
@W-23235332 fix(slas): drive PKCE for registered login on private clients#538

Open
clavery wants to merge 1 commit into
mainfrom
work/W-23235332

Conversation


@clavery clavery commented Jun 29, 2026

Collaborator

Summary

Fixes b2c slas token registered-customer login failing against a private SLAS client (one with a secret) with:

ERROR: SLAS token exchange (authorization_code) failed (HTTP 400) — { "status_code": "400 BAD_REQUEST", "message": "code_verifier is required" }

Root cause: the registered flow's /oauth2/login step always presents a PKCE code_challenge, but the SDK's getRegisteredToken downgraded the private-client token exchange to grant_type=authorization_code and omitted the code_verifier. Having received the challenge at login, SLAS then rejects the exchange.

Fix: unify the registered token exchange so it always uses grant_type=authorization_code_pkce with the matching code_verifier for both public and private clients; a private client additionally authenticates with its secret via HTTP Basic. This matches the canonical behavior in commerce-sdk-isomorphic's loginRegisteredUserB2C. Guest and client_credentials flows are unchanged.

Registered login now works on both public and private clients.

Also fixes the SDK unit test that had codified the buggy authorization_code contract (which is why CI stayed green while the live server failed); it now asserts the PKCE + code_verifier + Basic-auth wire contract. Docs (docs/cli/slas.md flow table) and the b2c-slas skill are updated.

Testing

Verified live against a private SLAS client (mystorefront-zzpq-019, Private: true) on instance zzpq-019:

  1. Reproduced the bug on pre-fix code — registered login (--shopper-login/--shopper-password) against the private client returned HTTP 400 code_verifier is required.
  2. Confirmed the fix — the same command returned a valid registered shopper token. Decoded JWT shows sty: User and isb: ...upn:<shopper>... (a genuine registered login, not guest).
  3. Regression — guest client_credentials on the same private client still issues a token successfully.

To reproduce manually:

b2c slas token --site-id <site> \
  --slas-client-id <id> --slas-client-secret <secret> \
  --shopper-login <login> --shopper-password '********'

Dependencies

  • No net-new third-party dependencies were added

…35332)

`b2c slas token --shopper-login/--shopper-password` failed against a
PRIVATE SLAS client with `HTTP 400 code_verifier is required`. The
registered flow's `/oauth2/login` step always presents a
`code_challenge`, but the private-client token exchange downgraded to
`grant_type=authorization_code` and omitted `code_verifier`, so SLAS
rejected it.

Unify the registered token exchange: always use
`authorization_code_pkce` with the matching `code_verifier` for both
public and private clients; a private client additionally authenticates
with its secret via HTTP Basic. This matches commerce-sdk-isomorphic's
`loginRegisteredUserB2C`. Guest and `client_credentials` flows unchanged.

- Rewrite SDK `getRegisteredToken` token exchange (single PKCE path).
- Fix SDK test that had codified the buggy `authorization_code`
  contract; it now asserts PKCE + `code_verifier` + Basic auth.
- Update slas docs flow table + b2c-slas skill.
- Changeset (patch, @salesforce/b2c-tooling-sdk).
@clavery clavery requested a review from charithaT07 June 29, 2026 19:19
