MFA: migrating a connected app with previously issued tokens to a high assurance session

Tags: api, connected-apps, mfa

There is quite a lot of documentation about Salesforce and MFA, but so far I have not been able to find out how exactly Salesforce is going to enforce MFA.

Why does this matter? Well, if you have connected apps, this might be an issue.
What I have seen: a connected app requests an OAuth token by supplying a username, password, client id, secret, etc.
The user, referred to by the username, has a profile.
I have enabled the 'Multi-Factor Authentication for User Interface Logins' permission for the profile.
I have not enabled the 'Multi-Factor Authentication for API Logins' permission.

The MFA FAQ states that API login does not require MFA.

However, if I set the Session Security Level of the profile to High Assurance, the connected app can no longer communicate with Salesforce. Error: invalid session id.

This seems to contradict the statement that Salesforce makes here: "The high assurance security setting applies to UI logins.
OAuth token exchanges aren’t subject to the requirement.
OAuth refresh tokens that were obtained before a high assurance security setting is applied to a profile can still be exchanged for valid API access tokens.
Tokens are valid even if they were obtained with a standard assurance session.
To require users to establish a high assurance session before accessing the API with an external application, revoke existing OAuth tokens for users with that profile.
Then assign a high assurance security setting to the profile. Users must log in with MFA and reauthorize the application."

If I change the security setting back to empty, the interface immediately works again.

Processing identigral's comments and reading Salesforce's documentation, these are the steps that I must take:

"To require users to establish a high assurance session before accessing the API with an external application,

  1. revoke existing OAuth tokens for users with that profile.
  2. Then assign a high assurance security setting to the profile.
  3. Users must log in with MFA and reauthorize the application."

I performed steps 1 and 2. Regarding step 3, I have the following questions:

  • Which user must do this? A sysadmin or the user whose credentials will be used by the connected app?
  • How do I reauthorize the application? I really have no idea.

Regarding those questions: if I look at the Trailhead that covers this topic, it mentions a section called 'OAuth policies'.

So I looked deeper and via App Manager > (app) Manage > Edit Policies, I was able to change the setting to "Admin approved users are pre-authorized". This in turn made it possible to add the profiles of allowed users.

Now it started making sense how a connected app and a profile can be related. Unfortunately, I still have no idea how to reauthorize the application. I have played with all variations of profile session security level, logging in as the appropriate user with MFA, deleting and adding the profile to the connected app policy, but to no avail. If the profile session security level is set to High Assurance, the connected app gets the error INVALID_SESSION_ID; as soon as I set the profile session security level to empty, the connected app has no problems accessing Salesforce.

When I look in Connected Apps OAuth Usage, the connected app is not listed there. Nor does the user that the connected app uses to log in have any OAuth logins/settings filled in. Nothing to revoke or reauthorize there.

The app is an external Enterprise Service Bus, it does not have a user interface with which I can (re)authorize access to Salesforce.

Best Answer

This has cost me two days of research, but I finally found out what is going on and I found out that I cannot fix the problem.

It turns out that the connected app, an Enterprise Service Bus, is using the OAuth 2.0 Username+Password flow.

However, according to the Salesforce documentation:

For connected apps, only the OAuth 2.0 refresh token flow, web server flow, and user-agent flows support using API logins with the high assurance MFA session security level. All other OAuth flows [...] block API logins with the high assurance MFA session security level.

This explains why all of my attempts to make MFA work with my particular connected app failed.

Worse: the three OAuth flows that work with MFA are not compatible with an API-only connected app such as an Enterprise Service Bus.

I am going to raise a case with Salesforce Support asking them how they will guarantee that the connected app will continue to work after MFA is enforced. Because there are several ways for Salesforce to do that. And if they choose to do it by changing the profile Session Security level to High Assurance, then this app will fail and all hell will break loose (Salesforce being the single source of truth of client data in our company).

Update: I have raised this issue in the MFA - Getting started Salesforce Trailhead group.
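The answer above quotes the documentation as saying that the refresh token flow keeps working under a high assurance session while the username+password flow does not. The following is an added example, not code from the original post or from Salesforce, showing what a headless integration such as the ESB would look like if it were moved from the password flow to the refresh token flow. It assumes (this is not stated on the page) that an administrator has completed the web server flow once under an MFA session and handed the resulting refresh token to the integration. The HTTP transport is injected, and the `StubSalesforce` class is a constructed stand-in that imitates the behaviour the thread describes (a password-flow token is issued, but API calls made with it under high assurance fail with INVALID_SESSION_ID); only the token endpoint URL, the form parameters and the 401 error shape are real Salesforce conventions.

```python
"""Added example (not from the original post): refresh token flow for a headless
integration, with a constructed stub standing in for Salesforce."""
import json
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
Response = Tuple[int, str]                                   # (HTTP status, body)
Transport = Callable[[str, Dict[str, str], str], Response]   # (url, headers, body)


def password_grant_body(client_id: str, client_secret: str, username: str,
                        password: str, security_token: str) -> str:
    """Username+password flow request body (the flow the ESB in the thread uses)."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password + security_token})


def refresh_grant_body(client_id: str, client_secret: str, refresh_token: str) -> str:
    """Refresh token flow request body."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token})


def is_invalid_session(status: int, body: str) -> bool:
    """Salesforce REST reports an unusable session as HTTP 401 with a JSON array:
    [{"message": "Session expired or invalid", "errorCode": "INVALID_SESSION_ID"}]."""
    if status != 401:
        return False
    try:
        errors = json.loads(body)
    except ValueError:
        return False
    return any(isinstance(e, dict) and e.get("errorCode") == "INVALID_SESSION_ID"
               for e in errors)


class RefreshTokenClient:
    """Keeps the long-lived refresh token (a secret), exchanges it for access tokens
    on demand, and re-exchanges once when a call comes back INVALID_SESSION_ID."""

    def __init__(self, client_id: str, client_secret: str, refresh_token: str,
                 transport: Transport) -> None:
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.transport = refresh_token, transport
        self.access_token = None
        self.instance_url = None

    def refresh(self) -> None:
        status, body = self.transport(
            TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"},
            refresh_grant_body(self.client_id, self.client_secret, self.refresh_token))
        if status != 200:
            raise RuntimeError(f"refresh token exchange failed: {status} {body}")
        token = json.loads(body)
        self.access_token, self.instance_url = token["access_token"], token["instance_url"]

    def get(self, path: str) -> dict:
        if self.access_token is None:
            self.refresh()
        for attempt in range(2):
            status, body = self.transport(self.instance_url + path,
                                          {"Authorization": "Bearer " + self.access_token}, "")
            if is_invalid_session(status, body) and attempt == 0:
                self.refresh()          # session rejected: exchange again, retry once
                continue
            if status != 200:
                raise RuntimeError(f"API call failed: {status} {body}")
            return json.loads(body)
        raise RuntimeError("API call still rejected after refresh")


class StubSalesforce:
    """Constructed stand-in (not Salesforce). With high_assurance=True it still
    issues a token to the password flow but rejects API calls made with that token,
    which is the behaviour the thread reports; refresh-flow tokens are accepted."""

    def __init__(self, high_assurance: bool) -> None:
        self.high_assurance, self.issued, self.counter = high_assurance, {}, 0

    def __call__(self, url: str, headers: Dict[str, str], body: str) -> Response:
        if url == TOKEN_URL:
            form = {k: v[0] for k, v in parse_qs(body).items()}
            if form.get("client_secret") != "secret":
                return 400, json.dumps({"error": "invalid_client"})
            if form.get("grant_type") == "refresh_token" and form.get("refresh_token") != "rt-1":
                return 400, json.dumps({"error": "invalid_grant"})
            self.counter += 1
            tok = f"00Dxx!tok{self.counter}"
            self.issued[tok] = form["grant_type"]          # remember which flow issued it
            return 200, json.dumps({"access_token": tok,
                                    "instance_url": "https://example.my.salesforce.com"})
        tok = headers.get("Authorization", "")[len("Bearer "):]
        flow = self.issued.get(tok)
        if flow is None or (self.high_assurance and flow == "password"):
            return 401, json.dumps([{"message": "Session expired or invalid",
                                     "errorCode": "INVALID_SESSION_ID"}])
        return 200, json.dumps({"totalSize": 1, "done": True})


def demo(high_assurance: bool) -> Tuple[str, str]:
    """Run the ESB as-is (password flow) and as migrated (refresh flow) against the stub;
    returns (password-flow outcome, refresh-flow outcome)."""
    sf = StubSalesforce(high_assurance)
    _, body = sf(TOKEN_URL, {}, password_grant_body("cid", "secret", "esb@example.com", "pw", "tok"))
    tok = json.loads(body)["access_token"]
    status, body = sf("https://example.my.salesforce.com/services/data/v52.0/query",
                      {"Authorization": "Bearer " + tok}, "")
    pw_result = "INVALID_SESSION_ID" if is_invalid_session(status, body) else "ok"
    try:
        RefreshTokenClient("cid", "secret", "rt-1", sf).get("/services/data/v52.0/query")
        rt_result = "ok"
    except RuntimeError as e:
        rt_result = str(e)
    return pw_result, rt_result


if __name__ == "__main__":
    print(demo(high_assurance=False))   # ('ok', 'ok')
    print(demo(high_assurance=True))    # ('INVALID_SESSION_ID', 'ok')
```

The point of the design is that the integration never holds the user's password or security token at all: the only long-lived secret it stores is the refresh token, which is bound to the user who authorized the app under MFA and can be revoked centrally (Connected Apps OAuth Usage) without changing that user's credentials. The retry-once logic matters because the refresh token policy on the connected app can make the token expire, in which case `refresh()` fails loudly instead of silently falling back to a password login.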
