Salesforce 身份验证失败

我试图使用 OAuth 身份验证来获得 Salesforce 身份验证令牌,所以我引用了 维基文档,但是在获得授权代码之后,当我使用5个必需的参数发送一个 Post 请求时,我得到了以下异常

{"error":"invalid_grant","error_description":"authentication failure"} CODE 400
JSON = {"error":"invalid_grant","error_description":"authentication failure"}

我想这是个糟糕的请求。

PostMethod post = new PostMethod("https://login.salesforce.com/services/oauth2/token");
post.addParameter("code",##############);
post.addParameter("grant_type","authorization_code");
post.addParameter("redirect_uri","#################");
post.addParameter("client_id",this.client_id);
post.addParameter("client_secret",this.client_secret);
httpclient.executeMethod(post);
String responseBody = post.getResponseBodyAsString();
System.out.println(responseBody+" CODE "+post.getStatusCode());

请回复,如果例外已知?

84839 次浏览
小开

We had this issue as well.

Check your Connected App settings - under Selected OAuth Scopes, you may need to adjust the selected permissions. Our app primarily uses Chatter, so we had to add both:

  • Access and manage your Chatter feed (chatter_api)
  • Perform requests on your behalf at any time (refresh_token).

Again, your mileage may vary but try different combinations of permissions based on what your Application does/needs.

Additionally, the actual invalid_grant error seems to occur due to IP restrictions. Ensure that the server's IP address that is running the OAuth authentication code is allowed. I found that if the SFDC environment has IP restriction setting Enforce IP restrictions set (ABC2 -> ABC3 -> ABC4 -> Connected Apps), then each User Profile must have the allowed IP addresses as well.

小开

For anyone who is as stuck and frustrated as I was, I've left a detailed blog post on the entire process (with pictures and ranty commentary!). Click the link if you want that:

http://www.calvinfroedge.com/salesforce-how-to-generate-api-credentials/

Here is a text only answer:

Step 1:

Create an account. You can create a (free) developer account at developer.salesforce.com

Step 2:

Ignore all the landing pages and getting started crap. It's an endless marketing loop.

Step 3:

Click the "Setup" link

Step 4:

In the lefthand toolbar, under "Create", click "Apps"

Step 5:

Under "Connected Apps" click "New"

Step 6:

Fill out the form. Important fields are the ones marked as required, and the oauth section. Note that you can leave any url for your callback (I used localhost).

Step 7:

Be advised that Salesforce has crappy availability.

Step 8:

Press continue. You finally have your client_id key (labelled 'Consumer Key') and client_secret (labelled 'Consumer Secret').

Step 9:

But wait! You're not done yet; select 'Manage' then 'Edit Policies'

  1. Make sure IP relaxation is set to Relax IP restrictions,

  2. and make sure that Permitted Users is set to "All users may self-authorize.",

  3. and also make sure the your Security > Network Access > Trusted IP Ranges has been set

OAuth settings

Security > Network Access > Trusted IP Ranges

If you're concerned about disabling security, don't be for now, you just want to get this working for now so you can make API calls. Tighten permissions once you have everything working, one at a time, so you can figure out what setting is giving you authentication errors.

Step 10:

Celebrate! This curl call should succeed:

on production:

curl -v https://login.salesforce.com/services/oauth2/token \
-d "grant_type=password" \
-d "client_id=YOUR_CLIENT_ID_FROM_STEP_8" \
-d "client_secret=YOUR_CLIENT_SECRET_FROM_STEP_8" \
-d "username=user@wherever.com" -d "password=foo@bar.com"

on sandbox or test:

curl -v https://test.salesforce.com/services/oauth2/token \
-d "grant_type=password" \
-d "client_id=YOUR_CLIENT_ID_FROM_STEP_8" \
-d "client_secret=YOUR_CLIENT_SECRET_FROM_STEP_8" \
-d "username=user@wherever.com" -d "password=foo@bar.com"

Notes:

  • You shouldn't be doing password authorization if you're building a multi-tenant app, where users need to authorize their own application. Use the Oauth2 workflow for that.

  • You may need to pass in your security token appended to your password.

