Pardot authentication after spring 2021 #46

Open
renjithpaul27 opened this issue Nov 24, 2020 · 15 comments
@renjithpaul27

As per pardot documentation, "In the Spring '21 and later releases of the Pardot API, authentication with the API key / user key will not be supported".

How is pypardot4 going to be impacted by this?

@skpadgett

Unless addressed, this integration wrapper will stop working after the February 15th 2021 Spring Release. @mneedham91 any thoughts? Has anyone from Pardot reached out to assist or advise?

@skpadgett

skpadgett commented Dec 23, 2020

Salesforce documentation identifies several alternative OAuth workflow options for replacing the current Pardot UID/pwd based approach. In the likelihood that there will not be a 'one size fits all' solution, anticipate need for 'Authorization Option' parameter for this wrapper that supports various options as they are implemented, including backward compatibility to the current approach.

I am working with a client that is already using SSO Salesforce UID/Pwd for interactive access to Pardot and evaluating options for making the Pardot API (and this wrapper) work. The Pardot API authentication page includes an example using this workflow with a mild caveat on its use. The following from the above referenced Salesforce documentation page includes much stronger language concerning the risks of using this option:

 OAuth 2.0 Username-Password Flow for Special Scenarios
 You can use the username-password flow to authorize a client—via a connected app—that already has the user’s credentials. 
 However, we recommend avoiding this flow because it passes credentials back and forth. Use it only if…
  -  there is a high degree of trust between the resource owner and the client, 
  -  the client is a first-party app, 
  -  Salesforce is hosting the data, 
  -  and other grant types aren’t available. 

 In these cases, set user permissions to minimize access and protect stored credentials from unauthorized access.

That said, I "think" my client has other Salesforce API activity using this OAuth workflow, so may end up going with this approach. Intend to assign a "custom role" to UID used in the API with read-only access to address concerns raised above. (FYI - I did notice that the Java version of the Pardot API Wrapper went with this option. From quick glance, it looks like they've incorporated some UID/pwd masking functionality in the code.)

I intend to have our solution implemented in late Jan/early Feb timeframe.

fyi - @mneedham91

@skpadgett

I've confirmed that my client is using the Salesforce UID/Pwd OAuth workflow for their other non-Pardot Salesforce API activity. However, they are encrypting and storing the pwd/uid in an Azure AD vault, using a departmental (vs enterprise std) approach that includes unrelated (to my efforts) tech stack components. Consequently, have just started looking at AWS Encryption SDK as a possibly generic option that others here may wish to leverage. It's available in a python library, free, and entirely client side - no requirement to use AWS. See AWS Encryption SDK for info. I'm going to continue to investigate, but will need to clear this approach with the client's security team after the holidays.

fyi - @mneedham91

@skpadgett

By the way, I did have the client raise this topic with their Salesforce support contact. Their response was to reference this issue.

@daigotanaka

daigotanaka commented Jan 5, 2021

In case people need something that works before the Feb 15, 2021 deadline, here is an example implementation:
anelendata@bef7422
By default, the token does not expire until revoked. So, the easiest would be to manually obtain the token the way it is scripted in the setup_salesforce_auth_keys() method in this commit. The code in this commit also allows instantiating the class with token & business_unit_id.

By the way, the branch contains support for the v3 API (as addressed in #43) and the Bulk Prospect Import API feature (*):
https:/anelendata/PyPardot4/tree/sfauth

Update: I forked and released PyPardotSF: https:/anelendata/PyPardotSF

(*) Bulk Import API (v3): https://developer.pardot.com/kb/api-version-3/import/

@daigotanaka

daigotanaka commented Jan 5, 2021

Just realized that I was confused about the refresh token policy. The refresh token doesn't expire by default but the token will expire if you do not use it for a while. So one way is to store refresh_token, consumer_key, and consumer_secret to obtain the token in the first call. (code: anelendata@81e7234#diff-74771ec4a270fac563e3db312b4383c44598a049af2871431a456501b85553ef)
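
An added example (not part of the comment above and not PyPardotSF's code) of the refresh-token exchange it describes: the stored refresh_token, consumer_key and consumer_secret are read from environment variables, placed in a POST to Salesforce's OAuth token endpoint, and the returned access token goes into the Pardot request headers. The environment variable names, function names and sample responses are assumptions constructed for illustration; the request is built but not sent.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
# Hypothetical environment variable names; keep these values out of source control.
ENV_NAMES = ("PARDOT_CONSUMER_KEY", "PARDOT_CONSUMER_SECRET", "PARDOT_REFRESH_TOKEN")

def load_credentials(env=os.environ):
    missing = [n for n in ENV_NAMES if not env.get(n)]
    if missing:  # fail loudly rather than send a half-empty grant request
        raise KeyError("missing credentials: " + ", ".join(missing))
    return tuple(env[n] for n in ENV_NAMES)

def build_refresh_request(consumer_key, consumer_secret, refresh_token):
    """Build (without sending) the OAuth 2.0 refresh-token grant request."""
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
        "refresh_token": refresh_token,
    }).encode("ascii")
    # Secrets go in the POST body, not the URL, so they stay out of access logs.
    return urllib.request.Request(
        TOKEN_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(body):
    """Return the access token; on failure raise with the error code only."""
    doc = json.loads(body)
    if "error" in doc:
        raise PermissionError("token refresh failed: " + str(doc["error"]))
    if not doc.get("access_token"):
        raise ValueError("response carries no access_token")
    return doc["access_token"]

def pardot_headers(access_token, business_unit_id):
    return {"Authorization": "Bearer " + access_token,
            "Pardot-Business-Unit-Id": business_unit_id}

def redact(secret, keep=4):
    """Mask a secret for log output, showing at most the last `keep` chars."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]

# Constructed sample responses (not real tokens).
SAMPLE_OK = b'{"access_token": "constructed-access-token", "token_type": "Bearer"}'
SAMPLE_ERR = b'{"error": "invalid_grant", "error_description": "expired access/refresh token"}'
```

To send the request, pass the result of build_refresh_request() to urllib.request.urlopen() and feed the response body to parse_token_response().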

@skpadgett

Daigo, this is awesome!! Thank you for the level of detail re. the connected app configuration.

@daigotanaka

daigotanaka commented Jan 12, 2021

Btw, I'm deciding whether to permanently fork PyPardot4 to release a package (with some other name and after code & doc clean up) that handles both ver 3 & 4 API and Salesforce OAuth described above. It also supports Import API to batch upload the prospects (my main motivation for the fork). Currently available on this branch: https:/anelendata/PyPardot4/tree/sfauth

Update: I forked and released PyPardotSF: https:/anelendata/PyPardotSF

@skpadgett

Daigo, I'm successfully getting the token & refresh token. Am I correct in thinking I need to manually execute the post method to get headers built before I can do anything else? If so, can you provide an example? What I'm really asking for is an updated "Using it is simple" example as in the readme for the original. (Apologies - brand new to python, but appreciating the opportunity to learn on your code).

@daigotanaka

@skpadgett: Let's move this discussion to https:/anelendata/PyPardotSF
I'm not sure if the authors of Pypardot4 are active or willing to make further changes and I don't want to annoy the people on this repo. I updated the README, addressing your question on the new repo. Thx!

@gaoqiang-zhuo

Hi @daigotanaka, I tried your package PyPardotSF. I can get the new access token with the refresh token, however the access token does not work. For example, when I ran p.prospects.read_by_email(email=a_test_email), I got this error: pypardot.errors.PardotAPIError: Error #184: access_token is invalid, unknown, or malformed. Would you mind verifying if the package works well for you now? Thanks.

@royt-via

royt-via commented Feb 4, 2021

Hi, do you know if this issue would be resolved by Feb 15th or should we start looking for alternatives?

@daigotanaka

daigotanaka commented Feb 4, 2021

Hi @gaoqiang-zhuo

It's been working fine for me. Did you follow the steps described on PardotSF README.md?
Anyways, let's take this discussion to the forked repo. Please feel free to file an issue after you confirm the steps described in the README.

@royt-via

royt-via commented Feb 5, 2021

@mneedham91 is this repo still maintained?

@gaoqiang-zhuo

Hi @daigotanaka I followed the steps in readme again, and it works now. Thank you so much!
