I'm trying to connect to the Salesforce SOAP API using JSForce
const connection = new jsforce.Connection({
loginUrl: "https://customdomain.my.salesforce.com",
});
await connection.login(username, password);
When I run this I get the following error
Error: INVALID_LOGIN: Invalid username, password, security token; or user locked out.
at /Users/juancaicedo/code/calm/salesforce-poc/node_modules/jsforce/lib/connection.js:1552:13
at tryCallOne (/Users/juancaicedo/code/calm/salesforce-poc/node_modules/promise/lib/core.js:37:12)
at /Users/juancaicedo/code/calm/salesforce-poc/node_modules/promise/lib/core.js:123:15
at flush (/Users/juancaicedo/code/calm/salesforce-poc/node_modules/asap/raw.js:50:29)
at processTicksAndRejections (internal/process/task_queues.js:75:11)
(Use `node --trace-warnings ...` to show where the warning was created)
Is this an okay way to authenticate, or should I do something else? I've seen mention of a security token elsewhere, is that preferred?
Notes
I'm able to log on to the Salesforce UI successfully using these credentials ✅
I would be open to using another Node.js library, but do need to use the SOAP API (using the REST API would not be sufficient).
Some Salesforce orgs require the security token to be passed as well. You might find your token and try passing that in your API call.
https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_concepts_security.htm
If you are using jsforce within salesforce, in that case, you can get a connection object directly by using the following snippet:
var conn = new jsforce.Connection({ accessToken: '{!$Api.Session_Id}' });
If you want to connect from the external system you can go with either of the ways:
Using Access Token and instance URL
Using username and password
specifying keys according to your respective library.
Note: If you are following username and password flow, in that case, you have to append a security token at the end of the password in order to achieve a successful authentication. You can get that security token by going to your user salesforce settings.
For node JS you can refer this package:
https://www.npmjs.com/package/node-salesforce
Related
I'm trying to get a token for the current logged in user, using MSAL.NET
I'm getting a reference to PublicClientApplication, using the following API:
_clientApp = PublicClientApplicationBuilder.Create(ClientId)
.WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
.WithBroker()
.WithDefaultRedirectUri()
.Build();
Then, later in the code, I'm trying to call AcquireTokenSilent with the following code:
var firstAccount = Microsoft.Identity.Client.PublicClientApplication.OperatingSystemAccount;
authResult = await _clientApp.AcquireTokenSilent(scopes, firstAccount)
The call to AcquireTokenSilent thow an exception, with the following details:
Microsoft.Identity.Client.MsalServiceException
HResult=0x80131500
Message=WAM Error Microsoft.Identity.Client.Platforms.Features.WamBroker.AadPlugin
Error Code: WAM_aad_provider_error_3399614466
Error Message:
WAM Error Message: V2Error: invalid_request AADSTS90002: Tenant '75950cd6-4468-4918-b750-966c6b4fa3d1' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
Interestingly, the SID '75950cd6-4468-4918-b750-966c6b4fa3d1' is NOT my tenant ID, and actually, I do not have this string anywhere in my code.
In the application registration, I set up the redirect URI to:
ms-appx-web://microsoft.aad.brokerplugin/<my application SID>. The application is registered for domain only, and the my device is domain joined.
What am I doing wrong?
Update
Answer a comment from #Sridevi.
I'm following this demo almost to the letter: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-windows-desktop
With the following changes:
As a redirect URI, I wrote: ms-appx-web://microsoft.aad.brokerplugin/<client SID>
When building the MSAL application, I added .WithBroker() as mentioned above
For firstAccount, I do not take the first account from the list of acounts as in the tutorial (it is empty the first time), but I'm using the enum OperatingSystemAccount, mentioned above as well.
I would appreciate a sample or tutorial for getting this token otherwise.
I'm new to Snowflake and my objective is to use the SQL API to execute queries.
Using curl I'm able to create an access token and a refresh token. I can then use the access token in the snowsql connection parameter "--token" to start a snowsql session and execute SQL statements. This all works fine.
However, when I try to use curl to POST a request to the /api/statements endpoint (as documented on https://docs.snowflake.com/en/developer-guide/sql-api/guide.html#example-of-a-request) and I use the same access token, then I'm getting an "JWT token is invalid" error.
Am I missing something here? Do I need to generate and use a different access token for the SQL API than the one I can use with snowsql?
If so, how can I generate such access token?
Any idea or hint is greatly appreciated.
Thanks.
There are 2 mechanisms for authorizing the users for SQL API, one is the External Oauth and the other is key-pair mechanism.
From what I presume, it seems that you have used the External OAuth token for Key pair auth for SQL API hence the error is seen.
In the SQL API request that is being tested, remove this line:
-H "X-Snowflake-Authorization-Token-Type: KEYPAIR_JWT" \
Now, run the curl command and it should work successfully.
When no parameter value for Auth token type is passed, it defaults to external OAuth.
We recently made a switch from Implicit Grant Flow to Authorization Code Flow with PKCE for our application, and now we're having some trouble getting access tokens from Azure AD from Postman. The app is registered in Azure AD and we're basically using the Postman procedure described here: https://developer.mypurecloud.com/api/rest/postman/index.html#enable_authorization. Calling the https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize endpoint works ok, but it hits an error when calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token:
"Error: Cound not complete OAuth 2.0 token request: "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests.\r\nTrace ID: 8253f622-3425-4d0a-817c-281f86097300\r\nCorrelation ID: 9d84460f-ec02-4ace-af03-14d948e3d4ad\r\nTimestamp: 2020-04-15 14:02:03Z"
This is the access token request:
How can we get access tokens from Azure AD using Postman with this authorization flow?
