Salesforce Authentication Failing

Asked 9/10, 2012 at 6:48 Answered 19/1 at 22:6

I am trying to use OAuth authentication to get the Salesforce Authentication Token, so I referred wiki docs, but after getting authorization code, when I make a Post request with 5 required parameters, I'm getting following exception

{"error":"invalid_grant","error_description":"authentication failure"} CODE 400
JSON = {"error":"invalid_grant","error_description":"authentication failure"}

which is I guess a bad request.

PostMethod post = new PostMethod("https://login.salesforce.com/services/oauth2/token");
post.addParameter("code",##############);
post.addParameter("grant_type","authorization_code");
post.addParameter("redirect_uri","#################");  
post.addParameter("client_id",this.client_id);
post.addParameter("client_secret",this.client_secret);
httpclient.executeMethod(post);
String responseBody = post.getResponseBodyAsString();
System.out.println(responseBody+" CODE "+post.getStatusCode());

Kindly reply, if exception known?

Runoff answered 9/10, 2012 at 6:48 Comment(4)

have you found solution? i am also facing same issue. – Somnambulate 6/4, 2013 at 9:13

Salesforce only allow us to use valid email domains i.e. no testing domains like yopmail.com, mailinator.com e.t.c. is allowed. – Runoff 6/4, 2013 at 17:7

How did you get the code – Codie 26/1, 2015 at 18:34

Check your IP Range. And go to Your Name --> My Settings --> Personal --> Reset My Security Token. You must append that token to password like: password+token. Try! – Nealon 25/8, 2020 at 4:47

225

For anyone who is as stuck and frustrated as I was, I've left a detailed blog post on the entire process (with pictures and ranty commentary!). Click the link if you want that:

http://www.calvinfroedge.com/salesforce-how-to-generate-api-credentials/

Here is a text only answer:

Step 1:

Create an account. You can create a (free) developer account at developer.salesforce.com

Step 2:

Ignore all the landing pages and getting started crap. It's an endless marketing loop.

Step 3:

Click the "Setup" link

Step 4:

In the lefthand toolbar, under "Create", click "Apps"

Step 5:

Under "Connected Apps" click "New"

Step 6:

Fill out the form. Important fields are the ones marked as required, and the oauth section. Note that you can leave any url for your callback (I used localhost).

Step 7:

Be advised that Salesforce has crappy availability.

Step 8:

Press continue. You finally have your client_id key (labelled 'Consumer Key') and client_secret (labelled 'Consumer Secret').

Step 9:

But wait! You're not done yet; select 'Manage' then 'Edit Policies'

Make sure IP relaxation is set to Relax IP restrictions,
and make sure that Permitted Users is set to "All users may self-authorize.",
and also make sure the your Security > Network Access > Trusted IP Ranges has been set

If you're concerned about disabling security, don't be for now, you just want to get this working for now so you can make API calls. Tighten permissions once you have everything working, one at a time, so you can figure out what setting is giving you authentication errors.

Step 10:

Celebrate! This curl call should succeed:

on production:

curl -v https://login.salesforce.com/services/oauth2/token \
  -d "grant_type=password" \
  -d "client_id=YOUR_CLIENT_ID_FROM_STEP_8" \
  -d "client_secret=YOUR_CLIENT_SECRET_FROM_STEP_8" \
  -d "[email protected]" -d "[email protected]"

on sandbox or test:

curl -v https://test.salesforce.com/services/oauth2/token \
  -d "grant_type=password" \
  -d "client_id=YOUR_CLIENT_ID_FROM_STEP_8" \
  -d "client_secret=YOUR_CLIENT_SECRET_FROM_STEP_8" \
  -d "[email protected]" -d "[email protected]"

Notes:

You shouldn't be doing password authorization if you're building a multi-tenant app, where users need to authorize their own application. Use the Oauth2 workflow for that.
You may need to pass in your security token appended to your password.

Taejon answered 18/3, 2015 at 0:38 Comment(19)

glad i made it all the way to Step 10, good call with the CURL debugging – Bobseine 18/3, 2015 at 18:47

Wow...Thanks a lot...Step 9 is simply superb which pulled me out of struggle – Drogue 3/6, 2015 at 19:1

Do we need to pass security token with password on using OAuth login ? I am getting same error invalid_grant – Disbelief 22/7, 2015 at 8:31

Great guide and it almost worked for me. The problem i got is that the url used in step 10 did not work because we have a subdomain. <my_domain> .my.saleforce.com. Hopefully no one else have do waste time on this. – Bypass 12/4, 2016 at 8:2

my issue was after all that your password can't contain certain special characters! wtg sf! – Synod 9/12, 2016 at 14:53

Changes as of Aug 2017: 1. In step 4, The "New Connected App" button is under Apps -> App Manager. 2. In step 9, I had to set up an actual trusted IP range. – Marrow 3/8, 2017 at 2:49

Does anyone have any clue where to get the security token? salesforce is so confusing. – Malti 30/8, 2017 at 16:57

