Auth updates - add client credentials flow, remove username password flow

Author: ppandit-sfdc

README.md

@@ -12,7 +12,7 @@ Use of this project with Salesforce is subject to the [TERMS OF USE](./TERMS_OF_
 - [Azul Zulu OpenJDK 17.x](https://www.azul.com/downloads/?version=java-17-lts&package=jdk#zulu)
 - Docker support like [Docker Desktop](https://docs.docker.com/desktop/)
 - A salesforce org with some DLOs or DMOs with data and this feature enabled (it is not GA)
-- A [connected app](#creating-a-connected-app)
+- An [External Client App](#creating-an-external-client-app)
 
 ## Installation
 The SDK can be downloaded directly from PyPI with `pip`:
@@ -58,7 +58,7 @@ This will yield all necessary files to get started:
   * `config.json` – This config defines permissions on the back and can be generated programmatically with `scan` CLI method.
   * `entrypoint.py` – The script that defines the data transformation logic.
 
-A functional entrypoint.py is provided so you can run once you've configured your connected app:
+A functional entrypoint.py is provided so you can run once you've configured your External Client App:
 ```zsh
 cd my_package
 datacustomcode configure
@@ -175,26 +175,26 @@ Display the current version of the package.
 Configure credentials for connecting to Data Cloud.
 
 **Prerequisites:**
-- A [connected app](#creating-a-connected-app) with OAuth settings configured
+- An [External Client App](#creating-an-external-client-app) with OAuth settings configured
 - For OAuth Tokens authentication: [refresh token and core token](#obtaining-refresh-token-and-core-token)
 
 Options:
 - `--profile TEXT`: Credential profile name (default: "default")
-- `--auth-type TEXT`: Authentication method (`oauth_tokens` or `username_password`, default: `oauth_tokens`)
+- `--auth-type TEXT`: Authentication method (default: `oauth_tokens`)
+  - `oauth_tokens` - OAuth tokens with refresh_token
+  - `client_credentials` - Server-to-server using client_id/secret only
 - `--login-url TEXT`: Salesforce login URL
 
-For Username/Password authentication:
-- `--username TEXT`: Salesforce username
-- `--password TEXT`: Salesforce password
-- `--client-id TEXT`: Connected App Client ID
-- `--client-secret TEXT`: Connected App Client Secret
-
 For OAuth Tokens authentication:
-- `--client-id TEXT`: Connected App Client ID
-- `--client-secret TEXT`: Connected App Client Secret
+- `--client-id TEXT`: External Client App Client ID
+- `--client-secret TEXT`: External Client App Client Secret
 - `--refresh-token TEXT`: OAuth refresh token (see [Obtaining Refresh Token](#obtaining-refresh-token-and-core-token))
 - `--core-token TEXT`: (Optional) OAuth core/access token - if not provided, it will be obtained using the refresh token
 
+For Client Credentials authentication (server-to-server):
+- `--client-id TEXT`: External Client App Client ID
+- `--client-secret TEXT`: External Client App Client Secret
+
 ##### Using Environment Variables (Alternative)
 
 Instead of using `datacustomcode configure`, you can also set credentials via environment variables.
@@ -207,7 +207,7 @@ Instead of using `datacustomcode configure`, you can also set credentials via en
 |----------|-------------|
 | `SFDC_LOGIN_URL` | Salesforce login URL (e.g., `https://login.salesforce.com`) |
 | `SFDC_CLIENT_ID` | External Client App Client ID |
-| `SFDC_AUTH_TYPE` | Authentication type: `oauth_tokens` (default) or `username_password` |
+| `SFDC_AUTH_TYPE` | Authentication type: `oauth_tokens` (default) or `client_credentials` |
 
 **For OAuth Tokens authentication (`SFDC_AUTH_TYPE=oauth_tokens`):**
 | Variable | Description |
@@ -216,13 +216,6 @@ Instead of using `datacustomcode configure`, you can also set credentials via en
 | `SFDC_REFRESH_TOKEN` | OAuth refresh token |
 | `SFDC_CORE_TOKEN` | (Optional) OAuth core/access token |
 
-**For Username/Password authentication (`SFDC_AUTH_TYPE=username_password`):**
-| Variable | Description |
-|----------|-------------|
-| `SFDC_USERNAME` | Salesforce username |
-| `SFDC_PASSWORD` | Salesforce password |
-| `SFDC_CLIENT_SECRET` | External Client App Client Secret |
-
 Example usage:
 ```bash
 export SFDC_LOGIN_URL="https://login.salesforce.com"
@@ -376,9 +369,9 @@ You now have all fields necessary for the `datacustomcode configure` command.
 
 If you're using OAuth Tokens authentication (instead of Username/Password), follow these steps to obtain your refresh token and core token (access token).
 
