Agraj

OAuth 2.0 Web Server Flow with HTTPS callback uri

Hi,

 

I've implemented the Salesforce OAuth 2.0 Web Server flow and it works perfectly well with an HTTP callback URI. But when I use an HTTPS callback URI, the page on which the user approves the app to use Salesforce asks for fewer permissions than what is shown for the HTTP URI.

 

The Remote Access Applications setup for both is exactly the same except for the callback URIs (obviously).

 

The page requesting the user to grant access for the HTTP callback URI is asking for 3 permissions (see https://www.dropbox.com/s/62qzsgev3nidw9o/developersalesforce.tiff):

1. Access your basic information

2. Access and manage your data

3. Perform requests on your behalf at any time

 

While the same page for the HTTPS callback URI asks for only the first two options and not the third one (see https://www.dropbox.com/s/w0k92iu42wuudug/securesalesforce.tiff).

 

Because of this, I cannot refresh my access tokens and the request to refresh access token fails.

 

Any insights on this will be highly appreciated.

 

Regards,

Agraj

chuckmortimore

Are you sure you've asked for all 3 scopes in your configuration on the server?

Agraj

Thanks Chuck for the hint.

 

I'm not specifying any scope values while authorizing against Salesforce but the value of scope returned by "developer" and "secure" applications are different and therefore causing the problem. 

 

For developer the value of scope returned is "id api refresh_token"

For secure ( which is not working ) the value of scope is "id api".

 

Why is this so, when the documentation says that the default value of scope would be "id api refresh_token"?

 

What governs the value of scope returned ?

Agraj

Update: I manually added the scope parameter while sending authorization request. The HTTP request looks like

 

"https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id={my_client_id}&redirect_uri=https://{path_to_my_html}&state=myState&scope=id api refresh_token"

 

but the response that I get is

error=invalid_scope&error_description=the%20requested%20scope%20is%20not%20available

What could be the reason that scope=id api refresh_token is treated as an invalid_scope and why it is not available to me?

 

I tried sending scope='id api refresh_token' ..... values of scope within quotes, but that also didn't help and resulted in

 

Unable to Access Page. The value of the "scope" parameter contains a character that is not allowed or the value exceeds the maximum allowed length. Remove the character from the parameter value or reduce the value length and resubmit. If the error still persists, report it to our Customer Support team. Provide the URL of the page you were requesting as well as any other related information. 

 

Any help will be highly appreciated. I'm kinda blocked because of this !!

Agraj

One more thing to note is that I messed up the Subject of this Problem. It should be User-Agent Flow and not Web Server Flow

 

Anybody succeeded with implementing the User-Agent flow with an HTTPS callback URI?

sfdcdev.wordpress.com

Did you find any solution for this ?

chuckmortimore

You should look at the Connected App as it's defined in Setup, and see if the refresh token scope is requested for the app

df02210

It is now three years after the thread starter originally posted the issue here, and I am running into the exact same problem. Wondering if anyone has found a solution.
Siarhei Siryk
Any solution?

Have the same issue with "state" parameter in OAuth2 flow

HTTP 500
Unable to Access Page
The value of the "state" parameter contains a character that is not allowed or the value exceeds the maximum allowed length. Remove the character from the parameter value or reduce the value length and resubmit. If the error still persists, report it to our Customer Support team. Provide the URL of the page you were requesting as well as any other related information. 
salesforce_user123

Getting the same problem as Agraj, still no answers for this?
All scopes are on the salesforce config and my POST. Single token works fine just gives error when the POST asks for a refresh_token
Single token works for API queries etc until it expires

Admin Salesforce 91
Same problem as Agraj... I am going to see about flagging this in some other locations and see if we can drive a bit more traffic
Admin Salesforce 91
https://developer.salesforce.com/docs/atlas.en-us.api_placeorder.meta/api_placeorder/intro_understanding_user_agent_oauth_flow.htm

Under step 3 it reads the following:
refresh_token: Token that can be used in the future to obtain new access tokens.

Warning: This value is a secret. Treat it like the user's password and use appropriate measures to protect it.

The refresh token is only returned if the redirect URI is https://login.salesforce.com/services/oauth2/success or used with a custom protocol that is not HTTPS.
So I have no idea how to proceed but this would explain why it works on localhost.
I attempted to create a server that ran on the HTTP protocol but it wouldn't let me register it because it wasn't HTTPS
This issue isn't resolved, but the last line above does seem to add some information about why it's null.
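Two things in this thread are mechanical rather than mysterious: Agraj's "invalid character in scope" and "invalid character in state" errors come from putting quotes or raw spaces into a query string instead of percent-encoding the value, and the documentation quoted above says a refresh_token is simply not issued to a regular HTTPS redirect URI in the user-agent flow, so a client has to detect that instead of assuming the token is there. The following example is added here and is not code from any poster or from Salesforce; it builds a correctly encoded authorization URL and decodes the redirect the browser comes back with (token fields in the fragment, or an error response like the one quoted in the thread). The client id, redirect URI, and every token value are constructed placeholders; the authorize endpoint is the one shown in the thread.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Endpoint exactly as quoted in the thread; everything else below is constructed.
AUTHORIZE_ENDPOINT = "https://login.salesforce.com/services/oauth2/authorize"
DEFAULT_SCOPES = ("id", "api", "refresh_token")


def new_state() -> str:
    """Random, URL-safe state value (only [A-Za-z0-9_-]).

    A value built from this alphabet never triggers the 'state contains a
    character that is not allowed' error, and it lets the callback be tied
    back to the request that started the flow (CSRF protection)."""
    return secrets.token_urlsafe(24)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        scopes=DEFAULT_SCOPES) -> str:
    """User-agent flow request with every parameter percent-encoded.

    Scopes are space-separated per RFC 6749 section 3.3 and NOT wrapped in
    quotes; urlencode turns the spaces into %20 and the slashes and colon in
    the redirect URI into %2F and %3A."""
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Decode the URL the browser was redirected to after the approval page.

    The user-agent flow returns its result in the fragment (#...), not the
    query string. An error response yields {'ok': False, ...} with the
    decoded error_description; a success yields the token fields plus
    has_refresh_token, which is False when the server chose not to issue one
    (the documented behaviour for a plain HTTPS redirect URI).
    Raises ValueError when the state does not match our request."""
    parts = urlsplit(callback_url)
    fields = {k: v[0] for k, v in parse_qs(parts.fragment or parts.query).items()}

    if "error" in fields:
        return {"ok": False,
                "error": fields["error"],
                "error_description": fields.get("error_description", "")}

    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: callback was not produced by our request")

    # Never log fields['refresh_token']: the docs quoted above call it a secret.
    return {
        "ok": True,
        "access_token": fields.get("access_token"),
        "instance_url": fields.get("instance_url"),
        "has_refresh_token": "refresh_token" in fields,
        "scope": fields.get("scope", "").split(),
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER",
                              "https://example.invalid/callback", state))
```

With a correctly encoded request the scope parameter arrives at the server as `id%20api%20refresh_token`, which is what Agraj was trying to send by hand. The `has_refresh_token` flag is the check that was missing in the thread: a client that reads it can fall back to re-running the authorization when the access token expires, instead of failing on a refresh request it was never granted.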