@DanielZuzevich I found it by clicking the "me" icon at the top-right, selecting Settings, and then going to "Reset My Security Token" in the left sidebar. – Hallowmas 5/10, 2017 at 12:57

Step 9 worked for me as well; specifically, setting "Permitted Users" to "All users may self-authorize." Thank you! – Restate 4/1, 2018 at 20:59

Hallelujah!!! Thank you very much. Salesforce needs to take note - their documentation really needs improving. – True 18/6, 2018 at 9:55

I followed all the above steps but was still getting the invalid grant error, but in the user access log it said invalid password, even though I was using the correct password with the security token appended. Turned out my user didn't have sufficient permissions. So I just created a new user as the System Administrator profile and it all worked nicely :) Hope this helps somebody else – Wingover 3/8, 2018 at 14:35

Thanks so much, I keep coming back to this process every time I need to find that page. Can't believe how hard it is to navigate salesforce. – Tannate 22/10, 2018 at 15:34

@Brandt me too .. :) I am coming back to this answer everytime to solve the issue.. Everytime I try to upvote this answer , but I have already voted for it earlier :) – Superposition 1/2, 2019 at 10:11

Solve for special characters in login: use SOAP login described in the Bulk API Developer Guide > Quickstart where the login info is reference in a file like this: curl https... -H "Content-Type: text/xml; charset=UTF-8" -H "SOAPAction: login" -d @login.txt – Pancratium 4/2, 2019 at 20:59

Blog seems to be dead - archived copy here web.archive.org/web/20181226011555/http://www.calvinfroedge.com/… – Lanam 2/12, 2019 at 13:28

FWIW I had to do one thing differently. Some of these views were not accessible to me in the "Lighting" UI but I was able to do it in the "Classic" UI. Not sure why. Maybe this will help someone else. – Myranda 26/12, 2019 at 18:25

is the process same for SandBox account ?? – Forgetmenot 6/1, 2021 at 13:51

Just an FYI for new people. If you wanna follow this guide you must switch to "Salesforce Classic" mode. You can do this by clicking on your profile bubble at the top right of your screen. Why Salesforce is the way it is has yet to be determined. – Mechanist 12/1, 2021 at 21:43

Thanks for step 7. If only we could get the execs to read this before buying. – Chigetai 15/9, 2022 at 7:0

We had this issue as well.

Check your Connected App settings - under Selected OAuth Scopes, you may need to adjust the selected permissions. Our app primarily uses Chatter, so we had to add both:

Access and manage your Chatter feed (chatter_api)
Perform requests on your behalf at any time (refresh_token).

Again, your mileage may vary but try different combinations of permissions based on what your Application does/needs.

Additionally, the actual invalid_grant error seems to occur due to IP restrictions. Ensure that the server's IP address that is running the OAuth authentication code is allowed. I found that if the SFDC environment has IP restriction setting Enforce IP restrictions set (Setup -> Administer -> Manage Apps -> Connected Apps), then each User Profile must have the allowed IP addresses as well.

Wore answered 30/9, 2013 at 21:52 Comment(1)

Thanks... I had the same issue. The default for app is "Enforce IP Restriction" so you do need to relax this in Setup -> Administer -> Manage Apps -> Connected Apps... as above. – Gretagretal 18/6, 2014 at 13:51

TL:DR

For OAuth 2 tokens if you login...

At login.salesforce.com use https://login.salesforce.com/services/oauth2/token
At test.salesforce.com use https://test.salesforce.com/services/oauth2/token

Story:

I was following Salesforce "Set Up OAuth 2.0"
Credentials were correct (many character by character checks)
When I'd call curl https://login.salesforce.com/services/oauth2/token -d "...credentials..." it still failed with:

{"error":"invalid_grant","error_description":"authentication failure"}

Solution:

Realized there are different OAuth environments when reading Digging Deeper into OAuth 2.0 in Salesforce specifically (emphasis added):

OAuth 2.0 Authentication Endpoints

OAuth endpoints are the URLs that you use to make OAuth authentication requests to Salesforce. When your application makes an authentication request, make sure you’re using the correct Salesforce OAuth endpoint. The primary endpoints are:

Authorization—https://login.salesforce.com/services/oauth2/authorize

Token—https://login.salesforce.com/services/oauth2/token

Revoke—https://login.salesforce.com/services/oauth2/revoke (see Revoke OAuth Tokens for details on revoking access)

Instead of login.salesforce.com, customers can also use the My Domain, community, or test.salesforce.com (sandbox) domains in these endpoints.

