{"id":21121623,"url":"https://github.com/piejanssens/sf-oauth","last_synced_at":"2026-04-16T13:00:59.792Z","repository":{"id":95431734,"uuid":"608312492","full_name":"piejanssens/sf-oauth","owner":"piejanssens","description":"OAuth 2.0 SAML Assertion Access Token Generator for SAP SuccessFactors HXM Suite","archived":false,"fork":false,"pushed_at":"2024-07-17T10:27:50.000Z","size":13189,"stargazers_count":6,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-21T18:46:18.307Z","etag":null,"topics":["hxm","oauth2","postman","sap","successfactors"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/sf-oauth","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/piejanssens.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"ko_fi":"pieterjanssens13976"}},"created_at":"2023-03-01T18:59:20.000Z","updated_at":"2025-06-21T07:31:00.000Z","dependencies_parsed_at":"2024-07-17T13:00:57.015Z","dependency_job_id":null,"html_url":"https://github.com/piejanssens/sf-oauth","commit_stats":{"total_commits":15,"total_committers":2,"mean_commits":7.5,"dds":0.06666666666666665,"last_synced_commit":"64c881bb6cf5d87025785bd5fd096d2e6db039ec"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/piejanssens/sf-oauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/piejanssens%2Fsf-oauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/piejanssens%2Fsf-oauth/tags"
,"releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/piejanssens%2Fsf-oauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/piejanssens%2Fsf-oauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/piejanssens","download_url":"https://codeload.github.com/piejanssens/sf-oauth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/piejanssens%2Fsf-oauth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264352903,"owners_count":23594992,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hxm","oauth2","postman","sap","successfactors"],"created_at":"2024-11-20T03:53:07.768Z","updated_at":"2026-04-16T13:00:54.738Z","avatar_url":"https://github.com/piejanssens.png","language":"JavaScript","funding_links":["https://ko-fi.com/pieterjanssens13976","https://ko-fi.com/M4M7694D5"],"categories":[],"sub_categories":[],"readme":"# OAuth 2.0 SAML Assertion Access Token Generator for SAP SuccessFactors HXM Suite\n\nThis utility can generate and validate key pairs, generate SAML assertions accepted by SuccessFactors `/oauth/token` endpoint and integrate with Postman (which lacks support for the OAuth 2.0 SAML bearer assertion flow).\n\nFeatures:\n\n- [OAuth 2.0 SAML Assertion Access Token Generator for SAP SuccessFactors HXM Suite](#oauth-20-saml-assertion-access-token-generator-for-sap-successfactors-hxm-suite)\n  - [Prerequisites](#prerequisites)\n  - [Installation](#installation)\n  - [Usage](#usage)\n    - [Generate a 
new key pair](#generate-a-new-key-pair)\n    - [Create or update the OAuth client in SuccessFactors](#create-or-update-the-oauth-client-in-successfactors)\n    - [Run a web service returning OAuth access tokens](#run-a-web-service-returning-oauth-access-tokens)\n    - [Usage with Postman](#usage-with-postman)\n    - [Generate via CLI](#generate-via-cli)\n      - [Argument Aliases](#argument-aliases)\n    - [Check the OAuth client certificate's validity](#check-the-oauth-client-certificates-validity)\n    - [Learning Only Users](#learning-only-users)\n  - [Contributing](#contributing)\n  - [Sponsorship](#sponsorship)\n\n## Prerequisites\n\n- Install Node.js \u003e= 18\n- Install OpenSSL\n\n## Installation\n\n```shell\n$ npm i -g sf-oauth\n```\n\n## Usage\n\n\u003e ⚠️ Once installed, you can run the command `sf-oauth` from a terminal shell. Either pass the `--dir` argument to specify the directory (to be) containing the PEM files, or run from within that directory.\n\n### Generate a new key pair\n\n```console\n$ sf-oauth --newkeypair\n...\n```\n\nProvide sensible information for the certificate, for example:\n\n\u003e ---\n\u003e\n\u003e Country Name (2 letter code) [AU]:BE\u003cbr\u003e\n\u003e State or Province Name (full name) [Some-State]:Antwerp\u003cbr\u003e\n\u003e Locality Name (eg, city) []:Antwerp\u003cbr\u003e\n\u003e Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example LTD\u003cbr\u003e\n\u003e Organizational Unit Name (eg, section) []:HRT\u003cbr\u003e\n\u003e Common Name (e.g. server FQDN or YOUR name) []:Pieter Janssens\u003cbr\u003e\n\u003e Email Address []:piejanssens@example.com\u003cbr\u003e\n\n### Create or update the OAuth client in SuccessFactors\n\n1. Go to OAuth Clients\n2. Create new or edit an existing client\n3. Provide a descriptive name - e.g. \"Postman Pieter Janssens\"\n4. Copy the contents of `...public.pem`, paste in SF and save\n5. Copy the OAuth client API key (e.g. 
