Salesforce is getting rid of Device Flow to login to the Data Loader app, how can I switch to Web Server Flow to test it will work okay with my SSO? We don't use passwords at my organization. My only login options through the app are OAuth or Password Authentication. It automatically defaults to Device Flow.
1 Answer
tl;dr:
- install the current version of Dataloader (64.0.2 at time of writing)
- set up an External Client App
- getting the client key and secret into Dataloader makes it try to use the Authorization Code flow (i.e. what Salesforce calls the "Web Server" flow) instead of the Device Flow.
full version
Looking through the Dataloader's github repo, Version 64.0.2, which is the version available for download through the official Dataloader page at time of writing, there were changes made to support this rather abrupt retirement of the Device Flow.
While the Device Flow is still able to be used (for now), Dataloader will try to use the Authorization Code Flow (with PKCE) first. To be able to use the Authorization Code flow, you'll need to create an External Client App [1].
The External Client App needs the following OAuth scopes:
- Manage user data via APIs (api)
- Perform requests at any time (refresh_token, offline_access)
and you'll specifically need to check Enable Authorization Code and Credentials Flow in the "Flow Enablement" section of the OAuth Settings.
For the Callback URL, we need to use http://localhost:7171/OauthRedirect. Dataloader will temporarily [2] spin up a local server to receive the redirect callback. Pretty standard OAuth stuff.
Once created, you'll need the consumer key and consumer secret from the External Client App.
Next, in Dataloader's program window, go to Settings -> Settings
Scroll down until you find External Client App Consumer Key (Production) and External Client App Consumer Secret (Production), and copy/paste the relevant strings from Salesforce.
We can also change the OAuth PKCE callback port in the Dataloader settings, but just leave that one alone unless you know you need to change it. The default is 7171. Changing the port in the Dataloader settings means you'd also need to change the Callback URL in the External Client App.
From there, everything else should be the same. The Authorization Code flow is an interactive flow, meaning it'll pop up a browser window for people to enter their credentials. If you leave the Authentication host domain URL for production/sandbox alone, you'll still need to click on "Use a Custom Domain" to get to your org's specific login page. That's where you'll find the button to log in with your SSO provider.
[1]: i.e. the evolution of Connected Apps that resolves some issues related to packaging. There's a checkbox in Apps -> External Client Apps -> Settings that allows you to create Connected Apps again too, but probably best to get used to the new thing. A new (or existing) Connected App should also work for this, provided the Authorization Code and Credentials Flow is enabled for it.
[2]: This server is automatically stopped after a successful authorization, or after 60 seconds, whichever comes first.
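The answer above describes the Authorization Code flow with PKCE and the short-lived loopback listener on port 7171 that receives the redirect. The following is an added example, not Data Loader's own code and not from the answer's author: it generates a PKCE verifier/challenge pair, builds the authorize URL with the scopes the answer lists, and runs a loopback listener that only accepts a callback whose state parameter matches the one the client sent (the check that keeps a stray or injected redirect from being accepted as your login) and that stops after a timeout, as the footnote says Data Loader's does. The host login.salesforce.com, the placeholder consumer key, and the sample code/state values are constructed for the demo.

```python
"""PKCE Authorization Code flow helpers in the shape a desktop client uses:
verifier/challenge, authorize URL, loopback redirect listener with state check.
Added example; client id, host and sample values are constructed placeholders."""
import base64
import hashlib
import secrets
import threading
import time
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIRECT_PATH = "/OauthRedirect"   # matches the Callback URL from the answer


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """RFC 7636: a random high-entropy verifier and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def challenge_matches(verifier, challenge):
    """The check the authorization server performs at the token endpoint."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())


def build_authorize_url(login_host, client_id, port, state, challenge,
                        scope="api refresh_token offline_access"):
    """Assemble the browser URL; default scopes are the ones the answer lists."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"http://localhost:{port}{REDIRECT_PATH}",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{login_host}/services/oauth2/authorize?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Validate the redirect: right path and matching state, then code or error."""
    parsed = urllib.parse.urlparse(path)
    if parsed.path != REDIRECT_PATH:
        return {"error": "unexpected_path"}
    query = urllib.parse.parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return {"error": "state_mismatch"}   # not our request: stale tab or CSRF attempt
    if "error" in query:
        return {"error": query["error"][0]}
    code = query.get("code", [""])[0]
    return {"code": code} if code else {"error": "missing_code"}


class _RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        result = parse_callback(self.path, self.server.expected_state)
        self.server.result = result
        self.send_response(200 if "code" in result else 400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"You can close this window." if "code" in result
                         else result["error"].encode())

    def log_message(self, *args):   # keep the demo output quiet
        pass


def open_listener(expected_state, port=7171):
    """Bind the loopback listener; .port is the bound port (useful when port=0)."""
    httpd = HTTPServer(("127.0.0.1", port), _RedirectHandler)
    httpd.expected_state = expected_state
    httpd.result = None
    httpd.port = httpd.server_address[1]
    return httpd


def wait_for_redirect(httpd, timeout=60.0):
    """Serve until one callback has been judged, or give up after timeout seconds."""
    deadline = time.monotonic() + timeout
    try:
        while httpd.result is None and time.monotonic() < deadline:
            httpd.timeout = max(0.05, deadline - time.monotonic())
            httpd.handle_request()
    finally:
        httpd.server_close()
    return httpd.result or {"error": "timeout"}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("login.salesforce.com", "CONSUMER_KEY_PLACEHOLDER", 7171, state, challenge))
    listener = open_listener(state, port=0)   # port 0: any free port, for the offline demo
    fake_browser = threading.Thread(
        target=urllib.request.urlopen,
        args=(f"http://127.0.0.1:{listener.port}{REDIRECT_PATH}?code=AUTHCODE&state={state}",))
    fake_browser.start()                      # stands in for the browser redirect
    print(wait_for_redirect(listener, timeout=5))   # {'code': 'AUTHCODE'}
    fake_browser.join()
```

The verifier never leaves the client until the token request, so an observer who only sees the redirect (code and state) cannot redeem the code; the listener binds 127.0.0.1 only, and the port passed to open_listener must match the Callback URL registered on the External Client App, which is why the answer says to leave the port setting alone unless you change both.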