC

### Intro

Learn how to verify the HMAC token provided in the MS Teams webhook authorization header to confirm the webhook is genuine.

### Example webhook

The following is a truncated example webhook from MS Teams:

```json
{
  "method": "post",
  "path": "/",
  "body": {
    "type": "message",
    "channelId": "msteams",
    "from": {
      "id": "************************************************",
      "name": "Tray_DEMO",
      "aadObjectId": "47a1xxx-xxx-xxx-xxx0cd047a"
    },
    "action": null,
    "replyToId": null
  },
  "query": {},
  "headers": {
    "accept": "application/json",
    "authorization": "HMAC wxS/p6LXGbJqVVbkP8w4e7PmbDF56Z7nOur+OeUcZtY=",
    "content-length": "1637",
    "content-type": "application/json; charset=utf-8",
    "host": "c5f58xxx-xxx-xxx-xxxb452d3.trayapp.io",
    "referer": "https://teams.microsoft.com/"
  }
}
```

### 1 - stringify the webhook body

Add the **Object helper** connector after the webhook trigger and set the operation to 'JSON stringify'. Use the connector snake to link the Source field to the webhook body\_message:
![stringify-body](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/6pbPLPEdj7RILBH5Hz0M9o_stringify-body.png)

### 2 - create a buffer of the secret

After setting up the outgoing webhook, MS Teams will provide you with a security token/secret token similar to the below:
![security-token](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/2puvlEzRd9aRZObBOBSUZ9_security-token.png)
Add a JavaScript connector to your workflow after the stringify step and paste the script below. Replace the 'YOUR\_SECRET' value with the secret provided by MS Teams.

```javascript
exports.step = function ({ foo }, fileInput) {
  // The MS Teams security token is base64 text; decode it into the raw key bytes
  const secret = 'YOUR_SECRET';
  const bufSecret = Buffer.from(secret, "base64");
  // The returned buffer is used as the Secret in the HMAC step
  return bufSecret;
};
```

### 3 - generate the HMAC token

Add the Crypto Helper connector after the previous JavaScript connector step and set the operation to 'HMAC':

* Set the Hash value to SHA256
* Pass the stringified webhook body into the Value field
* Set the Digest encoding to Base64
* Pass in the output of the JavaScript connector to the Secret field
  ![HMAC](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/6uGUv5WRsGOE2nxHFlG9v7_HMAC.png)

### 4 - prepend 'HMAC ' to the previously generated token

Add the **Text Helper** connector after the previous Crypto Helper connector with the operation set to 'Concatenate'.

* Enter 'HMAC' in the first value field and use the connector snake to link the output of the Crypto helper step to the second value field. 
* Enter a single space in the Separator field
  ![text-helper-concat-hmac](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/1MFXO6421gCcqZCOKMGUqo_text-helper-concat-hmac.png)

### 5 - compare the generated HMAC token to the token provided in the webhook header

* Add a Boolean Condition step after the previous Text Helper step.
* Link the first value to the Authorization header provided in the MS Teams webhook.
* Set the comparison step to 'Equal to'.
* Link the second value to the output of the previous Text Helper step.
* If the HMAC values do not match, the workflow should be terminated. If they do match, continue with the workflow.
  ![boolean](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/4DNb0VhhCjRvsvnmZ6Eubl_boolean.png)
  ![HMAC output](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/3k96SujIm2NPftpLtsHmVb_HMAC_output.png)
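
The five steps above as stand-alone Node.js code, added here as an example and not part of Tray's connectors. The function names, the sample secret and the sample body are constructed for illustration, and the comparison uses `crypto.timingSafeEqual` rather than a plain equality check.

```javascript
const crypto = require("node:crypto");

// Rebuild the Authorization value sent with the webhook:
// "HMAC " + base64(HMAC-SHA256(key = base64-decoded secret, msg = body text)).
function computeTeamsAuthHeader(bodyText, secretBase64) {
  const key = Buffer.from(secretBase64, "base64"); // step 2: buffer of the secret
  const digest = crypto
    .createHmac("sha256", key) // step 3: Hash = SHA256
    .update(bodyText, "utf8")  // Value = stringified webhook body
    .digest("base64");         // Digest encoding = Base64
  return "HMAC " + digest;     // step 4: prepend 'HMAC '
}

// Step 5, with two hardening details: reject malformed headers up front and
// compare in constant time so the check does not leak how many bytes matched.
function verifyTeamsWebhook(bodyText, authorizationHeader, secretBase64) {
  if (typeof authorizationHeader !== "string" ||
      !authorizationHeader.startsWith("HMAC ")) {
    return false;
  }
  const expected = Buffer.from(computeTeamsAuthHeader(bodyText, secretBase64), "utf8");
  const received = Buffer.from(authorizationHeader, "utf8");
  // timingSafeEqual throws on a length mismatch, so check the length first.
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not a real Teams token or message).
const SAMPLE_SECRET = Buffer.from("constructed-demo-secret").toString("base64");
const SAMPLE_BODY = JSON.stringify({ type: "message", channelId: "msteams", text: "hello" });
const SAMPLE_HEADER = computeTeamsAuthHeader(SAMPLE_BODY, SAMPLE_SECRET);

function demo() {
  const pretty = JSON.stringify(JSON.parse(SAMPLE_BODY), null, 2);
  return {
    genuine: verifyTeamsWebhook(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    // The HMAC covers exact bytes: the same JSON re-serialized with
    // different whitespace no longer matches the header.
    reserialized: verifyTeamsWebhook(pretty, SAMPLE_HEADER, SAMPLE_SECRET),
    missingHeader: verifyTeamsWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
  };
}

console.log(demo());
```

If a genuine webhook fails the comparison, check first whether the stringified body is byte-identical to what MS Teams sent.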

## Creating custom OAuth App for Zoom Authentication

### Intro

Create an OAuth app via the [Zoom App Marketplace](https://marketplace.zoom.us/) in order to use it as a new *Service type* for the [Zoom connector’s Authentication](https://tray.ai/documentation/connectors/service/zoom/#authentication).
**Why might you do this for your Tray workflow?**
By default, the following Service types are currently available for a new Zoom Auth:
![zoom-auth-options](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/3jnzuV0I7xQmsCvTzw1YKD_zoom-auth-options.png)
*Note, the first “Production” entry above is a duplicate and will eventually be removed. You may pick the second entry. The correct entry will ask you for the required scopes.*
The “Production” service type is suitable for most Authentications. However, some users have special account types, such as Enterprise, or have other special *permission* restrictions. With these accounts, the Auth authorization step may fail, even if you choose minimal scopes. In these cases, it may be most suitable to use a custom OAuth app, as you will have precise control over the required permissions.

### 1 - create the Zoom app

The OAuth app can be created on Zoom’s end by closely following their [docs](https://marketplace.zoom.us/docs/guides/build/oauth-app/).
Once you go to their [Marketplace](https://support.tray.io/knowledge/articles/4565311093911/Zoom%20App%20Marketplace), you can then navigate to Develop -> Build App -> OAuth. Whether you choose an Account-level or User-managed app depends on your use case. 
![create-custom-oauth-user-or-admin](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/4xxj2cLn5DWLkN5YA7zhxl_create-custom-oauth-user-or-admin.png)

### 2 - add redirect URL

When configuring the app, note that **<https://auth.tray.io/oauth2/token>** should be used for both the "*Redirect URL for Oauth*" and "*Add Allow Lists*". If the URL is not added to the allow list, you will get a redirect error.
![redirect-url](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/3tTskDdN0YK5I9hPxY7kb1_redirect-url.png)

### 3 - activate and install

Once you configure your app successfully and include all your required **scopes** (ensure you have access to all the scopes), you can go to "Activation" and you will be able to click "Install" to verify the Authorization page appears correctly, but do *not* authorize here yet. Then your app is all set up.

### 4 - create auth in Tray

Now you can go back to your Tray workflow and, in the Zoom connector’s Authentication panel, create a **New Authentication**.
Afterward, just enter your **Client ID** and **secret** from the Zoom config (see 3rd screenshot), choose the scopes you want for this Auth, then "Create Authentication".

## Resolving Third-Party App Blockage

### Problem

Encountering issues while authenticating with your service, especially while integrating a third-party app like Tray.io, may result from your service blocking the application.
For example, when integrating a third-party app like Tray.io, Salesforce may block the application.
![auth-unblock-an-app-in-salesforce](https://tray.ai/documentation/images/help/troubleshooting/authentication-troubleshooting/1fNAhl8AKp58C8M9QCg6X5_auth-unblock-an-app-in-salesforce.png)

### Cause

Specific organizational security policies can automatically block third-party apps that administrators have not pre-authorized. This is a standard precaution to prevent unauthorized access.

### Solution

Just ask your admin to unblock you.
Exactly how this is done will depend on the third-party admin UI (see the Salesforce example screenshot above).
