circle-info
Read on newly released AI assisted Insights
flxbl docsarrow-up-right
search
Learn CD Concepts using LabsslackGitHub

ring-diamondServer Authentication

circle-info

This feature requires sfp-pro with sfp-server

sfp-server provides centralized authentication management for teams. This page explains how to authenticate with sfp-server itself, which is separate from authenticating with Salesforce orgs.

hashtag
Authentication Overview

sfp-server uses a two-layer authentication model:

┌─────────────────────────────────────────────────────────────────┐
│                    Authentication Layers                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Layer 1: Server Authentication                                │
│   ─────────────────────────────────                             │
│   You ───> sfp-server                                           │
│   Methods: OAuth (GitHub/SAML), Admin login, Impersonation      │
│   Result: Server access token (stored locally)                  │
│                                                                 │
│   Layer 2: Salesforce Authentication                            │
│   ──────────────────────────────────                            │
│   sfp-server ───> Salesforce Orgs                               │
│   Methods: Registered org credentials, JIT authentication       │
│   Result: Access to Salesforce APIs via server                  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

hashtag
Complete Authentication Flow

Here's the step-by-step flow when a user authenticates to sfp-server and accesses an environment:

hashtag
Step-by-Step Walkthrough

hashtag
1. Initial Server Authentication

What happens:

  1. CLI starts a local HTTP server on port 54329

  2. Opens your browser to GitHub OAuth authorization page

  3. You authorize the sfp application on GitHub

  4. GitHub redirects back to localhost:54329/callback

  5. CLI receives the OAuth token from GitHub via Supabase

  6. Token is stored securely in your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service)

hashtag
2. Verify Authentication Status

Output:

hashtag
3. Access an Environment

What happens:

  1. CLI retrieves your server token from the OS keychain

  2. Sends request to sfp-server API with your token

  3. Server verifies your identity and role permissions

  4. Server decrypts the stored Salesforce credentials

  5. Returns credentials to CLI (accessToken or sfdxAuthUrl based on --auth-type)

  6. CLI creates local Salesforce authentication with alias "UAT"

hashtag
4. Use the Authenticated Org

hashtag
Token Storage Details

sfp stores authentication tokens securely using the operating system's native credential storage:

OS
Storage Location
Service Name

macOS

Keychain Access

sfp-pro

Windows

Credential Manager

sfp-pro

Linux

Secret Service (libsecret)

sfp-pro

The token key format is: supabase-token-{email}

hashtag
Authentication Lifecycle

hashtag
Server Authentication Methods

hashtag
OAuth (GitHub)

The most common method for team members. Uses GitHub for identity verification.

This will:

  1. Open a browser window to GitHub

  2. Authenticate with your GitHub account

  3. Store the server token locally

hashtag
OAuth (SAML)

For organizations using SAML-based SSO:

hashtag
Admin Login

For server administrators, username/password authentication:

You'll be prompted for the password, or provide it via file:

hashtag
Impersonation (Advanced)

For administrative tasks requiring user impersonation. Requires the SUPABASE_JWT_SECRET environment variable:

hashtag
Authentication Storage

Server credentials are stored locally and used for subsequent commands:

hashtag
Token Location

Tokens are stored in the sfp configuration directory:

  • macOS/Linux: ~/.sfp/

  • Windows: %USERPROFILE%\.sfp\

hashtag
Environment Variables

For CI/CD pipelines, use environment variables instead of interactive login:

With these set, sfp commands automatically authenticate with the server:

hashtag
Application Tokens

For CI/CD and automation, application tokens provide secure, non-interactive authentication.

hashtag
Creating an Application Token

Output:

hashtag
Using Application Tokens

hashtag
Managing Application Tokens

hashtag
Role-Based Access

Server authentication grants different capabilities based on user roles:

Role
Capabilities

Member

View environments, fetch orgs (no credentials)

Owner

Full access including credentials, org registration

Application

API access for automation

hashtag
Credential Access

Only certain roles can retrieve Salesforce credentials:

hashtag
CI/CD Integration

hashtag
GitHub Actions

hashtag
Azure DevOps

hashtag
Global Auth Mode

sfp-server can be configured for global authentication, routing users to their appropriate tenant:

This is useful for multi-tenant deployments where a single authentication endpoint serves multiple organizations.

hashtag
Session Management

hashtag
Session Timeout

Server sessions have configurable timeouts. Re-authenticate when expired:

hashtag
Multiple Servers

If working with multiple sfp-server instances:

hashtag
Troubleshooting

hashtag
"Authentication failed"

hashtag
"Token expired"

hashtag
"Unauthorized"

  • Verify your role has the required permissions

  • Check if the application token is still valid

  • Ensure SFP_SERVER_URL is correct

hashtag
"Cannot connect to server"

hashtag
Related Topics

Last updated