Resource Owner Password Credentials Authentication Failure

Tobias Lohr edited this page Mar 10, 2022 · 4 revisions

What is this about?

This document describes the changes required due to a possible failure of an authentication attempt using the OAuth resource owner password credentials grant from Account Manager.

If the scenario described below applies to you, this document is helpful for you. In this case please continue reading:

  • You authenticated against Account Manager using API client credentials AND user credentials combined, and the attempt failed with the error Error: Authentication failed: Resource owner authentication failed

The reason for this failure is that the MFA verification method in use is TOTP (time-based one-time password) rather than the Salesforce Authenticator app with push notifications to your mobile device.

Why would you do this?

When users in your Account Manager org are enrolled for MFA and you use an MFA verifier other than Salesforce Authenticator, authentication with client credentials and user credentials combined is blocked. Attempting to run the auth (e.g. through sfcc-ci, specifically the command sfcc-ci client:auth <client_id> <client_secret> <username> <user_password>) then fails, and sfcc-ci returns the following error:

Error: Authentication failed: Resource owner authentication failed

How is it being done?

There are two options on how to fix this issue:

  • You can change your MFA verifier and move to the Salesforce Authenticator app, which supports push notifications to your mobile device. However, this does not necessarily support automation use cases; or
  • (Recommended, as it supports automation) you can move to an authentication with API client credentials only (described in detail below).

To move from a combined authentication using API client credentials AND user credentials together to an authentication using only API client credentials the following steps are required:

  1. Ensure you understand which operations in the Salesforce Commerce Cloud Platform you perform through the CLI after you run the authentication. Most likely it is managing On-Demand Sandboxes (all commands starting with sfcc-ci sandbox:, for example sfcc-ci sandbox:create) or User Management (all commands starting with sfcc-ci user:, for example sfcc-ci user:create).
  2. Adjust the permissions of your API client: As you will no longer use the user credentials, but only the API client credentials, you have to make sure your API client has sufficient privileges to perform the operations. Based on the operations identified under #1, you have to grant your API client
    1. the role "Sandbox API User" with the relevant scope (in case of managing On-Demand Sandboxes for your realm(s)) and/or
    2. the role "Account Administrator" (in case of managing users in your org) - doing so may require opening a Support Case
  3. Adjust the authentication command in the CLI: Replace sfcc-ci client:auth <client_id> <client_secret> <username> <user_password> with sfcc-ci client:auth <client_id> <client_secret>
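The two grants behind the two sfcc-ci commands above, as an added example that is not part of the sfcc-ci project: the resource owner password credentials grant sends the user's credentials in the form body (the request MFA/TOTP blocks), while the client credentials grant sends only the grant type and relies on the API client's own privileges. The token endpoint URL is an assumption to be confirmed for your org; the parameter names follow RFC 6749 sections 4.3 and 4.4.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed Account Manager token endpoint; confirm it for your org before use.
TOKEN_URL = "https://account.demandware.com/dwsso/oauth2/access_token"


def build_token_request(client_id, client_secret, username=None, password=None):
    """Return (headers, form_body) for an Account Manager token request.

    With a username and password this is the resource owner password
    credentials grant (RFC 6749 section 4.3), which a TOTP-enrolled user
    cannot complete non-interactively. Without them it is the client
    credentials grant (section 4.4), which needs only the privileges
    granted to the API client itself (the "Sandbox API User" or
    "Account Administrator" role from step 2). The client authenticates
    with HTTP Basic in both cases, so the secret never goes in the body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if username is None:
        form = {"grant_type": "client_credentials"}
    else:
        form = {"grant_type": "password", "username": username, "password": password}
    return headers, urllib.parse.urlencode(form)


def fetch_token(client_id, client_secret, username=None, password=None):
    """POST the request and return the decoded JSON token response."""
    headers, body = build_token_request(client_id, client_secret, username, password)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_form(body):
    """Decode a form body back into a dict, useful for inspecting a request."""
    return dict(urllib.parse.parse_qsl(body))
```

After migrating, verify that the token request no longer carries a username or password field; only the grant type should remain in the body.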