Apparently this is a problem as the documentation is confusing.
Over the Azure Active Directory App Registration. Make sure you add the redirect url over the "Mobile and desktop applications" category.
When you read the documentation looks like you need to add the Redirect URL under the Single Page Apps. It even shows confirmation message saying "Your Redirect URI is eligible for the Authorization Code Flow with PKCE." but is not true.
This error can occur when the "Origin" header is missing from the request (see: GitHub comment).
Try adding the header:
Origin: http://localhost
If you're experiencing this failure whilst trying to authenticate using Postman, ensure that you have a platform authentication for Web.
Go to Azure AD > App Registrations > {your app reg} > Authentication > Add a platform. Redirect URI should be https://oauth.pstmn.io/v1/callback when using the browser.
For me I was trying update the MSAL v1 implementation to v2 implementation where I got this issue. After doing migration from web to SPA in the Azure where it clearly takes about the same fixed my issues.
https://learn.microsoft.com/en-us/answers/questions/315313/azure-app-registration-causing-the-following-error.html
https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser#implicit-flow-vs-authorization-code-flow-with-pkce
To get an refresh_token you have to add "offline_access" to the scope.
The documentation of the response to the access token request says:
An OAuth 2.0 refresh token. The app can use this token acquire additional access tokens after the current access token expires. Refresh_tokens are long-lived, and can be used to retain access to resources for extended periods of time. For more detail on refreshing an access token, refer to the section below.
Note: Only provided if offline_access scope was requested.
Documentation
I was able to resolve this by doing the following:
Within the Azure Portal:
Navigate to the App Registration that you are using for your protected API.
Next, navigate to the Authentication blade within the Manage menu.
Within your Single-page application platform, add the following Redirect URI, https://oauth.pstmn.io/v1/callback.
Save these changes within the Azure Portal.
Next, within Postman's New Token Configuration:
Manually set the Callback URL to the same URI specified above (i.e. https://oauth.pstmn.io/v1/callback).
Once the above are done, clear your cookies from within Postman, and re-attempt retrieval of the token.
Follow these steps:
In your registered app, add platform for mobile and desktop application like below image:
Get your code which will be redirected to https://login.live.com/oauth20_desktop.srf?code=<code>.
If you are using Postman to get token so cross origin issue chances can be there. So try below php code to get token:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://login.microsoftonline.com/{tenenat-id}/oauth2/v2.0/token");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
"grant_type=authorization_code&code={auth-code}&client_id={client-id}&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&redirect_uri=https://login.live.com/oauth20_desktop.srf");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$server_output = curl_exec($ch);
curl_close ($ch);
var_dump($server_output);
1.You should first get the code in the browser,Enter the following request information in the browser address bar:
2.Then enter the obtained code and other request information in postman, you will get the access token
3.Please check: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
I am trying to delete a user from a realm using keycloak admin client api.
I am following an example from here:
https://gist.github.com/thomasdarimont/43689aefb37540624e35
Here is what my code looks like:
Keycloak kc = KeycloakBuilder.builder().serverUrl("https://localhost:8445/auth")
.realm("sensorcloud-auth").username("admin").password("admin").clientId("admin-cli")
.clientSecret("b6b4f0ec-9936-46a2-9f40-69c207e2e0f2")
.resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()).build();
kc.realm("sensorcloud-auth").users().get("a3fdac49-f7eb-4be7-a81f-b48b09a6694c").remove();
I can login to keycloak admin console using username admin and password admin, and I am pretty sure there is no typo with other parameters, but every time when I try to delete the user with that userId, I will be given a 401 Unauthorized error. Can someone help me figure out what is going on?
Not sure which version of keycloak admin client api you are using, with current API there is no remove operation.
It should be kc.realm(realmName).users().delete(id) . You can check the REST API for Delete User
We kept getting HTTP 401 status code responses when the hostname stamped on the iss field of the bearer's/user's access token had a different case i.e. lowercase vs. uppercase than the url used to post an HTTP request to keycloak's token endpoint.
While creating Keycloak instance, Realm should be master realm.
After creating instance with Master Realm, you can delete the user by using your code.
In my scenario, the user grants permission for my AAD application to read their email from time to time in a server process using the Microsoft Graph API. At the time the user grants permission, I am getting a token using authContext.GetAuthorizationRequestURL and authContext.AcquireTokenByAuthorizationCodeAsync. Thereafter, whenever I need an access token, I execute the following:
TokenCache tokenCache; // deserialized
AuthenticationContext authContext = CreateAuthContext(authority, tokenCache);
AuthenticationResult authResult = await authContext.AcquireTokenAsync(
resource,
new ClientCredential(clientId, clientKey));
return authResult.AccessToken;
Unfortunately calling MS Graph APIs with the resulting accesstoken returns a 403(Forbidden).
I get the impression I am not calling the right flavor of AcquireToken*() with the right information. Anyone familiar with this scenario?
The overload of AcquireTokenAsync indicated in the question will fetch an app-only token. An overload of AcquireToken that accepts ClientCredential and UserIdentifier parameters is what is needed, but unfortunately, such an overload does not exist.
However, you can keep using the access token till it expires (check using AuthenticationResult.ExpiresOn) and then use AuthenticationResult.RefreshToken with AcquireTokenByRefreshTokenAsync API to get new a access token.