MavensMate: Getting error "client identifier invalid" while authenticating to Salesforce

To those hacking MavensMate's source code to keep it alive: I strongly recommend you migrate to official Salesforce tooling, namely the VS Code extensions for Salesforce.

MavensMate's codebase has not been updated nor has it been audited for security since development ceased in 2017. Since that time, several of its dependencies have received critical security updates including the open source HTTP client MavensMate uses to transport your code to Salesforce servers – this means the version of MavensMate running on your machine has not received these security updates.

Further, earlier this month, one of MavensMate's contributors found a critical security vulnerability in one of MavensMate.app's dependencies that leaves a user's Salesforce credentials vulnerable to attack. Given the project was sunset in 2017, it was deemed safest to disable the Salesforce Connected App MavensMate used to issue OAuth tokens, as well as to deliver a final end-of-life OTA update.

So, once again, please do yourselves a favor and transition to official tooling that is receiving regular updates. This is in your best interest!

-Joe


MavensMate has reached its End Of Life. The connected app that it used to authenticate with Salesforce has been decommissioned, as indicated by the OAuth failure you see.

There is the chance it could be brought back to life if you were to supply a connected app client id to the Node process based on an examination of the core MavensMate package. It accepts an environment variable SFDC_OAUTH_CLIENT_ID, and simply uses the now unavailable client id if none is supplied. As Joe explains above, this puts you and all work done using MavensMate at risk of being maliciously exfiltrated due to a critical issue with the application that will not be patched, plus critical issues in dependencies.

The best choice would be to move to more modern tools like SFDX.


As Joe mentioned above, Mavensmate suffered from a serious CSRF & CORS vulnerability (conceived by @ralph-callaway; confirmed by myself) where any website could make requests against the localhost server. This essentially meant any website you visited could access the auth tokens for your authenticated orgs.

For example, the following script will return the list of authenticated projects (it doesn't get the token, but doing so isn't hard once you have this info):

```js
// As posted: a plain cross-origin GET against the local MavensMate server,
// which answered without checking where the request came from.
fetch("http://localhost:56248/execute?command=list-projects", {
  "credentials": "omit",
  "headers": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
  },
  "referrer": "http://localhost:56248/app/home",
  "referrerPolicy": "no-referrer-when-downgrade",
  "body": null,
  "method": "GET",
  "mode": "cors"
})
```

NOTE: I'm only sharing this now because we have officially killed the client ID and all tokens issued from it.

If you choose to continue using MavensMate (via your own build), then you MUST add CSRF protections and lock down CORS.

However, I'd recommend transitioning to the official Salesforce VS Code extension. I've put together a short guide on how this can be done with the lowest possible lift (IOW, without having to change your file structure).