You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(slas): drive PKCE for registered login on private clients (@W-23235332)
`b2c slas token --shopper-login/--shopper-password` failed against a
PRIVATE SLAS client with `HTTP 400 code_verifier is required`. The
registered flow's `/oauth2/login` step always presents a
`code_challenge`, but the private-client token exchange downgraded to
`grant_type=authorization_code` and omitted `code_verifier`, so SLAS
rejected it.
Unify the registered token exchange: always use
`authorization_code_pkce` with the matching `code_verifier` for both
public and private clients; a private client additionally authenticates
with its secret via HTTP Basic. This matches commerce-sdk-isomorphic's
`loginRegisteredUserB2C`. Guest and `client_credentials` flows unchanged.
- Rewrite SDK `getRegisteredToken` token exchange (single PKCE path).
- Fix SDK test that had codified the buggy `authorization_code`
contract; it now asserts PKCE + `code_verifier` + Basic auth.
- Update slas docs flow table + b2c-slas skill.
- Changeset (patch, @salesforce/b2c-tooling-sdk).
Fix `b2c slas token` registered-customer login failing against a private SLAS client with `HTTP 400 code_verifier is required`. The registered login flow is always PKCE-protected, so the token exchange now always sends the `code_verifier` with the `authorization_code_pkce` grant — and, for private clients, additionally authenticates with the client secret via HTTP Basic. Registered login now works on both public and private clients; guest and `client_credentials` flows are unchanged.
| Registered (`--shopper-login`), with secret | Registered login + PKCE, plus client-secret Basic auth |
86
87
| No `--slas-client-id`| Auto-discovers first public client via SLAS Admin API |
87
88
89
+
::: tip Registered login uses PKCE on both public and private clients
90
+
The registered-customer flow is always PKCE-protected: the `/oauth2/login` step presents a `code_challenge`, so the token exchange always sends the matching `code_verifier`. A private SLAS client additionally authenticates with its secret (HTTP Basic). This is why the registered flow works against both public and private clients.
0 commit comments