how to get a more permanent access token

The document at http://www.salesforce.com/us/developer/docs/api_rest/index_Left.htm#CSHID=quickstart_code.htm|StartTopic=Content%2Fquickstart_code.htm|SkinName=webhelp says

Salesforce uses authentication to allow users to securely access data without having to reveal username and password credentials.

but as far as I can tell, the only command that I can run to get an access_token is using my colleague's username and password like so

curl -d "username=yyyyyyy" -d "password=xxxxxxx" -d "client_id=zzzzzz" -d "client_secret=dddddddddd" -v -d "grant_type=password" https://login.salesforce.com/services/oauth2/token

and I have to regenerate that as the access_token keeps expiring. If it didn't, my colleague could just generate the token once and hand it off to me and be done with it.

How can I do this so he never has to give me his username/password AND my app will keep on working and working until he deletes the application from salesforce (which would hopefully invalidate the client_id and client_secret).

(That is how most APIs work at least so users don't have to give developers their username and password nor do we need to store username and password on production machines.) So how do we get this to work? OR are the docs completely wrong and I do need the user's login/password to access data even though that one line says otherwise.

Carnet answered 25/3, 2014 at 17:40 Comment(0)

Okay, this was rather annoying. In OAuth2, the proper way for an app that wants access to all data regardless of user and whether that user is logged in is grant_type=client_credentials which does not exist on Salesforce.

The workaround is as follows:

  1. In the GUI, edit your app and in the "API (Enable OAuth settings)", add "Access and manage your data(api) or Full Access AND Perform requests at any time on your behalf (Refresh token)"
  2. In the GUI, set the callback url to https://localhost/oauth (this is a hack and we will use this to our advantage later)
  3. Now, go to the url (fill in the params with your data) https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=YOURCLIENTID&redirect_uri=https%3A%2F%2Flocalhost%2Foauth
  4. Your browser will redirect you to https://localhost/oauth?code=YOURCODE NOTE: This code can only be used ONCE before you need to repeat step 3 and run again.
  5. Run a POST request using the code in step 4 (the YOURCODE) to url https://login.salesforce.com/services/oauth2/token with the data in the body of grant_type=authorization_code&code=YOURCODE&client_id=YOURCLIENTID&client_secret=YOURSECRET&redirect_uri=https%3A%2F%2Flocalhost%2Foauth

NOTE: There are some %3Ds in the YOURCODE....you do not need to modify them and convert them to = and you can just leave them as is.

This now results in returning a refresh token you can use and the current access token you can use.

Now, just save the refresh token to your database (I am hoping it pretty much lasts until someone deletes the application and time will tell I guess).

Carnet answered 25/3, 2014 at 21:16 Comment(2)
I'm getting an error on step 5 instead of refresh and access tokens. The error I'm getting is: string(74) "{"error":"invalid_grant","error_description":"invalid authorization code"}" I've tried getting a new code from step 4, but same issue. - Chaunceychaunt
You need to convert Unicode to HTML entities to use the code. You can use this tool: online-toolz.com/tools/unicode-html-entities-convertor.php - Luting
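The steps in the answer above, sketched in Python with only the standard library (an added example, not code from the original posts). The function names and the sample redirect URL are constructed for illustration; the endpoints, parameters and the `https://localhost/oauth` callback are the ones given in the steps, and the `refresh_token` grant is the standard OAuth 2.0 one.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN = "https://login.salesforce.com/services/oauth2"
REDIRECT_URI = "https://localhost/oauth"  # callback URL set in step 2
# Constructed sample of what the browser address bar shows after step 4.
SAMPLE_REDIRECT = "https://localhost/oauth?code=aPrxCONSTRUCTEDcode.abc%3D%3D"


def authorize_url(client_id):
    """Step 3: URL the account owner opens in a browser to approve the app."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": REDIRECT_URI})
    return f"{LOGIN}/authorize?{query}"


def code_from_redirect(redirected_url):
    """Step 4: extract the one-time code; parse_qs turns %3D back into '='."""
    params = parse_qs(urlsplit(redirected_url).query)
    if "error" in params:  # e.g. the user clicked Deny
        raise ValueError(params["error"][0])
    return params["code"][0]


def code_grant_body(code, client_id, client_secret):
    """Step 5: form body; urlencode encodes the decoded code exactly once."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": REDIRECT_URI})


def refresh_grant_body(refresh_token, client_id, client_secret):
    """Later runs: trade the stored refresh token for a fresh access token."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})


def post_token(body):
    """POST a form body to the token endpoint and return the parsed JSON."""
    req = urllib.request.Request(f"{LOGIN}/token", data=body.encode("ascii"))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Passing the still-encoded code from the address bar through a form encoder encodes it a second time (`%3D` becomes `%253D`), whereas pasting it unchanged into a raw request body, as step 5 does, sends it encoded once.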

You can use a regular interactive OAuth login flow to get a refresh token which can be used to get new access tokens as needed. See https://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com for details.

Impalpable answered 25/3, 2014 at 17:44 Comment(7)
hmmm, it says it has to use the redirect url which I don't have a redirect url (for when I clicked new app in salesforce, I just put a fake url in there). I don't have an application yet and am testing nor will the application have a web page with any redirect url on it. Do you have a curl command I can run? - Carnet
You can only get a refresh token via an interactive login. You'll need a local redirect URI for your app. - Impalpable
my app is not a web application nor is it outside any firewall where salesforce can redirect back to it.....so this means my only way is to store the username/password in the application itself since I have no way to get a refresh access token? - Carnet
hmmmm, google has a way for native apps that don't have redirect urls for oauth2 it looks like. salesforce doesn't have that? .... groups.google.com/forum/#!topic/google-latitude-api/I-tH5pdbYKY - Carnet
You can use a non-http redirect URI to trigger a callback to a native app from the browser. - Impalpable
I have an OSX demo of this, see github.com/superfell/zkSforce/tree/master/samples/OAuthDemo-OSX - Impalpable
I posted the way of doing this without an application with a webpage as an answer. It seems to work. - Carnet
