why client_id and client_secret are mandatory for user and password auth? #283

Open
runa opened this issue Jan 19, 2017 · 8 comments

runa commented Jan 19, 2017

Hi!
I'm having a lot of trouble authenticating to Salesforce using username and password (I'm receiving the infamous Restforce::AuthenticationError: invalid_client_id: client identifier invalid error).

We have another app connected to Salesforce, using the same credentials, which is working without problems (it's using the simple-salesforce Python library).

I was wondering why client_id and client_secret are optional in simple-salesforce while mandatory in restforce even when using user and password auth.

I'm not sure if this might be related to my client identifier invalid error, but I'm out of clues here.

PS: I've tried to set the instance hostname as host: eu6.salesforce.com without luck.

Thanks

@sicktastic
Collaborator

Do you have a sample code?

@timrogers
Collaborator

I'm afraid I don't know why this is - your best bet would be trying to compare the requests Restforce and simple-salesforce make, or maybe reading into the Salesforce API docs and their authentication schemes. I might get a chance to look at some point, but I can't imagine this will be that hard to find out with a bit of research.

Author

runa commented Jan 20, 2017

@antwonlee sorry, sample code for the mandatory client_secret or the code yielding the client identifier invalid error?

r9b9rt commented Jan 27, 2017

The reason is that Salesforce requires these parameters for OAuth, and that is what Restforce uses to authenticate.

https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Obtaining_a_Token_in_an_Autonomous_Client_.28Username_and_Password_Flow.29

dangerp commented May 19, 2017

@r9b9rt that documentation seems to conflict with https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_username_password_oauth_flow.htm, which states:

client_secret: The Consumer Secret from the connected app definition. Required unless the Require Secret for Web Server Flow setting is not enabled in the connected app definition.

This would imply that the client_secret is not always required, depending on the settings for the connected app. However, after some initial testing I could not get a successful auth without the client_secret after deselecting that option in the connected app settings, so it appears that either this documentation is incorrect or I'm doing something wrong.

SFDC-AaronKulick commented Jul 24, 2020

I apologize for raising this old issue, but with API users configured properly, client_id and client_secret are indeed optional. In such cases, the request is not OAuth-based. It would be nice if the library did support this.

SFDC-AaronKulick commented Jul 24, 2020

Here is a request response showing such an authentication request:

```
Host: login.salesforce.com
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
content-type: text/xml
charset: UTF-8
SOAPAction: login
Content-Length: 889

send: '<?xml version="1.0" encoding="utf-8" ?>
        <soapenv:Envelope
                xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                xmlns:urn="urn:partner.soap.sforce.com">
            <soapenv:Header>
                <urn:CallOptions>
                    <urn:client>RestForce</urn:client>
                    <urn:defaultNamespace>sf</urn:defaultNamespace>
                </urn:CallOptions>
                <urn:LoginScopeHeader>
                    <urn:organizationId>XXXXXXXXXX</urn:organizationId>
                </urn:LoginScopeHeader>
            </soapenv:Header>
            <soapenv:Body>
                <urn:login>
                    <urn:username>XXXXXXXXXX</urn:username>
                    <urn:password>XXXXXXXXXX</urn:password>
                </urn:login>
            </soapenv:Body>
        </soapenv:Envelope>'

reply: 'HTTP/1.1 200 OK'
```
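
The two login requests compared in this thread, built side by side in Ruby without sending anything. This is an added example, not code from Restforce, simple-salesforce or any commenter; the helper names, the SOAP endpoint path, the `api_version` default and the sample values are assumptions, and the SOAP envelope is trimmed to the fields that carry credentials.

```ruby
require 'uri'

XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&apos;' }.freeze

# Escape a value for an XML text node so & or < in a password cannot alter the envelope.
def xml_text(value)
  value.to_s.gsub(/[&<>"']/, XML_ESCAPES)
end

# OAuth 2.0 username-password flow: names the connected app as well as the user.
def oauth_password_request(client_id:, client_secret:, username:, password:)
  body = URI.encode_www_form(grant_type: 'password', client_id: client_id, client_secret: client_secret,
                             username: username, password: password)
  { url: 'https://login.salesforce.com/services/oauth2/token',
    headers: { 'Content-Type' => 'application/x-www-form-urlencoded' }, body: body }
end

# SOAP login shaped like the capture in the thread (CallOptions omitted); path and api_version are assumptions.
def soap_login_request(username:, password:, organization_id:, api_version: '49.0')
  body = <<~XML
    <?xml version="1.0" encoding="utf-8" ?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:urn="urn:partner.soap.sforce.com">
      <soapenv:Header>
        <urn:LoginScopeHeader>
          <urn:organizationId>#{xml_text(organization_id)}</urn:organizationId>
        </urn:LoginScopeHeader>
      </soapenv:Header>
      <soapenv:Body>
        <urn:login>
          <urn:username>#{xml_text(username)}</urn:username>
          <urn:password>#{xml_text(password)}</urn:password>
        </urn:login>
      </soapenv:Body>
    </soapenv:Envelope>
  XML
  { url: "https://login.salesforce.com/services/Soap/u/#{api_version}",
    headers: { 'content-type' => 'text/xml', 'SOAPAction' => 'login' }, body: body }
end

# Names of the credential fields a built request carries, in the order they appear.
def credential_fields(request)
  return request[:body].scan(%r{<urn:(organizationId|username|password)>}).flatten if request[:headers]['SOAPAction']
  URI.decode_www_form(request[:body]).map(&:first) - ['grant_type']
end

# Constructed sample values, not real credentials.
demo = { username: 'user@example.com', password: 'p&ss<word' }
puts credential_fields(oauth_password_request(client_id: 'CID', client_secret: 'SECRET', **demo)).inspect
puts credential_fields(soap_login_request(organization_id: '00D000000000000', **demo)).inspect
```

The OAuth request carries a long-lived `client_secret` that must be stored alongside the user's password, while the SOAP request carries only the user's credentials, so the two paths differ in which secrets a deployment has to protect and rotate.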

@dylandechant

Also raising this old issue: is there still not a way to use username+password without client_id and client_secret?