-#### Step 1: Note Connected App Details
+#### Step 1: Note External Client App Details
 
-From your connected app, note down the following:
+From your External Client App, note down the following:
 - **Client ID**
 - **Client Secret**
 - **Callback URL** (e.g., `http://localhost:55555/callback`)

src/datacustomcode/cli.py

@@ -43,60 +43,56 @@ def version():
         click.echo("Version information not available")
 
 
-def _configure_username_password(
+def _configure_oauth_tokens(
     login_url: str,
     client_id: str,
     profile: str,
 ) -> None:
-    """Configure credentials for Username/Password authentication."""
+    """Configure credentials for OAuth Tokens authentication."""
     from datacustomcode.credentials import AuthType, Credentials
 
-    username = click.prompt("Username")
-    password = click.prompt("Password", hide_input=True)
     client_secret = click.prompt("Client Secret")
+    refresh_token = click.prompt("Refresh Token")
+    core_token = click.prompt(
+        "Core Token (optional, press Enter to skip)",
+        default="",
+        show_default=False,
+    )
 
     credentials = Credentials(
         login_url=login_url,
         client_id=client_id,
-        auth_type=AuthType.USERNAME_PASSWORD,
-        username=username,
-        password=password,
+        auth_type=AuthType.OAUTH_TOKENS,
         client_secret=client_secret,
+        refresh_token=refresh_token,
+        core_token=core_token if core_token else None,
     )
     credentials.update_ini(profile=profile)
     click.secho(
-        f"Username/Password credentials saved to profile '{profile}' successfully",
+        f"OAuth Tokens credentials saved to profile '{profile}' successfully",
         fg="green",
     )
 
 
-def _configure_oauth_tokens(
+def _configure_client_credentials(
     login_url: str,
     client_id: str,
     profile: str,
 ) -> None:
-    """Configure credentials for OAuth Tokens authentication."""
+    """Configure credentials for Client Credentials authentication."""
     from datacustomcode.credentials import AuthType, Credentials
 
     client_secret = click.prompt("Client Secret")
-    refresh_token = click.prompt("Refresh Token")
-    core_token = click.prompt(
-        "Core Token (optional, press Enter to skip)",
-        default="",
-        show_default=False,
-    )
 
     credentials = Credentials(
         login_url=login_url,
         client_id=client_id,
-        auth_type=AuthType.OAUTH_TOKENS,
+        auth_type=AuthType.CLIENT_CREDENTIALS,
         client_secret=client_secret,
-        refresh_token=refresh_token,
-        core_token=core_token if core_token else None,
     )
     credentials.update_ini(profile=profile)
     click.secho(
-        f"OAuth Tokens credentials saved to profile '{profile}' successfully",
+        f"Client Credentials saved to profile '{profile}' successfully",
         fg="green",
     )
 
@@ -105,13 +101,13 @@ def _configure_oauth_tokens(
 @click.option("--profile", default="default", help="Credential profile name")
 @click.option(
     "--auth-type",
-    type=click.Choice(["oauth_tokens", "username_password"]),
+    type=click.Choice(["oauth_tokens", "client_credentials"]),
     default="oauth_tokens",
     help="""Authentication method to use.
 
     \b
-    oauth_tokens      - OAuth tokens (refresh_token/core_token) authentication [DEFAULT]
-    username_password - Traditional username/password OAuth flow
+    oauth_tokens       - OAuth tokens (refresh_token) authentication (default)
+    client_credentials - Server-to-server using client_id/secret only
     """,
 )
 def configure(profile: str, auth_type: str) -> None:
@@ -124,10 +120,10 @@ def configure(profile: str, auth_type: str) -> None:
     client_id = click.prompt("Client ID")
 
     # Route to appropriate handler based on auth type
-    if auth_type == AuthType.USERNAME_PASSWORD.value:
-        _configure_username_password(login_url, client_id, profile)
-    elif auth_type == AuthType.OAUTH_TOKENS.value:
+    if auth_type == AuthType.OAUTH_TOKENS.value:
         _configure_oauth_tokens(login_url, client_id, profile)
+    elif auth_type == AuthType.CLIENT_CREDENTIALS.value:
+        _configure_client_credentials(login_url, client_id, profile)
 
 
 @cli.command()

src/datacustomcode/credentials.py

@@ -28,8 +28,8 @@
 class AuthType(str, Enum):
     """Supported authentication methods for Salesforce Data Cloud."""
 
-    USERNAME_PASSWORD = "username_password"
     OAUTH_TOKENS = "oauth_tokens"
+    CLIENT_CREDENTIALS = "client_credentials"
 
 
 # Environment variable mappings for each auth type
@@ -38,37 +38,31 @@ class AuthType(str, Enum):
     "client_id": "SFDC_CLIENT_ID",
 }
 
-ENV_CREDENTIALS_USERNAME_PASSWORD = {
-    "username": "SFDC_USERNAME",
-    "password": "SFDC_PASSWORD",
-    "client_secret": "SFDC_CLIENT_SECRET",
-}
-
 ENV_CREDENTIALS_OAUTH_TOKENS = {
     "client_secret": "SFDC_CLIENT_SECRET",
     "refresh_token": "SFDC_REFRESH_TOKEN",
     "core_token": "SFDC_CORE_TOKEN",
 }
 
+ENV_CREDENTIALS_CLIENT_CREDENTIALS = {
+    "client_secret": "SFDC_CLIENT_SECRET",
+}
+
 
 @dataclass
 class Credentials:
     """Flexible credentials supporting multiple authentication methods.
 
