Open renjithpaul27 opened 4 years ago
Unless addressed, this integration wrapper will stop working after the February 15th 2021 Spring Release. @mneedham91 any thoughts? Has anyone from Pardot reached out to assist or advise?
Salesforce documentation identifies several alternative OAuth workflow options for replacing the current Pardot UID/pwd based approach. In the likelihood that there will not be a 'one size fits all' solution, anticipate need for 'Authorization Option' parameter for this wrapper that supports various options as they are implemented, including backward compatibility to the current approach.
I am working with a client that is already using SSO Salesforce UID/Pwd for interactive access to Pardot and evaluating options for making the Pardot API (and this wrapper) work. The Pardot API authentication page includes an example using this workflow with a mild caveat on its use. The following from the above referenced Salesforce documentation page includes much stronger language concerning the risks of using this option:
> **OAuth 2.0 Username-Password Flow for Special Scenarios**
>
> You can use the username-password flow to authorize a client—via a connected app—that already has the user’s credentials.
>
> However, we recommend avoiding this flow because it passes credentials back and forth. Use it only if…
>
> - there is a high degree of trust between the resource owner and the client,
> - the client is a first-party app,
> - Salesforce is hosting the data,
> - and other grant types aren’t available.
>
> In these cases, set user permissions to minimize access and protect stored credentials from unauthorized access.

That said, I "think" my client has other Salesforce API activity using this OAuth workflow, so may end up going with this approach. Intend to assign a "custom role" to UID used in the API with read-only access to address concerns raised above. (FYI - I did notice that the Java version of the Pardot API Wrapper went with this option. From quick glance, it looks like they've incorporated some UID/pwd masking functionality in the code.)
I intend to have our solution implemented in late Jan/early Feb timeframe.
fyi - @mneedham91
I've confirmed that my client is using the Salesforce UID/Pwd OAuth workflow for their other non-Pardot Salesforce API activity. However, they are encrypting and storing the pwd/uid in an Azure AD vault, using a departmental (vs enterprise std) approach that includes unrelated (to my efforts) tech stack components. Consequently, have just started looking at AWS Encryption SDK as a possibly generic option that others here may wish to leverage. It's available in a Python library, free, and entirely client side - no requirement to use AWS. See AWS Encryption SDK for info. I'm going to continue to investigate, but will need to clear this approach with the client's security team after the holidays.
fyi - @mneedham91
By the way, I did have the client raise this topic with their Salesforce support contact. Their response was to reference this issue.
In case people need something that works before the Feb 15, 2021 deadline, here is an example implementation:
https://github.com/anelendata/PyPardot4/commit/bef7422f5dfbfc1ca30b73cc22bd9a89352d1ed8
By default, the token does not expire until revoked. So, the easiest would be to manually obtain token like the way scripted in setup_salesforce_auth_keys() method in this commit. The code in this commit also allows instantiating the class with token & business_unit_id.
~~By the way, the branch contains the support for v3 API (as addressed in #43 ) and Bulk Prospect Import API feature (*): https://github.com/anelendata/PyPardot4/tree/sfauth~~
Update: I forked and released PyPardotSF: https://github.com/anelendata/PyPardotSF
(*) Bulk Import API (v3): https://developer.pardot.com/kb/api-version-3/import/
Just realized that I was confused about the refresh token policy. The refresh token doesn't expire by default but the token will expire if you do not use it for a while. So one way is to store refresh_token, consumer_key, and consumer_secret to obtain the token in the first call. (code: https://github.com/anelendata/PyPardot4/commit/81e72349dac12d04924b69b53b4a0320fce61b63#diff-74771ec4a270fac563e3db312b4383c44598a049af2871431a456501b85553ef)
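Added example, not part of the thread and not code from PyPardot4 or PyPardotSF: one way to keep `refresh_token`, `consumer_key` and `consumer_secret` out of source code, exchange them for an access token on the first call, and redact them before logging. The environment variable names, the `post` callable (for instance a thin wrapper around `requests.post(url, data=form).json()`) and the `max_age` value are assumptions.

```python
import os
import time

# Salesforce OAuth 2.0 token endpoint (production login host).
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
SECRET_FIELDS = ("client_secret", "refresh_token", "access_token")
ENV_NAMES = ("SF_CONSUMER_KEY", "SF_CONSUMER_SECRET",
             "SF_REFRESH_TOKEN", "PARDOT_BUSINESS_UNIT_ID")  # assumed names


def load_credentials(env=os.environ):
    """Read secrets from the environment; fail loudly if any is missing."""
    missing = [n for n in ENV_NAMES if not env.get(n)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {n: env[n] for n in ENV_NAMES}


def redact(fields):
    """Return a copy of a request/response dict that is safe to log."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in fields.items()}


class PardotSession:
    """Caches the access token and renews it with the refresh-token grant."""

    def __init__(self, creds, post, max_age=3600, clock=time.monotonic):
        # post(url, form) -> dict is injected so no network is needed to test.
        self.creds, self.post = creds, post
        self.max_age, self.clock = max_age, clock  # max_age is an assumption
        self._token, self._issued = None, 0.0

    def refresh_form(self):
        return {"grant_type": "refresh_token",
                "client_id": self.creds["SF_CONSUMER_KEY"],
                "client_secret": self.creds["SF_CONSUMER_SECRET"],
                "refresh_token": self.creds["SF_REFRESH_TOKEN"]}

    def access_token(self, force=False):
        stale = self.clock() - self._issued > self.max_age
        if force or self._token is None or stale:
            reply = self.post(TOKEN_URL, self.refresh_form())
            if "access_token" not in reply:
                raise RuntimeError("refresh failed: " + str(reply.get("error", "unknown")))
            self._token, self._issued = reply["access_token"], self.clock()
        return self._token

    def headers(self, force=False):
        # Pass force=True to retry once after an invalid access_token error.
        return {"Authorization": "Bearer " + self.access_token(force),
                "Pardot-Business-Unit-Id": self.creds["PARDOT_BUSINESS_UNIT_ID"]}
```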
Daigo, This is awesome!! Thank you for level of detail re. the connected app configuration.
Btw, I'm deciding whether to permanently fork PyPardot4 to release a package (with some other name and after code & doc clean up) that handles both ver 3 & 4 API and Salesforce OAuth described above. It also supports Import API to batch upload the prospects (my main motivation for the fork). Currently available on this branch: https://github.com/anelendata/PyPardot4/tree/sfauth
Update: I forked and released PyPardotSF: https://github.com/anelendata/PyPardotSF
Daigo, I'm successfully getting the token & refresh token. Am I correct in thinking I need to manually execute the post method to get headers built before I can do anything else? If so, can you provide example? What I'm really asking for is updated "Using it is simple" example as in the readme for original. (Apologies - brand new to python, but appreciating opportunity to learn on your code).
@skpadgett: Let's move this discussion to https://github.com/anelendata/PyPardotSF. I'm not sure if the authors of Pypardot4 are active or willing to make further changes and I don't want to annoy the people on this repo. I updated the README, addressing your question on the new repo. Thx!
Hi @daigotanaka, I tried your package PyPardotSF. I can get the new access token with the refresh token, however the access token does not work. For example, when I ran `p.prospects.read_by_email(email=a_test_email)`, I got this error: `pypardot.errors.PardotAPIError: Error #184: access_token is invalid, unknown, or malformed`. Would you mind verifying if the package works well for you now? Thanks.
Hi, do you know if this issue would be resolved by Feb 15th or should we start looking for alternatives?
Hi @gaoqiang-zhuo
It's been working fine for me. Did you follow the steps described on PardotSF README.md? Anyways, let's take this discussion to the forked repo. Please feel free to file an issue after you confirm the steps described in the README.
@mneedham91 is this repo still maintained?
Hi @daigotanaka I followed the steps in readme again, and it works now. Thank you so much!
As per pardot documentation, "In the Spring '21 and later releases of the Pardot API, authentication with the API key / user key will not be supported".
How is pypardot4 going to be impacted by this?