• Jared Gholston
  • NEWBIE
  • 0 Points
  • Member since 2017

I wanted to reduce our list of selected OAuth scopes to the ones we actually need. I created a test app with several scopes, then removed most of them, but the "Allow Access?" dialog still lists the removed scopes more than 20 mins after the scope change.

Is there some way to force this dialog to refresh?

I have a connected app on Salesforce. The OAuth flow has been working fine for over a year. Now I want to add a new whitelisted URL for local testing. Our existing callback URL for dev testing has always been http://localhost:3000/#/signup; now we want to add http://localhost:8080/#/signup, as we are hosting the front end from Tomcat in some cases.

When we pass the updated callback url to the salesforce login page like so:
https://login.salesforce.com/services/oauth2/authorize?redirect_uri=http://localhost:8080/#/signup

After successful authorization it redirects to:
http://localhost:3000/#/signup

Are we limited to only 1 callback url entry for localhost?

Okta interrupts the OAuth flow when users log in to our application with their Salesforce credentials. The redirect back to our app with the auth code fails and redirects the user to their Salesforce instance. Has anyone dealt with an issue like this?

We already got the API token for Professional Edition, but I have one more query:
we are using custom SOAP and REST services in our app. Do those custom services work in Professional Edition?
I'm interested if Salesforce plans on supporting the IETF BCP 212 (a.k.a. RFC 8252): https://tools.ietf.org/html/bcp212 It appears that Salesforce should support this best practice in order to increase security for mobile and desktop applications.

The best practice document recommends using a combination of the following techniques for mobile and desktop apps where the OAuth secret cannot be kept secure:
  • Use the authorization code flow for native apps instead of the implicit grant flow (or user-agent flow as Salesforce calls it)
  • Use the PKCE technique (https://tools.ietf.org/html/rfc7636) to prevent authorization code interception by other native apps
  • Use an external web browser instead of embedded browsers, for a better user experience that is more secure
  • Instruct the native app to receive the authorization code response by listening on the local loopback address (i.e. http://127.0.0.1) or a registered custom scheme (i.e. myapp://oauth/salesforce or https://com.myapp.www/oauth/salesforce).
It looks like the Salesforce API is very close to supporting this. The current docs for "Web Server OAuth Authentication Flow" support code_challenge and code_verifier (PKCE), and it seems that the API allows me to ask for the refresh_token scope as long as I use PKCE, which is great.

The only problem I'm running into is that the settings page for my Connected App disallows the local loopback address (http://127.0.0.1) from being used because it's not https://.

The IETF BCP 212 notes in https://tools.ietf.org/html/bcp212#section-8.3
"Loopback interface redirect URIs use the "http" scheme (i.e., without Transport Layer Security (TLS)). This is acceptable for loopback interface redirect URIs as the HTTP request never leaves the device."

From what I can tell, Salesforce would be fully compatible with IETF BCP (aka RFC 8252) if an exception is made to allow redirect_uri to be http:// for the loopback IP (127.0.0.1).

Thanks for considering, I'm interested to hear if there will be official support and documentation for using this Best Current Practice.

It's also worth noting the BCP also un-recommends using the implicit grant flow for native apps: https://tools.ietf.org/html/bcp212#section-8.2

It's also worth noting that Google supports all the required parts for BCP 212, including the native/mobile app listening on 127.0.0.1:
https://developers.google.com/identity/protocols/OAuth2InstalledApp#creatingcred

As does the popular AppAuth set of auth libraries:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-Android
https://github.com/openid/AppAuth-JS/blob/master/README.md

As a workaround for now, on a desktop app I'm using a custom scheme (myapp://oauth/salesforce), which Salesforce allows and works, but that method leaves a blank page open in the user's browser after they auth, which is confusing (https://na30.salesforce.com/_ui/identity/oauth/ui/AuthorizationPage). If we can use a non-TLS loopback address (http://127.0.0.1/oauth/salesforce) we can provide a better user experience by having control over the authorization page.
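The combination the post describes (authorization code flow, PKCE S256, loopback redirect with a state check) looks like this in a native app. This is an added example, not the poster's code or Salesforce's; the client id, port and callback path are placeholders, and whether Salesforce accepts the http:// loopback redirect_uri is exactly the open question above.

```python
import base64
import hashlib
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_verifier(n_bytes=32):
    # RFC 7636 4.1: 43-128 unreserved chars; 32 random bytes encode to 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()

def make_challenge(verifier):
    # S256 method: BASE64URL(SHA256(ASCII(verifier))) with the padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(client_id, redirect_uri, state, verifier, scope="api refresh_token"):
    # Web server flow request; code_challenge binds this request to our verifier so an
    # intercepted code is useless without it. client_id/redirect_uri are placeholders.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return "https://login.salesforce.com/services/oauth2/authorize?" + urllib.parse.urlencode(params)

def parse_callback(path, expected_state):
    # Pull the code out of the loopback redirect; reject it when state does not match
    # (state is the CSRF binding, so a mismatch means this response was not for us).
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]

def wait_for_code(port, expected_state):
    # Serve exactly one request on 127.0.0.1 and return the code (None if rejected).
    # Binding to the loopback interface is what keeps the http:// redirect on-device.
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_callback(self.path, expected_state)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Authorization received. You may close this window.")
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    return result.get("code")
```

The app then POSTs the returned code together with the original code_verifier to the token endpoint; the verifier never leaves the device until that exchange.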
I have implemented single sign-on between my Salesforce org and an identity provider (i.e. Okta). It's working as expected. But now I want an OAuth access token for my implementation with the existing SAML implementation. For this I am referring to https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en. I am sending a POST request to https://login.salesforce.com/services/oauth2/token with a signed assertion. I have created a connected app in the Salesforce org. I am using the client id of the connected app as the issuer in the assertion.

Using this flow I am getting "Failed: Missing Consumer Key Parameter" under the user's Login History section.

Also I want to know about the use of the OAuth 2.0 token endpoint which gets generated after doing the single sign-on setting in the Salesforce org using SAML. I am talking about the flow which is mentioned in the link below.
https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_oauth_web_sso_flow.htm&language=en

I want to use one of the two approaches mentioned above. Please help me on this.