Resource Owner Password Credentials Authentication Failure
This document describes the changes required due to a possible failure of an authentication attempt using the OAuth resource owner password credentials grant from Account Manager.
This document applies to you if the following scenario matches your situation:
- You authenticated against Account Manager using API client credentials AND user credentials combined, which resulted in the error Error: Authentication failed: Resource owner authentication failed
When users in your Account Manager org are enrolled for MFA, authentication with client credentials and user credentials combined is blocked. Attempting to run the authentication (e.g. through sfcc-ci, specifically the command sfcc-ci client:auth <client_id> <client_secret> <username> <user_password>) will fail, and sfcc-ci will return the following error:
Error: Authentication failed: Resource owner authentication failed
To move from a combined authentication using API client credentials AND user credentials together to an authentication using only API client credentials, the following steps are required:
1. Ensure you understand which particular operations in the Salesforce Commerce Cloud Platform you perform through the CLI after you run the authentication. Most likely it is managing On-Demand Sandboxes (all commands starting with sfcc-ci sandbox:, for example sfcc-ci sandbox:create) or User Management (all commands starting with sfcc-ci user:, for example sfcc-ci user:create).
2. Adjust the permissions of your API client: As you will no longer use the user credentials, but only the API client credentials, you have to make sure your API client has sufficient privileges to perform the operations. Based on the operations identified under #1, you have to grant your API client
   - the role “Sandbox API User” with the relevant scope (in case of managing On-Demand Sandboxes for your realm(s)) and/or
   - the role “Account Administrator” (in case of managing users in your org); doing so may require opening a Support Case
3. Adjust the authentication command in the CLI: Replace sfcc-ci client:auth <client_id> <client_secret> <username> <user_password> with sfcc-ci client:auth <client_id> <client_secret>
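To find the places where the last step still has to be applied, the following added example (not part of sfcc-ci or of the original page) scans a build script for client:auth calls that pass more than the two client-credential arguments. The function name audit_client_auth is hypothetical, and it assumes arguments contain no whitespace, as is typical when CI variables are used.

```shell
#!/bin/sh
# Added example, not part of sfcc-ci. Flags `sfcc-ci client:auth` calls that
# still pass <username> <user_password> after <client_id> <client_secret>.
# Assumptions: arguments contain no whitespace (e.g. "$CLIENT_SECRET"), and
# any token starting with "-" is an option. An option that takes a separate
# value is counted as a positional argument, so review such hits by hand.

# audit_client_auth FILE
# Prints "FILE:LINE: text" for every combined-credentials call.
# Returns 1 if any were found and 0 otherwise, so it can gate a pipeline.
audit_client_auth() {
  awk -v file="$1" '
    {
      for (i = 1; i <= NF; i++) {
        # Ignore everything from a comment marker onwards.
        if ($i ~ /^#/) break
        if (i < 2 || $i != "client:auth") continue
        # Accept both "sfcc-ci" and a path such as "./node_modules/.bin/sfcc-ci".
        if ($(i - 1) !~ /(^|\/)sfcc-ci$/) continue
        positional = 0
        for (j = i + 1; j <= NF; j++) {
          # Stop at the end of this command or at a trailing comment.
          if ($j ~ /^(;|&&|\|\||\||#)/) break
          if ($j !~ /^-/) positional++
        }
        # More than <client_id> <client_secret> means user credentials remain.
        if (positional > 2) {
          printf "%s:%d: %s\n", file, NR, $0
          found = 1
        }
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}
```

A non-zero return value means at least one call still needs to be reduced to sfcc-ci client:auth <client_id> <client_secret>.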