小开

To whitelist an IP address range follow these steps:

  1. Click Setup in the top-right
  2. Select Administer > Security Controls > Network Access from the left navigation
  3. Click New
  4. Add your ip address range
  5. Click Save
小开

Salesforce is requiring an upgrade to TLS 1.1 or higher by July 22, 2017 in order to align with industry best practices for security and data integrity: from help.salesforce.com.

try to add this code:

System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Another option is to edit your registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Check this link for more detailed answers: Default SecurityProtocol in .NET 4.5

小开

TL:DR

For OAuth 2 tokens if you login...

Story:

  1. I was following Salesforce "Set Up OAuth 2.0"
  2. Credentials were correct (many character by character checks)

  3. When I'd call curl https://login.salesforce.com/services/oauth2/token -d "...credentials..." it still failed with:

    {"error":"invalid_grant","error_description":"authentication failure"}

Solution:

Realized there are different OAuth environments when reading Digging Deeper into OAuth 2.0 in Salesforce specifically (emphasis added):

OAuth 2.0 Authentication Endpoints

OAuth endpoints are the URLs that you use to make OAuth authentication requests to Salesforce. When your application makes an authentication request, make sure you’re using the correct Salesforce OAuth endpoint. The primary endpoints are:

Instead of login.salesforce.com, customers can also use the My Domain, community, or test.salesforce.com (sandbox) domains in these endpoints.

Fix

Because I logged into my environment via test.salesforce.com switching to curl https://test.salesforce.com/services/oauth2/token -d "...credentials..." resulted in a "Congrats! (>^_^)> Give OAuth token response"

小开

Replace your Salesforce password with combination of the password and the security token. For example, if your password is "MyPassword" and your security token is "XXXXXX", you would need to enter "MyPasswordXXXXXX" in the password field.

If you do not have the security token you can reset it as below.

  • Go to Your Name --> My Settings --> Personal --> Reset My Security Token.
小开

You can call your APEX controller using Postman if you enter the Consumer Key and Consumer Secret in the Access Token settings - you don't need the Security Token for this.

Set up the Authorization like this screenshot...

Postman OAuth 2.0

And enter your credentials on the window after hitting the Get New Access Token button...

Get Access Token

Then hit the Request Token button to generate a token, then hit the Use Token button and it will populate the Access Token field on the Authorization tab where you hit the Get New Access Token button.

小开

I was banging my head against the desk trying to get this to work. Turns out my issue was copying and pasting, which messed up the " character. I went and manually typed " pasted that into the command line and then it worked.

小开

I tried many solutions above which did not work for me. However the trick that actually worked for me was to stop using curl and to use postman application to make the request instead.

By replicating the request in postman, with a POST request and the following params

  1. grant_type
  2. client_id
  3. client_secret
  4. username
  5. password

This solved the issue for me.

Just posting it here in case there are others who have tried all the possible solutions with no avail (like I did).

小开

I had the same error with all keys set correct and spent a lot of time trying to figure out why I cannot connect.

Finally I've found that in Setup -> Manage Connected Apps -> Click "MyAppName" -> Click "Edit Policies".

In the 'Permitted Users' field value "All users may self-authorize" should be set.

小开

Make sure your password only has alphanumeric characters in it.

小开

In addition to following the suggestions above, I found that Salesforce didn't like how axios was encoding data as JSON. I switched from the default JSON encoding to using qs to stringify and post as form data and that worked. Still not sure why Salesforce didn't like the JSON version, if anyone has better ideas I'm curious to learn more.

This worked:

axios.post(
url,
qs.stringify({
grant_type: "password",
username: process.env.USERNAME,
password: process.env.PASSWORD,
client_id: process.env.SF_ID,
client_secret: process.env.SF_SECRET,
}),
{ headers: "Content-Type": "application/x-www-form-urlencoded", },
)

This didn't:

axios.post(
url,
{
grant_type: "password",
username: process.env.SF_USERNAME,
password: process.env.SF_PASSWORD,
client_id: process.env.SF_ID,
client_secret: process.env.SF_SECRET,
}
);
小开

I had this problem and after trying several failed tutorials I came across a post that said Salesforce won't accept a password with special characters in it (!, @ ,#). I changed my password in Salesforce to one without special characters and finally got it to work.


提交答案