to use as client ID in the Postman configuration)\n\n### Run a web service returning OAuth access tokens\n\nRun the command without any arguments:\n\n```shell\n$ sf-oauth [--port]\nℹ️  PEM files directory is set to /X/Y/Z/SF Secret Keypairs\nℹ️  Check the README.md for instructions on how this can be used in combination with Postman\n🚀 SAML Assertion OAuth access token generator listening on port 3000\n```\n\n| method | path         | purpose                                                                                                                                       | body/query parameters                    |\n| ------ | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |\n| GET    | `/authorize` | requests to supply `userId` via your browser, generates SAML assertion, requests OAuth access token from SF and then returns the access token | `client_id`, `scope`, `state`            |\n| POST   | `/authorize` | immediately generates SAML assertion, requests OAuth access token from SF and then returns the access token                                   | `user_id`, `client_id`, `scope`, `state` |\n\n- `user_id`: SuccessFactors _userId_\n- `client_id`: SuccessFactors OAuth client API key\n- `scope`: SuccessFactors hostname\n- `state`: SuccessFactors _companyId_\n- `redirect_uri`: OAuth callback URL (optional)\n\n\u003e ℹ️ The naming of these parameters might seem strange at first, but this is chosen to align with the parameters being sent in the implicit OAuth flow from Postman.\n\n\u003e ⚠️ If a specific keypair with the name '\u003ccompanyId\u003e-public.pem' and '\u003ccompanyId\u003e-private.pem' is present, this will be used to generate the SAML assertion. 
If not, by default it will use 'public.pem' and 'private.pem'.\n\n### Usage with Postman\n\n![Postman demo](docs/postman_demo.gif)\n\nFor each SF instance, create a separate Postman environment specifying the following variables:\n\n- hostname: hostname of SF API\n- company_id: SF instance ID\n- client_id: SuccessFactors OAuth client API key\n\nIn any collection or folder, set up 'Authorization' to `OAuth 2.0` and configure it as follows:\n\n![Postman config](./docs/postman_config.png)\n\n\u003e **Remember** to select the correct Postman environment prior to requesting a new OAuth access token. As long as the token remains valid you can select different tokens that are held by Postman without the need to generate/request a new one.\n\n### Generate via CLI\n\n```shell\n$ sf-oauth --generate --companyId \u003cSF Company ID\u003e --hostname \u003cSF API hostname\u003e --clientId \u003cOAuth client API key\u003e --userId \u003cuserId\u003e [--ttl \u003cassertion validity in seconds\u003e]\n\nSAML Assertion...\n\nbase64 encoded SAML Assertion\n```\n\nOptional parameters:\n\n- `--ttl`: validity of the assertion in seconds (600 by default)\n- `--validate`: will request a bearer access token and validate it by calling the SF OData API; this requires the argument `--companyId` to be provided as well.\n- `--raw`: will output the base64 encoded string only. This can be used in scripting or piping. For example 🪄 `$ sf-oauth --generate --companyId ... 
--raw | base64 -d`\n\nExample of generating a SAML assertion, requesting an access token with it and finally testing the access token by calling the SuccessFactors OData API:\n\n```shell\n$ sf-oauth --generate --companyId salesDemoXYZ --hostname apisalesdemo2.successfactors.eu --clientId NzNkYzk0NTljMTQ0NWEyOWMxNzUwYjdhOTdkOA --username piejanssens@example.com  --ttl 3600 --validate\nRequesting a SAML Bearer token...\nBearer token received 🎉\n{\n  access_token: 'eyJ0b2tlbkNvbnRlbnQiOnsiYXBpS2V5IjoiTnpOa1l6azBOVGxqTVRRME5XRXlPV014TnpVd1lqZGhPVGRrT0EiLCJzZlByaW5jaXBsZSI6IjEwMzI2NiNESVYjU0ZDUEFSVDAwMDUxMiIsImlzc3VlZEZvciI6InBqX25vZGVqcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE2NDc1MTI0NDU4OTIsImV4cGlyZXNBdCI6MTY0NzU5ODg0NTg5Mn0sInNpZ25hdHVyZSI6IklQSTEvbGh3dGtIeXFQTml0bzNIL05DL3hzSjFSMHBYM3hMOCt0RWlFN29OYnhveFVOc1lUOUlyMnorZlUxN0JEcFc2eWhHU1dPaERHRjJjUTQ3dVZGNHJGLzd2cXRPTlZGbWdvK2NGTDBNSUsxS1Axck1BK29DM0paU1ZOL2RTaWFzWXJUb1BrdnBkZ3BGcHN0U2VYc3lvajFxWTdVL1daSllhbDZzakd4WT0ifQ==',\n  token_type: 'Bearer',\n  expires_in: 85949\n}\nValidating the token...\nToken is valid  🎉\n```\n\n#### Argument Aliases\n\n| alias | argument       |\n| ----- | -------------- |\n| -g    | --generate     |\n| -n    | --newkeypair   |\n| -c    | --clientId     |\n| -u    | --userId       |\n| -i    | --companyId    |\n| -h    | --hostname     |\n| -v    | --validate     |\n| -t    | --ttl          |\n| -p    | --port         |\n| -r    | --raw          |\n| -d    | --dir          |\n| -l    | --learningOnly |\n\n### Check the OAuth client certificate's validity\n\n```shell\n$ sf-oauth --validate [--companyId]\nnotAfter=Mar  6 13:37:03 2032 GMT\n```\n\n### Learning Only Users\n\nThe SuccessFactors Learning OAuth token server is deprecated. Instead, you can use the SuccessFactors Platform token server to generate OAuth tokens even if the user does not exist in Employee Profile or Employee Central, a so-called learning-only user. 
For this use-case, use the `-l` or `--learningOnly` argument.\n\n## Contributing\n\nContributions are more than welcome! Please open an issue or a pull request.\n\nℹ️ To be able to execute the Node CLI commands on your forked source code, run `npm link` from the project root folder.\n\n## Sponsorship\n\n[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/M4M7694D5)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpiejanssens%2Fsf-oauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpiejanssens%2Fsf-oauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpiejanssens%2Fsf-oauth/lists"}