superfell / SoqlX

SoqlXplorer is an awesome tool for developers using the Salesforce.com platform.
https://pocketsoap.com/osx/soqlx/

App Transport Security Issue on Login #95

Closed atdfairfax closed 3 years ago

atdfairfax commented 3 years ago

I'm getting the following error when I log in:

The resource could not be loaded because the App Transport Security Policy

The server URL that I have uses the following scheme:

https://<organisation>.lightning.force.com/

Using version 3.3 on OSX Big Sur (11.0.1)

Update:

I have found some more information via the console:

Got error sending API request <NSMutableURLRequest: 0x600003daaab0> { URL: https://<org>.lightning.force.com/services/Soap/u/47.0 } : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x600003161f50 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://<org>.lightning.force.com/services/Soap/u/47.0, NSErrorFailingURLKey=http://<org>.lightning.force.com/services/Soap/u/47.0, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}

But, the URL that I supplied uses https. Any idea why this is being re-written?

superfell commented 3 years ago

Can you say what the real URL is so I can test with it? I've not been able to repro this (but I'm not on BS yet). If you don't want to post it publicly, then you can email it to me: fellforce at gmail.com

superfell commented 3 years ago

The only URL rewriting done by SoqlX is to deal with the retirement of www.salesforce.com as the login API endpoint. There's nothing that would rewrite https to http.

superfell commented 3 years ago

ping @atdfairfax

superfell commented 3 years ago

I was able to find an org with a lightning endpoint and can repro the problem.

superfell commented 3 years ago

Login requests to org.lightning.salesforce.com get redirected to http by the server, which then causes the App Transport failure on the client side, e.g.:

curl -X POST https://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0 -H "Content-type:text/xml" -v --data-binary "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' xmlns='urn:partner.soap.sforce.com'><s:Body><login/></s:Body></s:Envelope>"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 13.110.69.95...
* TCP_NODELAY set
* Connected to superfell-dev-ed.lightning.force.com (13.110.69.95) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=salesforce.com, inc.; CN=*.na138.force.com
*  start date: Mar 23 00:00:00 2020 GMT
*  expire date: Mar 24 12:00:00 2021 GMT
*  subjectAltName: host "superfell-dev-ed.lightning.force.com" matched cert's "*.lightning.force.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> POST /services/Soap/u/47.0 HTTP/1.1
> Host: superfell-dev-ed.lightning.force.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-type:text/xml
> Content-Length: 138
> 
* upload completely sent off: 138 out of 138 bytes
< HTTP/1.1 302 Found
< Date: Sat, 21 Nov 2020 22:02:51 GMT
< X-B3-TraceId: 4caf60167be0ad25
< X-B3-SpanId: 4caf60167be0ad25
< X-B3-Sampled: 0
< Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
< Set-Cookie: BrowserId=TO5AaCxFEeujI0N44WaoZQ; domain=.force.com; path=/; expires=Sun, 21-Nov-2021 22:02:51 GMT; Max-Age=31536000
< Location: http://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0
< Content-Length: 0
< 
* Connection #0 to host superfell-dev-ed.lightning.force.com left intact
* Closing connection 0

Note the 'Location: http://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0' near the end. I've not been keeping up with lightning; should login requests be going there, or should they be going to .my.salesforce.com (which does appear to work)?
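The curl trace above shows the actual problem: a 302 whose Location header points at plain http, which is exactly the downgrade ATS refuses to follow. As an added example (not part of this thread or of SoqlX), here is a small Python check that parses such a response head, resolves the Location against the request URL, and rejects an https-to-http redirect; the sample response is constructed from the headers shown above.

```python
import urllib.parse

# Constructed sample based on the 302 response in the curl trace above
# (not a live capture; only the relevant headers are reproduced).
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 21 Nov 2020 22:02:51 GMT\r\n"
    "Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private\r\n"
    "Location: http://superfell-dev-ed.lightning.force.com/services/Soap/u/47.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP/1.1 response head into (status_code, headers).
    Header names are lower-cased; the first occurrence of a name wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers


def redirect_target(request_url, raw_response):
    """Return the absolute URL a client would follow, or None if no redirect.
    A relative Location is resolved against the request URL, so it keeps https."""
    status, headers = parse_response_head(raw_response)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    return urllib.parse.urljoin(request_url, headers["location"])


def downgrades_to_http(request_url, raw_response):
    """True when following the redirect would move an https request to plain
    http. This is the condition ATS rejects (NSURLErrorDomain code -1022)."""
    target = redirect_target(request_url, raw_response)
    if target is None:
        return False
    return (urllib.parse.urlsplit(request_url).scheme == "https"
            and urllib.parse.urlsplit(target).scheme == "http")


def safe_redirect_target(request_url, raw_response):
    """Like redirect_target, but refuses to hand back an https->http downgrade."""
    target = redirect_target(request_url, raw_response)
    if target is not None and downgrades_to_http(request_url, raw_response):
        raise ValueError("refusing https->http redirect to %s" % target)
    return target
```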

superfell commented 3 years ago

Based on https://developer.salesforce.com/docs/atlas.en-us.identityImplGuide.meta/identityImplGuide/faq_domain_name_what.htm it seems like login requests should be going to <org>.my.salesforce.com not the lightning URL.

superfell commented 3 years ago

@atdfairfax did you try the org.my.salesforce.com suggestion? Did that work? What led you to think to use the lightning URL?

atdfairfax commented 3 years ago

@superfell yes, I did - you were correct; many apologies. org.my.salesforce.com works perfectly. Thank you, and I can't wait to start using it.