salesforce rest api INVALID_SESSION_ID error
B

8

8

I am using the Salesforce REST API to access the Salesforce account from my Rails app. I created a remote access app and got the key and the id. I was able to authenticate the user and get the auth_token, instance URL and all that. But when I send a request to "instance_url/services/data/v20.0" along with the access token, I get this error:

[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]

I have a developer Salesforce account and have API enabled set to true for every profile, except for the "Authenticated website" profile (which is not accessible).

Please, can anybody help me with this?

I'm authenticating the user with the following request:

HTTParty.post "login.salesforce.com/services/oauth2/token", :body=>{"grant_type"=>"authorization_code","code"=>"abc}","client_secret"=>"abc", "client_id"=>"abc","format"=>"json","redirect_uri"=>"localhost:3000/salesforce/callback"}

which is returning signature, id, instance_url, issued_at, access_token and refresh_token

HTTParty.get "ap1.salesforce.com/services/data/v20.0", :headers=>{"Authentication"=>"OAuth access_token", "Content-Type"=>"application/json"}

which responds with

[{"errorCode"=>"INVALID_SESSION_ID", "message"=>"Session expired or invalid"}]
Barter answered 23/5, 2011 at 9:32 Comment(1)
Do you have remote access properly configured in your Salesforce org? It might also help if you posted your login/query code. Shinny
F
14

How are you passing the sessionId to the /services/data/v20.0 request? If your access_token is abc123, then you need an HTTP header of Authorization: OAuth abc123 in the request.

Fatsoluble answered 23/5, 2011 at 15:39 Comment(0)
M
3

API sessions in Salesforce expire regardless of whether there is activity or not. To set the duration of each session, go to Setup > Administration Setup > Security Controls > Session Settings.

The max is 8 hours.

cheers!

Mise answered 23/5, 2011 at 19:45 Comment(1)
I don't think that's the problem because the session time is set to 2 hrs and I am sending the request immediately after getting the access_token. Also, I am getting a successful response if I send a request for the API versions: "instance_url/services/data/" (with access_token wrapped up in the header) returns [{"label"=>"Winter '11", "url"=>"/services/data/v20.0", "version"=>"20.0"}, {"label"=>"Spring '11", "url"=>"/services/data/v21.0", "version"=>"21.0"}]. Anything else I should look for? Barter
C
2

Additionally to the other possible problems identified by the other answers, the Lock sessions to the IP address from which they originated setting in Salesforce is a possible contributing factor to otherwise valid code. From the following Salesforce KB article:

Description
When "Lock sessions to the IP address from which they originated" is enabled, if an OAuth2 access token is used to perform a Salesforce REST API call, INVALID_SESSION_ID might be returned even if the token is obtained in the same Apex transaction.

Resolution
"Lock sessions to the IP address from which they originated" is strict, and internal IP addresses are not automatically whitelisted in this case. Since the login callout and subsequent REST API callouts might be performed via different internal IP addresses, INVALID_SESSION_ID might be returned when using the access token if the mentioned preference is enabled.

To solve this you may use the continuous IP enforcement feature (introduced in Summer '15):

  1. Turn "Lock sessions to the IP address from which they originated" OFF,
  2. Turn "Enforce login IP ranges on every request" ON,
  3. Select the connected app's IP relaxation policy "Enforce IP restriction", and
  4. Add Salesforce's internal IP range 10.0.0.0 to 10.255.255.255 to the list of profiles needing to use Salesforce's REST API.

or simply relax the IP restrictions:

  1. Turn "Lock sessions to the IP address from which they originated" OFF, and
  2. Select the connected app's IP relaxation policy "Relax IP restrictions"
Curtilage answered 3/5, 2019 at 7:48 Comment(0)
T
0

If you are using OAuth, you need to use the Refresh Token flow on this error to get a new, renewed token. Here are more details: http://wiki.developerforce.com/index.php/Digging_Deeper_into_OAuth_2.0_on_Force.com

Please search for "refresh token" in the WIKI page link above.

Terrapin answered 24/5, 2011 at 3:56 Comment(0)
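The two fixes suggested above (send the token in an `Authorization: OAuth <token>` header, and use the refresh token flow when INVALID_SESSION_ID comes back) can be combined as in the following added example, which is not code from any of the posts. `SalesforceSession` and its injectable `transport` are hypothetical names, and the standard library's Net::HTTP stands in for HTTParty.

```ruby
require "json"
require "net/http"

# Added example: SalesforceSession and `transport` are hypothetical names.
class SalesforceSession
  TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

  # token: parsed JSON from the token endpoint (access_token, instance_url, ...)
  def initialize(token, client_id:, client_secret:, transport: nil)
    @token, @client_id, @client_secret = token, client_id, client_secret
    @transport = transport || method(:send_over_https)
  end

  # The token travels in "Authorization"; an "Authentication" header is ignored.
  def build_get(path)
    req = Net::HTTP::Get.new(URI.join(@token["instance_url"], path))
    req["Authorization"] = "OAuth #{@token['access_token']}"
    req
  end

  def build_refresh
    req = Net::HTTP::Post.new(URI(TOKEN_URL))
    req.set_form_data("grant_type" => "refresh_token",
                      "refresh_token" => @token["refresh_token"],
                      "client_id" => @client_id, "client_secret" => @client_secret)
    req
  end

  # GET the path; on INVALID_SESSION_ID, refresh once and retry once.
  def get(path)
    status, body = @transport.call(build_get(path))
    return [status, body] unless invalid_session?(status, body)
    r_status, r_body = @transport.call(build_refresh)
    return [status, body] unless r_status == 200
    @token = @token.merge(JSON.parse(r_body)) # keeps the stored refresh_token
    @transport.call(build_get(path))
  end

  def invalid_session?(status, body)
    errors = JSON.parse(body)
    status == 401 && errors.is_a?(Array) &&
      errors.any? { |e| e.is_a?(Hash) && e["errorCode"] == "INVALID_SESSION_ID" }
  rescue JSON::ParserError, TypeError
    false
  end

  private def send_over_https(req)
    res = Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |h| h.request(req) }
    [res.code.to_i, res.body]
  end
end
```

If the retry still returns INVALID_SESSION_ID right after a successful refresh, the token is not the cause, and the IP-locking session setting described in another answer is the next thing to check.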
K
0

Issues I ran into:

Karlis answered 19/12, 2013 at 8:48 Comment(0)
S
0

Faced the same issue and in my case < > characters in the password were causing the problem.

Swale answered 15/7, 2016 at 5:6 Comment(0)
E
0

I am adding this answer because none of the other answers above helped me. My problem was actually that I was using access_token as I received it in the JSON response during login.salesforce.com/services/oauth2/token requests.

You have to remove ID from access_token, as it is described in Salesforce documentation: "Substitute the ID for the token value"

Enliven answered 12/8, 2016 at 11:18 Comment(0)
B
0

Users connecting without a connected app: you can try changing the setting below in the settings tab. Set "Follow Authorization header" to ON.

Screenshot showing setting toggle

Blastomere answered 30/3, 2023 at 14:18 Comment(0)