     Supports two authentication methods:
-    - OAUTH_TOKENS: OAuth tokens (core_token and refresh_token) authentication
-    - USERNAME_PASSWORD: Traditional username/password OAuth flow
+    - OAUTH_TOKENS: OAuth tokens (refresh_token) authentication (default)
+    - CLIENT_CREDENTIALS: Server-to-server integration using client_id/secret only
     """
 
     # Required for all auth types
     login_url: str
     client_id: str
     auth_type: AuthType = field(default=AuthType.OAUTH_TOKENS)
 
-    # Username/Password flow fields
-    username: Optional[str] = None
-    password: Optional[str] = None
-
     # Common field
     client_secret: Optional[str] = None
 
@@ -82,20 +76,7 @@ def __post_init__(self):
 
     def _validate(self) -> None:
         """Validate that required fields are present for the auth type."""
-        if self.auth_type == AuthType.USERNAME_PASSWORD:
-            missing = []
-            if not self.username:
-                missing.append("username")
-            if not self.password:
-                missing.append("password")
-            if not self.client_secret:
-                missing.append("client_secret")
-            if missing:
-                raise ValueError(
-                    f"Username/Password auth requires: {', '.join(missing)}"
-                )
-
-        elif self.auth_type == AuthType.OAUTH_TOKENS:
+        if self.auth_type == AuthType.OAUTH_TOKENS:
             missing = []
             if not self.refresh_token:
                 missing.append("refresh_token")
@@ -104,6 +85,10 @@ def _validate(self) -> None:
             if missing:
                 raise ValueError(f"OAuth Tokens auth requires: {', '.join(missing)}")
 
+        elif self.auth_type == AuthType.CLIENT_CREDENTIALS:
+            if not self.client_secret:
+                raise ValueError("Client Credentials auth requires: client_secret")
+
     @classmethod
     def from_ini(
         cls,
@@ -150,9 +135,6 @@ def from_ini(
             login_url=section["login_url"],
             client_id=section["client_id"],
             auth_type=auth_type,
-            # Username/Password fields
-            username=section.get("username"),
-            password=section.get("password"),
             client_secret=section.get("client_secret"),
             # OAuth Tokens fields
             core_token=section.get("core_token"),
@@ -166,19 +148,14 @@ def from_env(cls) -> Credentials:
         Environment variables:
             Common (required):
                 SFDC_LOGIN_URL: Salesforce login URL
-                SFDC_CLIENT_ID: Connected App client ID
+                SFDC_CLIENT_ID: External Client App client ID
                 SFDC_AUTH_TYPE: Authentication type (optional, defaults to oauth_tokens)
 
             For oauth_tokens (default):
-                SFDC_CLIENT_SECRET: Connected App client secret
+                SFDC_CLIENT_SECRET: External Client App client secret
                 SFDC_REFRESH_TOKEN: OAuth refresh token
                 SFDC_CORE_TOKEN: OAuth core/access token (optional)
 
-            For username_password:
-                SFDC_USERNAME: Salesforce username
-                SFDC_PASSWORD: Salesforce password
-                SFDC_CLIENT_SECRET: Connected App client secret
-
         Returns:
             Credentials instance loaded from environment variables
 
@@ -208,9 +185,6 @@ def from_env(cls) -> Credentials:
             login_url=login_url,
             client_id=client_id,
             auth_type=auth_type,
-            # Username/Password fields
-            username=os.environ.get("SFDC_USERNAME"),
-            password=os.environ.get("SFDC_PASSWORD"),
             client_secret=os.environ.get("SFDC_CLIENT_SECRET"),
             # OAuth Tokens fields
             core_token=os.environ.get("SFDC_CORE_TOKEN"),
@@ -273,15 +247,7 @@ def update_ini(self, profile: str = "default", ini_file: str = INI_FILE) -> None
         config[profile]["client_id"] = self.client_id
 
         # Save fields based on auth type
-        if self.auth_type == AuthType.USERNAME_PASSWORD:
-            config[profile]["username"] = self.username or ""
-            config[profile]["password"] = self.password or ""
-            config[profile]["client_secret"] = self.client_secret or ""
-            # Remove fields from other auth types
-            for key in ["refresh_token", "core_token"]:
-                config[profile].pop(key, None)
-
-        elif self.auth_type == AuthType.OAUTH_TOKENS:
+        if self.auth_type == AuthType.OAUTH_TOKENS:
             config[profile]["client_secret"] = self.client_secret or ""
             config[profile]["refresh_token"] = self.refresh_token or ""
             if self.core_token:
@@ -290,6 +256,12 @@ def update_ini(self, profile: str = "default", ini_file: str = INI_FILE) -> None
             for key in ["username", "password"]:
                 config[profile].pop(key, None)
 
+        elif self.auth_type == AuthType.CLIENT_CREDENTIALS:
+            config[profile]["client_secret"] = self.client_secret or ""
+            # Remove fields from other auth types
+            for key in ["username", "password", "refresh_token", "core_token"]:
+                config[profile].pop(key, None)
+
         with open(expanded_ini_file, "w") as f:
             config.write(f)