Read on newly released AI assisted Insights
flxbl docs
Learn CD Concepts using LabsslackGitHub

Server Authentication

This feature requires sfp-pro with sfp-server

sfp-server provides centralized authentication management for teams. This page explains how to authenticate with sfp-server itself, which is separate from authenticating with Salesforce orgs.

Authentication Overview

sfp-server uses a two-layer authentication model:

┌─────────────────────────────────────────────────────────────────┐
│                    Authentication Layers                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Layer 1: Server Authentication                                │
│   ─────────────────────────────────                             │
│   You ───> sfp-server                                           │
│   Methods: OAuth (GitHub/SAML), Admin login, Impersonation      │
│   Result: Server access token (stored locally)                  │
│                                                                 │
│   Layer 2: Salesforce Authentication                            │
│   ──────────────────────────────────                            │
│   sfp-server ───> Salesforce Orgs                               │
│   Methods: Registered org credentials, JIT authentication       │
│   Result: Access to Salesforce APIs via server                  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Complete Authentication Flow

Here's the step-by-step flow when a user authenticates to sfp-server and accesses an environment:

Step-by-Step Walkthrough

1. Initial Server Authentication

What happens:

  1. CLI starts a local HTTP server on port 54329

  2. Opens your browser to GitHub OAuth authorization page

  3. You authorize the sfp application on GitHub

  4. GitHub redirects back to localhost:54329/callback

  5. CLI receives the OAuth token from GitHub via Supabase

  6. Token is stored securely in your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service)

2. Verify Authentication Status

Output:

3. Access an Environment

What happens:

  1. CLI retrieves your server token from the OS keychain

  2. Sends request to sfp-server API with your token

  3. Server verifies your identity and role permissions

  4. Server decrypts the stored Salesforce credentials

  5. Returns credentials to CLI (accessToken or sfdxAuthUrl based on --auth-type)

  6. CLI creates local Salesforce authentication with alias "UAT"

4. Use the Authenticated Org

Token Storage Details

sfp stores authentication tokens securely using the operating system's native credential storage:

OS
Storage Location
Service Name

macOS

Keychain Access

sfp-pro

Windows

Credential Manager

sfp-pro

Linux

Secret Service (libsecret)

sfp-pro

The token key format is: supabase-token-{email}

Authentication Lifecycle

Server Authentication Methods

OAuth (GitHub)

The most common method for team members. Uses GitHub for identity verification.

This will:

  1. Open a browser window to GitHub

  2. Authenticate with your GitHub account

  3. Store the server token locally

OAuth (SAML)

For organizations using SAML-based SSO:

Admin Login

For server administrators, username/password authentication:

You'll be prompted for the password, or provide it via file:

Impersonation (Advanced)

For administrative tasks requiring user impersonation. Requires the SUPABASE_JWT_SECRET environment variable:

Authentication Storage

Server credentials are stored locally and used for subsequent commands:

Token Location

Tokens are stored in the sfp configuration directory:

  • macOS/Linux: ~/.sfp/

  • Windows: %USERPROFILE%\.sfp\

Environment Variables

For CI/CD pipelines, use environment variables instead of interactive login:

With these set, sfp commands automatically authenticate with the server:

Application Tokens

For CI/CD and automation, application tokens provide secure, non-interactive authentication.

Creating an Application Token

Output:

Using Application Tokens

Managing Application Tokens

Role-Based Access

Server authentication grants different capabilities based on user roles:

Role
Capabilities

Member

View environments, fetch orgs (no credentials)

Owner

Full access including credentials, org registration

Application

API access for automation

Credential Access

Only certain roles can retrieve Salesforce credentials:

CI/CD Integration

GitHub Actions

Azure DevOps

Global Auth Mode

sfp-server can be configured for global authentication, routing users to their appropriate tenant:

This is useful for multi-tenant deployments where a single authentication endpoint serves multiple organizations.

Session Management

Session Timeout

Server sessions have configurable timeouts. Re-authenticate when expired:

Multiple Servers

If working with multiple sfp-server instances:

Troubleshooting

"Authentication failed"

"Token expired"

"Unauthorized"

  • Verify your role has the required permissions

  • Check if the application token is still valid

  • Ensure SFP_SERVER_URL is correct

"Cannot connect to server"

Related Topics

Last updated