The new authentication methods are unreliable: Oauth Token constantly need to be regenerated #121

Open
mlane3 opened this issue Jul 6, 2022 · 5 comments
mlane3 commented Jul 6, 2022

Original Post

Dear @StevenMMortimer and @vancelopez,

Similar to the issues you highlighted in #117 and #120, I have faced difficulties in both the login and authentication for Salesforce. For me the breaking point was the fact that I have to constantly get a new OAuth token every two weeks and deal with the issue in #117.

Now that I am unable to easily access the data, I have decided to reach out to them on the Salesforce community forums and will make noise on Twitter. Therefore, I am making a GitHub issue to document my attempts and efforts to get Salesforce to resolve the authentication issues. I assume that both you and everyone have reached out to Salesforce. My hope is that by documenting my work, it may help with your own attempts to fix this.

Relevant Forum Posts by my organization and partner organizations:

  1. https://trailhead.salesforce.com/trailblazer-community/feed/0D54S00000EA1M1SAL
  2. https://trailhead.salesforce.com/trailblazer-community/feed/0D54S00000FQjceSAD
  3. https://trailhead.salesforce.com/trailblazer-community/feed/0D54S00000EnL81SAF
  4. https://trailhead.salesforce.com/trailblazer-community/feed/0D54S00000IQ9nfSAD

Sidebars:

  1. First, I already know about the Salesforce delay till December of 2023 and the legal document you linked to in Feature request: limit login attempts with sf_auth #117. What you may not realize is that it is not a guarantee, but a largesse. The issue is that a largesse is not a developer road map, but something to put out to avoid legal liability or being sued. It is not a guarantee that they will develop better authentication methods. Companies only develop if there is a demand.
  2. Second, I have been looking for a personal access token or service account public/private key authentication for Salesforce since November of 2020. Unless you have found something that indicates progress, then I would say at this point the issue is not important enough for them to develop an alternative.
  3. Third, Tableau already has personal access tokens instead of a server account for Tableau Online, but on the Salesforce end I have not seen the full development of personal access tokens or a server account key like what Google has. I can link you to the Tableau directions if you are curious.
  4. Fourth, as a sidebar, Google's authentication is not any better in a multi-account or multi-cloud setup because the service account has to be created by the owner or admin of the Google product (Analytics, Drive, Cloud). What is really needed is a non-IT-centric service account, but a middle account or "automation account key".
  5. Considering I have been working on this since 2020, I have tried customer service to little avail last year. So I have decided to put my continued work on this in a public forum area in order to bring resolution to the issue. My hope is that through strength in numbers, the issue will be resolved. I think Salesforce is a great company, so you might have better results by reaching out to them.
@mlane3
Author

mlane3 commented Jul 6, 2022

In fact, the only thing I ask @StevenMMortimer is if you're willing to continue what you have been doing already into researching the issue.

@StevenMMortimer
Owner

@mlane3 Thanks for sharing all of your research! I don't know if I can solve your issue, but I'll ask a few questions to see if that brings up any ideas:

  1. Does basic authentication (password+token) not work for your org? That would eliminate the need for MFA tokens.
  2. I've never encountered an issue with MFA tokens expiring every 2 weeks. I actually store an encrypted token in the repository here that gets decrypted and used by GitHub Actions. The token should automatically refresh if expired and only needs to be changed every 6 months when Salesforce requires you to change your login password. I believe the expiration is a setting in the OAuth client for your org? MFA (and possibly Okta) login help #120 (comment)

@StevenMMortimer
Owner

Hi @mlane3 – Thanks again for raising this. Let me know if you're still having issues and maybe we can troubleshoot a bit more? If I don't hear back, then I'll close this issue. Thanks!

@mlane3
Author

mlane3 commented Sep 7, 2022

@StevenMMortimer thank you for your replies. To answer your question...

  1. Basic authentication does work for all except the largest data sources which is every other week about 50,000 rows. (So yes I have roughly 50,000 users and former users)
  2. The expiration is usually tied to trying to get this data source to work or trying to log in using the account to salesforce.com. Both seem to trigger a reset. I was able to talk with IT and it should have the 8 month reset. Since looking into this issue, something is very wrong with how our Salesforce accounts are set up. We use CyberArk and Palo Alto instead of Okta.
  3. I have tried to get a response before, as you can see from the list of posts below. Because I know that this affects other open source users, I kept things personal. I know I need to leverage government resources. This is because I need to make very clear to Salesforce that at this point not having an alternative to MFA for a small number of accounts is a legal liability too great for governments to continue using their product. Governments are legally required to have open records that are easy for the public to request:

@StevenMMortimer
Owner

StevenMMortimer commented Sep 10, 2022

@mlane3 Thanks for the update and pushing forward on things. Regarding bullet 1, do you have documentation about row limits depending on authentication? I've never heard this. You should be able to query millions of records using the Bulk APIs and they do not require OAuth2.0 authentication (basic will work just fine).