Fix

Because I logged into my environment via test.salesforce.com switching to curl https://test.salesforce.com/services/oauth2/token -d "...credentials..." resulted in a "Congrats! (>^_^)> Give OAuth token response"

Buttonhole answered 18/4, 2018 at 18:40 Comment(0)

To whitelist an IP address range follow these steps:

Click Setup in the top-right
Select Administer > Security Controls > Network Access from the left navigation
Click New
Add your ip address range
Click Save

Quark answered 5/1, 2016 at 21:11 Comment(0)

Salesforce is requiring an upgrade to TLS 1.1 or higher by July 22, 2017 in order to align with industry best practices for security and data integrity: from help.salesforce.com.

try to add this code:

System.Net.ServicePointManager.SecurityProtocol = 
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Another option is to edit your registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Check this link for more detailed answers: Default SecurityProtocol in .NET 4.5

Pride answered 6/4, 2017 at 12:34 Comment(1)

Related github issue for a salesforce oauth provider github.com/TerribleDev/OwinOAuthProviders/issues/177 – Plattdeutsch 28/9, 2017 at 19:5

Replace your Salesforce password with combination of the password and the security token. For example, if your password is "MyPassword" and your security token is "XXXXXX", you would need to enter "MyPasswordXXXXXX" in the password field.

If you do not have the security token you can reset it as below.

Go to Your Name --> My Settings --> Personal --> Reset My Security Token.

Bandler answered 10/7, 2018 at 7:30 Comment(1)

This helped me. – Battik 11/2, 2021 at 4:33

You can call your APEX controller using Postman if you enter the Consumer Key and Consumer Secret in the Access Token settings - you don't need the Security Token for this.

Set up the Authorization like this screenshot...

Postman OAuth 2.0

And enter your credentials on the window after hitting the Get New Access Token button...

Get Access Token

Then hit the Request Token button to generate a token, then hit the Use Token button and it will populate the Access Token field on the Authorization tab where you hit the Get New Access Token button.

Ctesiphon answered 29/1, 2019 at 11:31 Comment(3)

Welcome to Stackoverflow, Explain your answer in detail with steps or code snippet if any, so that it will be helpful for everyone to understand. – Esophagus 29/1, 2019 at 11:51

updated original post with further instructions and another screenshot – Ctesiphon 30/1, 2019 at 14:52

I can't thank you enough for posting your instructions on retrieving the access token with Postman. The "Quick Start" instructions in the Salesforce "REST API Developer Guide" are unfortunately less than worthless when it comes to configuring Salesforce and retrieving the Access Token that is required for ALL of their CURL commands (Authorization: Bearer <the Access Token>). – Attorn 28/2, 2020 at 17:28

For my case, after follow 10 above steps but it still didn't work. It took me to so many time to check config util of my connected app. When I checked the Login History and I saw this:

There is a document about Username and Password Flow Disabled:

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_username-password_flow_blocked_by_default.htm&release=244&type=5

As the document, this flow will be disabled by default.

How to enable it?

Setting -> Identity -> OAuth and OpenId Connect Settings

After enable this option, my case was resolved.

Avalos answered 19/1 at 22:6 Comment(0)

I was banging my head against the desk trying to get this to work. Turns out my issue was copying and pasting, which messed up the " character. I went and manually typed " pasted that into the command line and then it worked.

Finned answered 23/2, 2019 at 16:31 Comment(0)

I had the same error with all keys set correct and spent a lot of time trying to figure out why I cannot connect.

Finally I've found that in Setup -> Manage Connected Apps -> Click "MyAppName" -> Click "Edit Policies".

In the 'Permitted Users' field value "All users may self-authorize" should be set.

Lipetsk answered 5/8, 2019 at 14:48 Comment(0)

Make sure your password only has alphanumeric characters in it.

Roi answered 4/8, 2020 at 16:42 Comment(0)

In addition to following the suggestions above, I found that Salesforce didn't like how axios was encoding data as JSON. I switched from the default JSON encoding to using qs to stringify and post as form data and that worked. Still not sure why Salesforce didn't like the JSON version, if anyone has better ideas I'm curious to learn more.

This worked:

axios.post(
  url,
  qs.stringify({
    grant_type: "password",
    username: process.env.USERNAME,
    password: process.env.PASSWORD,
    client_id: process.env.SF_ID,
    client_secret: process.env.SF_SECRET,
  }),
  { headers: "Content-Type": "application/x-www-form-urlencoded", },
)

This didn't:

axios.post(
  url,
  {
    grant_type: "password",
    username: process.env.SF_USERNAME,
    password: process.env.SF_PASSWORD,
    client_id: process.env.SF_ID,
    client_secret: process.env.SF_SECRET,
   }
);

Caisson answered 20/4, 2021 at 17:48 Comment(0)

I had this problem and after trying several failed tutorials I came across a post that said Salesforce won't accept a password with special characters in it (!, @ ,#). I changed my password in Salesforce to one without special characters and finally got it to work.

Interpolate answered 21/8, 2021 at 14:52 Comment(0)

-1

I tried many solutions above which did not work for me. However the trick that actually worked for me was to stop using curl and to use postman application to make the request instead.

By replicating the request in postman, with a POST request and the following params

grant_type
client_id
client_secret
username
password

This solved the issue for me.

Just posting it here in case there are others who have tried all the possible solutions with no avail (like I did).

Solomon answered 10/7, 2019 at 17:26 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

TL:DR

Story:

Solution:

OAuth 2.0 Authentication Endpoints

Fix

Recommended topics

Hot tags