Mallesh G

How to get Refresh Token

Hi There,
Let me know how to get Refresh token as part of OAuth web server flow using REST API.

Thanks,
Mallesh.
ShashForce
Hi Mallesh,

These links should help:
https://www.salesforce.com/us/developer/docs/api_rest/Content/intro_understanding_refresh_token_oauth.htm
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en_US

If this answers your question, please mark this as the Best Answer for this post, so that others can benefit from this post.

Thanks,
Shashank
Sonam_SFDC
Mallesh,

Pls go through the H&T links which have code snippets for the REST calls you should be making to get token:
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en_US
https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_refresh_token_flow.htm&language=en_US#request_access_token
Mallesh G
Hi,

I know how to get new token if I have refresh token. My question is how to get that Refresh token itself. Here is my request to get Access token in Second leg of the OAuth flow.

https://ap1.salesforce.com/services/oauth2/token?grant_type=authorization_code&code=aPrxaSyVmC8fBbfiEh0kIEVeRv1bZwol2GuRDNNyCFuY1.PgexBwrk1U2WcCQdzJoGSOG5gNKA%3D%3D&client_id=3MVG9Y6d_Btp4xp47CfwnPpxROveMOmYsD6CUgWuJJt6UGx1sxWv2zDy60F2TdLWpdhNt455Wo99SA3L8_gto&client_secret=5550999784070812948&redirect_uri=https://localhost/,myaplication/index.jsp

For this request I am getting response as below, which doesn't have Refresh Token value.

{"id":"https://login.salesforce.com/id/00D90000000o9vAEAQ/00590000001fLYkAAM ","issued_at":"1409011317682","scope":"full","instance_url":"https://ap1.salesforce.com ","token_type":"Bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjE5MCJ9.eyJleHAiOjE0MDkwMTE0MzcsInN1YiI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vaWQvMDBEOTAwMDAwMDBvOXZBRUFRLzAwNTkwMDAwMDAxZkxZa0FBTSIsImF0X2hhc2giOiJfWEt5T2k0WnVwc2ZYbjJxeENYeHBnIiwiYXVkIjoiM01WRzlZNmRfQnRwNHhwNDdDZnduUHB4Uk92ZU1PbVlzRDZDVWdXdUpKdDZVR3gxc3hXdjJ6RHk2MEYyVGRMV3BkaE50NDU1V285OVNBM0w4X2d0byIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20iLCJpYXQiOjE0MDkwMTEzMTd9.kar9k08q7wkFmYYhPg9DiLd4AHSFYdKYJWPRYL1Sgun0ALiKOsMSNzOo-oKIU21ihNCs4xGocEMRIoP5g58l1sv5-x1NFnfNH_bfLy5zPxTGUBK-DzJT-nDQAitJxSxBzTH3oH_FUrkJWLfkZDUXvxEofrkfgQXHfzoTS9xA1VbM0vLeIZiPE2P7L4bVgw1L4sG5wbmgJNNRCC66usxTOXvXdJnfxhfa0UdHMsEExJv_BitH9SY6C0tZm10dJhR3180RrPl8cDZ5SbjXWmgZEbS9oq-W_bLbHCMf0tJL4TggdEFij22fQXk1WL2AiT5YLxmZphTk20Zf_B5FfB71ssUZ0RpfWw7cMoRTqqOWXsKyaifA-XlLlIxRIDPMvg0NdF4zJdfdZcHOvcN15eVq1_P0itfDMWpUDJ0tGfwYigA8rrv_QnBSPpexNu-joBrWNMnntB9KjvBonOggZVak3Ff0i9AINxKul4ajkIrYiO6fSlujhmg4jps8tUuaqaYonbpoET4clqkJ1UwcudQGS7I7Rr0U0jIdb8qszcpWCL-iUrG8tELCScrtTsSJrq_6PvNpl1NyHPjfBgLfDRhFkYEQ5ikLjEf3UCxPt6foz98se8gHEBeKuUR2ARw6z-pPMiXdmRFAAL8RZoQdV5pgEo0l5Wyu0O1N3YgRrGMpLzo","signature":"ZukbuG6QW4Mn3OXJ4KemiCM6ePYDaNVKPMEgfwqHDCs=","access_token":"00D90000000o9vA!AQIAQCW1AOUaJc8OYP985KMoNesMkA_hwtTjrD8KCb84_vc.fNWz8rKZDur.RFbu6Al5QNYnrtnc4ZFjqdacHjC0ADDpzgIa"}

So, let me know in which call I get initial Refresh token which can be used to generate access token when session is expired.

Thanks,
Mallesh.
Sonam_SFDC
Mallesh,

You seem to be using the user-agent flow for OAuth (https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_user_agent_flow.htm&language=en_US). I've gone through the parameters you have got in response and it looks like the scope you have selected is Full; however, when I went through the doc, it says the following:

The refresh token for the user-agent flow is only issued if you requested scope=refresh_token and one of the following circumstances is true:
The redirect URL uses a custom protocol.
The redirect URL is exactly https://login.salesforce.com/services/oauth2/success, or on a sandbox, https://test.salesforce.com/services/oauth2/success.

Can you have the scope set to refresh_token and see if that works?
Ashwani
Mallesh,

Answer to your question: How to get that Refresh token itself?

You get refresh token when you receive access token. Both access token and refresh token are received together. In Salesforce integration you can not get refresh token alone. And set scope to "offline" also in connected app.
Michael Bell
On the off chance you are a n00b like me, I had the same issue.

https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_scopes.htm&language=en_US

You have to request these in the URI. In addition, in your connected app you must assign these scopes in the admin, or you'll get a not allowed.
Michael Bell
Sonam, offline doesn't seem to be documented in that page I referenced above. I used api web id refresh_token ... Is this approximately correct for an external web app service?
TrustAssessments User
I don't get this: @Ashwani.

"You get refresh token when you receive access token. Both access token and refresh token received together. In salesforce integration you can not get refresh token alone. And set scope to "offline" also in connected app"

I've freshly configured a new connected app. Now I need a refresh token. You say I'm supposed to get the access token and refresh token together. How do I get these? Could you give me simple steps from scratch? You're not exactly answering the question. It's turning out to be the hen first or egg first kinda affair.
Raymond LaTulippe
This is a complete chicken and egg conversation. It would be much simpler if SalesForce created the first refreshToken when the connected app was created and the below policy was set and saved (or had a button on the manage connected app that gives them a refreshToken). Expecting a client, who may not be technically savvy, to magically get a refreshToken (using code) to hand off to a third party for API connectivity seems a little much. Also, as a developer of a third party wishing to input data for 1-n client(s) using a restful API behind a firewall, I do not want their username nor password.
  1. Refresh Token Policy: Refresh token is valid until revoked.
Ken Koellner @ Engageware
I've been playing with auth and trying to get a refresh token. I got username/password to work but the sentence in the doc "The Web server OAuth authentication flow and user-agent flow both provide a refresh token that can be used to obtain a new access token." implies that only those types of flows, not username/password, provide a refresh token. I've been playing around with this request--
 
https://login.salesforce.com/services/oauth2/authorize
 
client_id:xyzzyg9rbsTkKnAUNPxvJNeDie.vUg87NuTTB.SAwQBUkFfw3_vXwR0LD3jeWm1GUUX9COwnESvMOYcF4Z8j2
response_type:token
redirect_uri:https://timetrade.com/whatIsTheURL
scope:id web

That gives me an HTML page from which I can follow a URL to log in to SF, and then it redirects and I can see the parameters in the URL (even though the page does not exist)--
https://www.timetrade.com/whatIsTheURL#access_token=00D1I00000046ll%21ARMAQNe44jRF4BjJ1706GHd.uA_8lbBeT9gTAyTfp_cdJSKrPI.iBcQ9OI2i_How1iup7WTQE8dzuyiX78GB7nnst1ePGxQp&instance_url=https%3A%2F%2Fttkkcatdev-dev-ed.my.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00D1I00000046llUAA%2F0051I000000hAq6QAE&issued_at=1532637972363&signature=QwA7DqZuMWwm6TkxVdKuh6Usrve3PNF73a5jLNVMZY0%3D&scope=api+web+full&token_type=Bearer

But when I try to use the scope parameter to get a refresh token--
client_id:3MVG9g9rbsTkKnAUNPxvJNeDie.vUg87NuTTB.SAwQBUkFfw3_vXwR0LD3jeWm1GUUX9COwnESvMOYcF4Z8j2
response_type:token
redirect_uri:https://timetrade.com/whatIsTheURL
scope:refresh_token


I get this error--
error=invalid_scope&error_description=the%20requested%20scope%20is%20not%20available


I have the refresh token policy set to -- Refresh token is valid until revoked.

I have set the Selected OAuth Scopes to include the refresh_token scope.

Any idea why it does not like the scope:refresh_token parameter?
Ken Koellner @ Engageware
I did get it to work by just hitting more docs and trying more stuff.

First request--
https://login.salesforce.com/services/oauth2/authorize
client_id:xyzzyg9rbsTkKnAUNPxvJNeDie.vUg87NuTTB.SAwQBUkFfw3_vXwR0LD3jeWm1GUUX9COwnESvMOYcF4Z8j2
response_type:code
redirect_uri:https://timetrade.com/whatIsTheURL
scope:refresh_token
That will give you an HTML page with a login to SF.  When you use the URL in that page to login and grant access to the app, it redirects to --
https://www.timetrade.com/whatIsTheURL?code=xyzzybOND3gL_2LanWKqJr2UGrUxYj_QyF0wyEv6_uVXY5wxc6qAXFovCO1C_.6H3wui9y4dBLQ%3D%3D
With that code you do another request--
https://login.salesforce.com/services/oauth2/token
client_id:xyzzyg9rbsTkKnAUNPxvJNeDie.vUg87NuTTB.SAwQBUkFfw3_vXwR0LD3jeWm1GUUX9COwnESvMOYcF4Z8j2
grant_type:authorization_code
redirect_uri:https://timetrade.com/whatIsTheURL
client_secret:xyzzy53467474526263
code:xyzzybOND3gL_2LanWKqJr2UGrUxYj_QyF0wyEv6_uVXY5wxc6qAXFovCO1C_.6H3wui9y4dBLQ==
%3D translated to =
That will return--
{
    "access_token": "xyzzyI00000046ll!ARMAQLJQnFOduGakfOPiuxCXSGr4jPK7RAMvJf79eHmazSi5aTK2F0CUafgClw.vJ_j_29kQDHn1z7EjJdlAQEON_qiMzEL7",
    "refresh_token": "xyzzy1hJJeETRTRP.QYd3Mbpt2P8_VFHWV3gHGnIXdELcjiQe_.IERkQHLUQaRH_Yjw_GlgsCtlD8sj72YuneL",
    "signature": "JTpuGvoRuLxCFgWeVGvAUR9zNwFUCzGYPxfYnK1l3/U=",
    "scope": "refresh_token",
    "instance_url": "https://ttkkcatdev-dev-ed.my.salesforce.com",
    "id": "https://login.salesforce.com/id/00D1I00000046llUAA/0051I000000hAq6QAE",
    "token_type": "Bearer",
    "issued_at": "1532639189188"
}


Please note that all the codes, keys, etc. in the above have been obfuscated by replacing several characters with xyzzy.
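
The web server flow described in the post above, as an added example that is not part of the original post: it builds the authorize URL, reads the code from the redirect, and prepares the token exchange with the client secret in the POST body. The `state` parameter, the function names and the sample values are assumptions added here; nothing is sent over the network.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

LOGIN_HOST = "https://login.salesforce.com"  # host used in the post above

def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: response_type=code selects the web server flow."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the connected app's callback URL
        "scope": "refresh_token",
        "state": state,                 # assumption: anti-CSRF value, not in the post
    })
    return f"{LOGIN_HOST}/services/oauth2/authorize?{query}"

def extract_code(callback_url, expected_state):
    """Step 2: read the one-time code; parse_qs turns %3D back into =."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch, discard this callback")
    return params["code"][0]

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: exchange the code; the secret travels in the POST body, not the URL."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode()
    return Request(f"{LOGIN_HOST}/services/oauth2/token", data=body, method="POST")

def parse_token_response(raw_json):
    """Step 4: fail loudly if the response carries no refresh token."""
    tokens = json.loads(raw_json)
    if "refresh_token" not in tokens:
        raise LookupError(f"no refresh_token; granted scope: {tokens.get('scope')!r}")
    return tokens["access_token"], tokens["refresh_token"]

# Constructed sample values (placeholders, not real credentials)
SAMPLE_CALLBACK = "https://app.example/callback?code=CONSTRUCTED.code%3D%3D&state=s-123"
SAMPLE_RESPONSE = '{"access_token": "AT-constructed", "refresh_token": "RT-constructed", "scope": "refresh_token"}'
```

To send the exchange, pass the object from `build_token_request` to `urllib.request.urlopen` and feed the response body to `parse_token_response`.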



 
Raymond LaTulippe
I created my own token retrieval site for our API. If you need just a one-off deal you can use it to get a token. https://uat.sfapi.rmenet.com. The site has some documents on how to go about setting up a connected app and information on OAuth2. Like others have said it took lots of research through code and documents.
Yash Chandra 9
If this helps, you have to ensure that under Connected Apps->Manage Connected Apps, you edit the App first and make sure that the "API (Enable OAuth Settings)" has the "Selected OAuth Scopes" set correctly with "Perform requests on your behalf at any time (refresh_token, offline_access)". Once I saved this setting, I started getting the refresh_token back in the response for the request endpoint /oauth/token
Dhiraj Bhujbal
Hi Sonam,

I tried as you said to append the 'https://test.salesforce.com/services/oauth2/success' but it showed me the error 'error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration'.
Will you please help to resolve this?
Bill Chen
I am writing a console tool to be deployed as a Windows service or scheduled by task scheduler.
I got a refresh token using these steps and tools and I hope this helps people who just want the refresh token.
I got inspired by the instructions here: "https://trailhead.salesforce.com/content/learn/projects/build-a-connected-app-for-api-integration/implement-the-oauth-20-web-server-authentication-flow".
Is this safe? SF says it's safe.
    From the above page: "Paste your connected app’s consumer secret. (The OpenID Connect Playground uses POST to submit information, meaning your client secret is not logged.)" 
1. Set up a connected app
    - with api auth enabled,  
    - Selected scope: Perform requests on your behalf at any time (refresh_token, offline_access)
    - Callback URL: https://openidconnect.herokuapp.com/callback (this is temporary, you should remove it after the refresh token is obtained.) 
    - IP Relaxation: Relax IP restrictions
    - Refresh Token Policy:Refresh token is valid until revoked
    - selected Web app, user agent flows
2. Open "https://openidconnect.herokuapp.com/" in an incognito or Private browser window.
    Type in client_id, client_secret
    Host is: https://login.salesforce.com
    The redirect url is read-only on the page. Check it's the same as the one you set in your connected app.
3. Press "Next"
    You'll be prompted to log in to your SF account and asked to grant access. Do that.
    You'll get an auth code, auto filled on the page.
4. Press "Next" for the tokens.
    Find the response from the right hand side of the page. Refresh token should be there. Keep it like a secret/password
5. Test the tokens:
   Access token test: expect a list of urls
 curl https://aquatics.my.salesforce.com/services/data/v52.0/ -H "Authorization: Bearer <your_access_token>" -H "X-PrettyPrint:1"
   Refresh token test: you should get a new/current access token
 curl -X POST  "https://login.salesforce.com/services/oauth2/token?grant_type=refresh_token&client_id=<your_clientid>&client_secret=<your_client_secret>&refresh_token=<your_refresh_token>"
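
The refresh test in step 5, like the token request posted earlier in the thread, carries client_secret and refresh_token in the URL query string, where shell history, proxies and server access logs can record them. An added example, not part of the original post, that moves those parameters into a form-encoded POST body and masks credentials in URLs before they are logged; the function names and sample values are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request

# Parameter names from this thread that act as credentials
SENSITIVE = {"client_secret", "refresh_token", "access_token", "code"}

def to_post_request(token_url):
    """Move all query parameters into a form-encoded POST body.

    Returns the request plus the sensitive names that were exposed in the URL.
    """
    parts = urlsplit(token_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    exposed = sorted({name for name, _ in params if name in SENSITIVE})
    endpoint = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return Request(endpoint, data=urlencode(params).encode(), method="POST"), exposed

def redact_url(url):
    """Mask credential values in the query and in the fragment (user-agent flow
    redirects carry access_token after '#') before the URL is logged."""
    parts = urlsplit(url)

    def mask(component):
        pairs = parse_qsl(component, keep_blank_values=True)
        return urlencode([(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs])

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       mask(parts.query), mask(parts.fragment)))

# Constructed sample in the shape of the step 5 refresh test (placeholder values)
SAMPLE_REFRESH_URL = ("https://login.salesforce.com/services/oauth2/token"
                      "?grant_type=refresh_token&client_id=CID-constructed"
                      "&client_secret=SECRET-constructed&refresh_token=RT-constructed")
```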