These links should help:
https://www.salesforce.com/us/developer/docs/api_rest/Content/intro_understanding_refresh_token_oauth.htm
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en_US
If this answers your question, please mark this as the Best Answer for this post, so that others can benefit from this post.
Thanks,
Shashank
Please go through the H&T links which have code snippets for the REST calls you should be making to get token:
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en_US
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en_US#request_access_token
Hi,
I know how to get new token if I have refresh token. My question is how to get that Refresh token itself.
Here is my request to get Access token in Second leg of the OAuth flow.
https://ap1.salesforce.com/services/oauth2/token?grant_type=authorization_code&code=aPrxaSyVmC8fBbfiEh0kIEVeRv1bZwol2GuRDNNyCFuY1.PgexBwrk1U2WcCQdzJoGSOG5gNKA%3D%3D&client_id=3MVG9Y6d_Btp4xp47CfwnPpxROveMOmYsD6CUgWuJJt6UGx1sxWv2zDy60F2TdLWpdhNt455Wo99SA3L8_gto&client_secret=5550999784070812948&redirect_uri=https://localhost/,myaplication/index.jsp
For this request I am getting response as below, which doesn't have Refresh Token value.
*{"id":"https://login.salesforce.com/id/00D90000000o9vAEAQ/00590000001fLYkAAM
","issued_at":"1409011317682","scope":"full","instance_url":"https://ap1.salesforce.com
","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjE5MCJ9.eyJleHAiOjE0MDkwMTE0MzcsInN1YiI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vaWQvMDBEOTAwMDAwMDBvOXZBRUFRLzAwNTkwMDAwMDAxZkxZa0FBTSIsImF0X2hhc2giOiJfWEt5T2k0WnVwc2ZYbjJxeENYeHBnIiwiYXVkIjoiM01WRzlZNmRfQnRwNHhwNDdDZnduUHB4Uk92ZU1PbVlzRDZDVWdXdUpKdDZVR3gxc3hXdjJ6RHk2MEYyVGRMV3BkaE50NDU1V285OVNBM0w4X2d0byIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20iLCJpYXQiOjE0MDkwMTEzMTd9.kar9k08q7wkFmYYhPg9DiLd4AHSFYdKYJWPRYL1Sgun0ALiKOsMSNzOo-oKIU21ihNCs4xGocEMRIoP5g58l1sv5-x1NFnfNH_bfLy5zPxTGUBK-DzJT-nDQAitJxSxBzTH3oH_FUrkJWLfkZDUXvxEofrkfgQXHfzoTS9xA1VbM0vLeIZiPE2P7L4bVgw1L4sG5wbmgJNNRCC66usxTOXvXdJnfxhfa0UdHMsEExJv_BitH9SY6C0tZm10dJhR3180RrPl8cDZ5SbjXWmgZEbS9oq-W_bLbHCMf0tJL4TggdEFij22fQXk1WL2AiT5YLxmZphTk20Zf_B5FfB71ssUZ0RpfWw7cMoRTqqOWXsKyaifA-XlLlIxRIDPMvg0NdF4zJdfdZcHOvcN15eVq1_P0itfDMWpUDJ0tGfwYigA8rrv_QnBSPpexNu-joBrWNMnntB9KjvBonOggZVak3Ff0i9AINxKul4ajkIrYiO6fSlujhmg4jps8tUuaqaYonbpoET4clqkJ1UwcudQGS7I7Rr0U0jIdb8qszcpWCL-iUrG8tELCScrtTsSJrq_6PvNpl1NyHPjfBgLfDRhFkYEQ5ikLjEf3UCxPt6foz98se8gHEBeKuUR2ARw6z-pPMiXdmRFAAL8RZoQdV5pgEo0l5Wyu0O1N3YgRrGMpLzo","signature":"ZukbuG6QW4Mn3OXJ4KemiCM6ePYDaNVKPMEgfwqHDCs=","access_token":"00D90000000o9vA!AQIAQCW1AOUaJc8OYP985KMoNesMkA_hwtTjrD8KCb84_vc.fNWz8rKZDur.RFbu6Al5QNYnrtnc4ZFjqdacHjC0ADDpzgIa"}*
So, let me know in which call I get initial Refresh token which can be used to generate access token when session is expired.
Thanks,
Mallesh.
You seem to be using the user-agent flow for OAuth (https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_user_agent_flow.htm&language=en_US). I've gone through the parameters you have got in response and it looks like the scope you have selected is Full; however, when I went through the doc, it says the following:
The refresh token for the user-agent flow is only issued if you requested scope=refresh_token and one of the following circumstances is true:
The redirect URL uses a custom protocol.
The redirect URL is exactly https://login.salesforce.com/services/oauth2/success, or on a sandbox, https://test.salesforce.com/services/oauth2/success.
Can you have the scope set to refresh_token and see if that works?
Answer to your question: How to get that Refresh token itself?
You get refresh token when you receive access token. Both access token and refresh token are received together. In Salesforce integration you cannot get refresh token alone. And set scope to "offline" also in connected app.
Sonam, offline doesn't seem to be documented in that page I referenced above. I used api web id refresh_token ... Is this approximately correct for an external web app service?
"You get refresh token when you receive access token. Both access token and refresh token are received together. In Salesforce integration you cannot get refresh token alone. And set scope to "offline" also in connected app."
I've freshly configured a new connected app. Now I need a refresh token. You say I'm supposed to get the access token and refresh token together. How do I get these? Could you give me simple steps from scratch? You're not exactly answering the question. It's turning out to be a hen first or egg first kind of affair.
This is a complete chicken and egg conversation. It would be much simpler if SalesForce created the first refreshToken when the connected app was created and the below policy was set and saved (or had a button on the manage connected app that gives them a refreshToken). Expecting a client, who may not be technically savvy, to magically get a refreshToken (using code) to hand off to a third party for API connectivity seems a little much. Also, as a developer of a third party wishing to input data for 1-n client(s) using a RESTful API behind a firewall, I do not want their username nor password.
Refresh Token Policy:Refresh token is valid until revoked.
I've been playing with auth and trying to get a refresh token. I got username/password to work but the sentence in the doc "The Web server OAuth authentication flow and user-agent flow both provide a refresh token that can be used to obtain a new access token.” implies that only those types of flows, not username/password provide refresh token. I've been playing around with this request--
client_id:xyzzyg9rbsTkKnAUNPxvJNeDie.vUg87NuTTB.SAwQBUkFfw3_vXwR0LD3jeWm1GUUX9COwnESvMOYcF4Z8j2
response_type:token
redirect_uri:https://timetrade.com/whatIsTheURL
scope:id web
That gives me an HTML page from which I can follow a URL to logging in to SF and then redirects and I can see the parameters in the URL (even though the page does not exist)--
I created my own token retrieval site for our API. If you need just a one-off deal you can use it to get a token. https://uat.sfapi.rmenet.com. The site has some documents on how to go about setting up a connected app and information on OAuth2. Like others have said it took lots of research through code and documents.
If this helps, you have to ensure that under Connected Apps->Manage Connected Apps, you edit the App first and make sure that the "API (Enable OAuth Settings)" has the "Selected OAuth Scopes" set correctly with "Perform requests on your behalf at any time (refresh_token, offline_access)". Once I saved this setting, I started getting the refresh_token back in the response for the request endpoint /oauth/token
Hi Sonam,
I tried as you said to append the 'https://test.salesforce.com/services/oauth2/success' but it showed me the error 'error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration'.
Will you please help to resolve this?
I am writing a console tool to be deployed as a Windows service or scheduled by task scheduler. I got a refresh token using these steps and tools and I hope this helps people who just want the refresh token.
I got inspired by the instructions here: "https://trailhead.salesforce.com/content/learn/projects/build-a-connected-app-for-api-integration/implement-the-oauth-20-web-server-authentication-flow".
Is this safe? SF says it's safe.
From the above page: "Paste your connected app’s consumer secret. (The OpenID Connect Playground uses POST to submit information, meaning your client secret is not logged.)"
1. Set up a connected app
- with api auth enabled,
- Selected scope: Perform requests on your behalf at any time (refresh_token, offline_access)
- Callback URL: https://openidconnect.herokuapp.com/callback (this is temporary, you should remove it after the refresh token is obtained.)
- IP Relaxation: Relax IP restrictions
- Refresh Token Policy: Refresh token is valid until revoked
- selected Web app, user agent flows
2. Open "https://openidconnect.herokuapp.com/" in an incognito or Private browser window.
Type in client_id, client_secret
Host is: https://login.salesforce.com
The redirect url is read-only on the page. Check it's the same as the one you set in your connected app.
3. Press "Next"
You'll be prompted to log in to your SF account and asked to grant access. Do that.
You'll get an auth code, auto filled on the page.
4. Press "Next" for the tokens.
Find the response on the right hand side of the page. Refresh token should be there. Keep it like a secret/password
5. Test the tokens:
Access token test: expect a list of urls
curl https://aquatics.my.salesforce.com/services/data/v52.0/ -H "Authorization: Bearer <your_access_token>" -H "X-PrettyPrint:1"
Refresh token test: you should get a new/current access token
curl -X POST "https://login.salesforce.com/services/oauth2/token" \
  -d "grant_type=refresh_token" \
  -d "client_id=<your_clientid>" \
  -d "client_secret=<your_client_secret>" \
  -d "refresh_token=<your_refresh_token>"
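Added example, not part of the thread or of Salesforce's documentation: the recurring problem above (a token response with scope "full" and no refresh_token) shown as the two legs of the web server flow plus a check on the token response. Function names, the callback URL and the sample responses are constructed placeholders.

```python
import json
import secrets
from urllib.parse import urlencode

LOGIN_HOST = "https://login.salesforce.com"  # https://test.salesforce.com for a sandbox
REFRESH_SCOPES = {"refresh_token", "offline_access"}

def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """First leg of the web server flow: the URL the user's browser opens."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the connected app's callback URL
        "scope": " ".join(scopes),     # include refresh_token to be issued one
        "state": state or secrets.token_urlsafe(16),  # verify on the callback
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Second leg: (url, form_body). Secrets travel in the POST body, not the URL."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })
    return f"{LOGIN_HOST}/services/oauth2/token", body

def diagnose_token_response(raw_json):
    """Say why a token response does or does not carry a refresh token."""
    resp = json.loads(raw_json)
    granted = set(resp.get("scope", "").split())
    if "refresh_token" in resp:
        return "ok: refresh_token issued; store it like a password"
    if not granted & REFRESH_SCOPES:
        return ("missing: granted scope %r lacks refresh_token/offline_access; add it "
                "to the connected app and to the authorize request" % resp.get("scope", ""))
    return "missing: scope granted; check the refresh token policy and the flow used"

# Constructed sample responses with placeholder tokens.
SAMPLE_FULL = '{"scope": "full", "token_type": "Bearer", "access_token": "<access_token>"}'
SAMPLE_OK = ('{"scope": "api refresh_token", "token_type": "Bearer", '
             '"access_token": "<access_token>", "refresh_token": "<refresh_token>"}')

if __name__ == "__main__":
    print(build_authorize_url("<client_id>", "https://localhost/callback", ["api", "refresh_token"]))
    print(diagnose_token_response(SAMPLE_FULL))
```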
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_scopes.htm&language=en_US
You have to request these in the URI. In addition, in your connected app you must assign these scopes in the admin, or you'll get a not allowed.
That gives me an HTML page from which I can follow a URL to logging in to SF and then redirects and I can see the parameters in the URL (even though the page does not exist)--
But when I try to use the scope parameter to get a refresh token--
I get this error--
I have the refresh token policy set to -- Refresh token is valid until revoked.
I have set the Selected OAuth Scopes to include the refresh_token scope.
Any idea why it does not like the scope:refresh_token parameter?
First request-- That will give you an HTML page with a login to SF. When you use the URL in that page to login and grant access to the app, it redirects to -- With that code you do another request-- %3D translated to =
That will return--
Please note that all the codes, keys, etc. in the above have been obfuscated by replacing several characters with xyzzy.