forcedotcom / cli

Salesforce CLI
https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/
BSD 3-Clause "New" or "Revised" License

OAuth 2.0 Refresh token flow for renewed sessions #1927

Closed Kevmo92 closed 1 year ago

Kevmo92 commented 1 year ago

Summary

Using the new sfdx auth url format I'm unsure what my client_secret is 🤔

The new auth url looks like force://<client_id>::<refresh_token>@<instance_url>, where client_id is always PlatformCLI. The old auth url looked like force://<client_id>:<client_secret>:<refresh_token>@<instance_url>, where client_id was always SalesforceDevelopmentExperience.

I'd like to be able to parse the auth url and be able to send a post request to https://login.salesforce.com/services/oauth2/token for a new access_token, but I'm unsure what the client_secret is now...

https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_refresh_token_flow.htm&type=5 <- guide for making post request

Steps To Reproduce:

  1. Authenticate with a developer edition salesforce org, sfdx auth:web:login, and run sfdx force:org:display -u username --verbose to get the auth_url
  2. auth_url doesn't contain client_secret

Expected result

Auth url contains client_secret, or the client_secret is made available for use when requesting an access token.

Actual result

Auth url no longer contains client_secret.

System Information

github-actions[bot] commented 1 year ago

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.

mshanemc commented 1 year ago

If there's not a client secret in the AuthUrl, it means that there's not one required by the ConnectedApp.

The ConnectedApp owner gets to decide if a secret is required, and our default ConnectedApp doesn't require one (it wouldn't be very secret if you were all using it and could look at it anytime 😄 )

If you create your own ConnectedApp (which you should, for more security and control, or to enable jwt) you'll be able to see the secret in Salesforce Setup.

Kevmo92 commented 1 year ago

@mshanemc Thanks for the reply! So how should I use the auth refresh token flow with an auth url that doesn't have client secret setup? https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_refresh_token_flow.htm&type=5

Kevmo92 commented 1 year ago

Oh, I see. Just omit the client_secret 😁

import os
import requests
from urllib.parse import urlparse

# The auth url is itself a credential (it carries a long-lived refresh token),
# so read it from the environment rather than hard-coding it.
auth_url = os.environ["DEV_HUB_AUTH_URL"]
url = urlparse(auth_url)
client_id = url.username
# urlparse puts everything after the first ":" of the userinfo into .password:
#   new format -> ":<refresh_token>"
#   old format -> "<client_secret>:<refresh_token>"
# so the refresh token is always the last colon-separated piece.
password = url.password.split(":")
refresh_token = password[-1]
data = {
    "grant_type": "refresh_token",
    "client_id": client_id,
    "refresh_token": refresh_token,
}
# client_secret is omitted: the default ConnectedApp does not require one.
response = requests.post("https://login.salesforce.com/services/oauth2/token", data=data, timeout=30)
response.raise_for_status()
tokens = response.json()  # contains access_token and instance_url

mshanemc commented 1 year ago

Yes!

Again, you should create your own ConnectedApp so you can have your own secret and manage the other stuff (refreshToken life policies, esp).
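To make the two auth url layouts discussed in this thread concrete, here is an added parser (example code, not from the Salesforce CLI project) that handles both the new PlatformCLI format and the old format with a client_secret, builds the refresh-token request body so that client_secret is only sent when the ConnectedApp actually has one, and produces a redacted summary that is safe to log. The sample auth urls, secret and refresh token values are constructed, not real credentials.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample auth urls (not real credentials).
NEW_STYLE = "force://PlatformCLI::5AepCONSTRUCTED.refresh@example-dev-ed.my.salesforce.com"
OLD_STYLE = ("force://SalesforceDevelopmentExperience:CONSTRUCTEDsecret:"
             "5AepCONSTRUCTED.refresh@example-dev-ed.my.salesforce.com")


@dataclass
class SfdxAuth:
    client_id: str
    client_secret: Optional[str]  # None when the ConnectedApp has no secret
    refresh_token: str
    instance_url: str


def parse_auth_url(auth_url: str) -> SfdxAuth:
    """Parse force://<client_id>:[<client_secret>]:<refresh_token>@<instance_host>."""
    url = urlparse(auth_url)
    if url.scheme != "force" or not url.username or url.password is None or not url.hostname:
        raise ValueError("not an sfdx auth url")
    # urlparse's .password is everything after the first ':' of the userinfo,
    # i.e. "<secret>:<refresh>" (old format) or ":<refresh>" (new format).
    secret, sep, refresh = url.password.partition(":")
    if not sep or not refresh:
        raise ValueError("auth url is missing the refresh token")
    return SfdxAuth(url.username, secret or None, refresh, f"https://{url.hostname}")


def refresh_request_body(auth: SfdxAuth) -> dict:
    """Form body for POST /services/oauth2/token; client_secret only if the app requires one."""
    body = {"grant_type": "refresh_token", "client_id": auth.client_id,
            "refresh_token": auth.refresh_token}
    if auth.client_secret:
        body["client_secret"] = auth.client_secret
    return body


def redact(auth: SfdxAuth) -> str:
    """Safe-to-log summary: never print the whole auth url, it is a long-lived credential."""
    return f"{auth.client_id}@{auth.instance_url} refresh_token=...{auth.refresh_token[-4:]}"


if __name__ == "__main__":
    for sample in (NEW_STYLE, OLD_STYLE):
        auth = parse_auth_url(sample)
        print(redact(auth), "->", sorted(refresh_request_body(auth)))
```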