Jeff Douglas (Personal)

OAuth Dance Randomly Failing with "client identifier invalid"

We are using the Databasedotcom Ruby gem (essentially a REST wrapper) to authenticate to Salesforce. The OAuth dance is randomly failing (1 out of 25 attempts) with the following message:

 

client identifier invalid

 

The code is almost boilerplate code for authentication:

 

def self.authenticate(username, password)
  # Client settings (host, consumer key and secret) come from config/databasedotcom.yml
  config = YAML.load_file(File.join(::Rails.root, 'config', 'databasedotcom.yml'))
  client = Databasedotcom::Client.new(config)
  begin
    access_token = client.authenticate :username => username, :password => password
    {:success => 'true', :message => 'Successful sfdc login.', :access_token => access_token}
  rescue StandardError => exc
    # StandardError rather than Exception, so interrupts and system exits still propagate
    {:success => 'false', :message => exc.message}
  end
end

 

Any ideas what could be causing it to fail randomly?

 

Thanks

 

Jeff Douglas

Appirio & CloudSpokes

http://blog.jeffdouglas.com

 

 

Jeff Douglas (Personal)

Fixed the issue! For the host URL, instead of using login.salesforce.com, use the actual pod. Something like na7.salesforce.com. 

 

Jeff Douglas

Appirio & CloudSpokes

http://blog.jeffdouglas.com

LVS
Jeff, I came here from your blog. Shouldn't you mark your own answer as solution? LVS
wwu

What you're describing sounds like this known issue for username/passwords oauth logins http://success.salesforce.com/issues_view?id=a1p30000000SbdPAAS.  Do you know if for a single failing user, the login fails every time?  Let me know if you've got a way to consistently reproduce the issue (we have a potential fix in the works for the known issue).

asdfasdfasdfasdfasdfasdfasdf

Thanks for the reply. The problem lingered on our site for a couple of weeks as I could not consistently reproduce the issue nor would it fail for the same users. I would just see it show up in our log files randomly and had a hard time tracking it down.

 

Sorry I couldn't provide more info.

 

Thanks

 

Jeff Douglas

Appirio & CloudSpokes

http://blog.jeffdouglas.com

SaraHasNoLimits
Just FYI for anyone that might be reading this and having this same error. The error can also be reproduced (not randomly, but all the time) if you accidentally get the consumer key wrong. For example, I got the same error when the consumer key I was using was missing one single digit at the end of the long string (which I did not spot immediately). If you get this error, you might want to also check to make sure your consumer key and secret are indeed correct.
cheddar cheese
Why is this an issue 6 years later?  All the prescriptions found don't work.

curl --insecure -v -c ./cookies.txt -d "grant_type=password" -d "client_secret=aGoodSecret" -d "username=cheddar.cheese@swansong.com" -d "password=aGoodSecretTheSecretToken" https://login.salesforce.com/services/oauth2/token

curl --insecure -v -c ./cookies.txt -d "grant_type=password" -d "client_secret=aGoodSecret" -d "username=cheddar.cheese@swansong.com" -d "password=aGoodSecretTheSecretToken" https://myInstance.salesforce.com/services/oauth2/token

*   Trying 136.147.40.44...
* TCP_NODELAY set
* Connected to login.salesforce.com (136.147.40.44) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=salesforce.com, inc.; OU=InfraSec; CN=login.salesforce.com
*  start date: Dec 15 00:00:00 2017 GMT
*  expire date: Dec 14 12:00:00 2020 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /services/oauth2/token HTTP/1.1
> Host: login.salesforce.com
> User-Agent: curl/7.61.1
> Accept: */*
> Content-Length: 126
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 126 out of 126 bytes
< HTTP/1.1 400 Bad Request
< Date: Tue, 13 Nov 2018 18:21:43 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: upgrade-insecure-requests
< Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
* Added cookie BrowserId="I5x6kqAhRuGiRg6AxPsf4A" for domain salesforce.com, path /, expire 1547317303
< Set-Cookie: BrowserId=I5x6kqAhRuGiRg6AxPsf4A;Path=/;Domain=.salesforce.com;Expires=Sat, 12-Jan-2019 18:21:43 GMT;Max-Age=5184000
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-ReadOnlyMode: false
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
<
{"error":"invalid_client_id","error_description":"client identifier invalid"}* Connection #0 to host login.salesforce.com left intact
 
Linked2Mark
I have checked the Consumer Key and Consumer Secret character for character and they are correct. I have also changed the login url to the instance url. Yet I am showing the same error. Pretty frustrating.
Sahira Espinal 4
For me it worked with the https://login.salesforce.com/services/oauth2/token URI. Follow the steps on this video and make sure you are not missing anything. 

https://www.youtube.com/watch?v=n73zJ6hC0No

Hope it helps!
Tim Moore 39
I think that https://login.salesforce.com/services/oauth2/token works for production but if you are connecting a Sandbox you'll need to copy the start of the URL on the login page of your sandbox like what 'Jeff Douglas' has suggested (na7.salesforce.com). Thanks Jeff, your advice fixed my 'client identifier invalid' error.
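
Added example (not code from any poster or from the Databasedotcom gem): a Ruby preflight check for the username-password token request discussed in this thread, plus a mapping of the `invalid_client_id` response to the causes posters reported (consumer key, login host). The helper names and sample values are assumptions constructed for illustration; the sample body carries the same parameter set as the curl commands shown above, which include no `client_id`.

```ruby
require 'json'
require 'uri'

# Body parameters the username-password grant expects.
REQUIRED_PARAMS = %w[grant_type client_id client_secret username password].freeze
TOKEN_PATH = '/services/oauth2/token'

# Hypothetical helper: lists problems in a form-encoded token request
# before it is sent. Returns an empty array when nothing is flagged.
def preflight_token_request(body, token_url)
  params = URI.decode_www_form(body).to_h
  problems = []
  missing = REQUIRED_PARAMS - params.keys
  problems << "missing parameters: #{missing.join(', ')}" unless missing.empty?
  params.each do |key, value|
    if value.strip.empty?
      problems << "#{key} is empty"
    elsif value != value.strip
      problems << "#{key} has leading/trailing whitespace"
    end
  end
  uri = URI.parse(token_url)
  problems << 'token URL must use https' unless uri.scheme == 'https'
  problems << "token URL path is not #{TOKEN_PATH}" unless uri.path == TOKEN_PATH
  problems
end

# Hypothetical helper: maps the JSON body of a 400 response to what to check.
def explain_token_error(response_body)
  err = JSON.parse(response_body)
  if err['error'] == 'invalid_client_id'
    'check client_id: present, identical to the consumer key, and sent to ' \
      'the login host of the org being connected (production, pod or sandbox)'
  else
    "#{err['error']}: #{err['error_description']}"
  end
rescue JSON::ParserError
  'response body was not JSON'
end

# Constructed sample input: same parameter set as the curl commands in the thread.
SAMPLE_BODY = 'grant_type=password&client_secret=s3cret' \
              '&username=user%40example.com&password=pwTOKEN'
SAMPLE_URL = 'https://login.salesforce.com/services/oauth2/token'
puts preflight_token_request(SAMPLE_BODY, SAMPLE_URL)
```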