[SalesForce] JWT Error – user hasn’t approved this consumer

I am trying to implement the OAuth 2.0 JWT Bearer Token Flow on my node.js app using these instructions, but I'm unable to authenticate successfully, getting this error:

{"error":"invalid_grant","error_description":"user hasn't approved this consumer"}

Details:

1) All users may self-authorize

2) I followed this answer, which states that I need to login first myself.

so I opened the following link using my browser: https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=my_client_id&redirect_uri=https://login.salesforce.com/services/oauth2/success

and authenticated, I was then redirected to https://login.salesforce.com/services/oauth2/success and got the following response in the URL:
https://login.salesforce.com/services/oauth2/success#access_token=my_access_token&instance_url=https%3A%2F%2Fmyorg.my.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00D1t0000gdfEA2%2F0051t000003gdfGIAAY&issued_at=1564389252266&signature=gdfgdfMa8SYkZu6Rn6K4iY%3D&scope=full&token_type=Bearer

3) OAuth Scopes includes:

Full Access

4) The redirect_uri used in the auth call matchs the callback uri registered for my app

Here's my code to authenticate:

function jwtLogin(){
    const jsforce = require('jsforce');
    const jwt = require("salesforce-jwt-bearer-token-flow");

    // create the connection to the org
    let conn = new jsforce.Connection();

    // load the private key for the token
    let privateKey = require('fs').readFileSync('./certificates/server.key', 'utf8');

    jwt.getToken({
      iss: 'my_Consumer_Key',
      sub: 'my_username',
      aud: 'https://login.salesforce.com',
      privateKey: privateKey
    }, function(err, response) {
        if (err) {
          console.error('error is: '+JSON.stringify(err));
        } else {
          conn.initialize({
            instanceUrl: response.instance_url,
            accessToken: response.access_token
          });
          console.log('Successfully connected to Org');
        }
      }
    );

    module.exports = conn;     
}

Under Login History, I see the following line: Failed: Not approved

What am I missing?

Best Answer

This was a policy issue related to Permitted Users under the Connected App, once I changed it from 'All users may self-authorize' to 'Admin approved users are pre-authorized' issue was resolved.

Related Solutions

[SalesForce] What’s the difference between these authentication endpoints

The different endpoints are used for different authentication flows, this is all covered in the REST API documentation.

The /authorize endpoint is used for the Web Server OAuth Authentication Flow and User-Agent OAuth Authentication Flow.

The /token endpoint is used for the Username-Password OAuth Authentication Flow and the OAuth Refresh Token Process.

Web Server OAuth Authentication Flow

The Web server authentication flow is used by applications that are hosted on a secure server. A critical aspect of the Web server flow is that the server must be able to protect the consumer secret.

In this flow, the client application requests the authorization server to redirect the user to another web server or resource that authorizes the user and sends the application an authorization code. The application uses the authorization code to request an access token. The following shows the steps for this flow.

User-Agent OAuth Authentication Flow

The user-agent authentication flow is used by client applications (consumers) residing in the user’s device. This could be implemented in a browser using a scripting language such as JavaScript, or from a mobile device or a desktop application. These consumers cannot keep the client secret confidential.

In this flow, the client application requests the authorization server to redirect the user to another Web server or resource which is capable of extracting the access token and passing it back to the application. The following shows the steps for this flow.

Username-Password OAuth Authentication Flow

The username-password authentication flow can be used to authenticate when the consumer already has the user’s credentials.

In this flow, the user’s credentials are used by the application to request an access token as shown in the following steps.

Warning
This OAuth authentication flow involves passing the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token will be issued.

OAuth Refresh Token Process

The Web server OAuth authentication flow and user-agent flow both provide a refresh token that can be used to obtain a new access token.

Access tokens have a limited lifetime specified by the session timeout in Salesforce. If an application uses an expired access token, a “Session expired or invalid” error is returned. If the application is using the Web server or user-agent OAuth authentication flows, a refresh token may be provided during authorization that can be used to get a new access token.

[SalesForce] Not getting the refresh token in OAuth

I think you need to specify the scope, like this:

https://na16.salesforce.com/services/oauth2/authorize?response_type=token&client_id=[your_client_id]&redirect_uri=https://login.salesforce.com/services/oauth2/success&display=touch&scope=full refresh_token

Specifically, this:

scope=full refresh_token

(This is what I use, and it works)

Best Answer

Related Solutions

[SalesForce] What’s the difference between these authentication endpoints

Web Server OAuth Authentication Flow

User-Agent OAuth Authentication Flow

Username-Password OAuth Authentication Flow

OAuth Refresh Token Process

[SalesForce] Not getting the refresh token in OAuth

Related Topic