I am a newbie to Salesforce. I am planning on implementing username-password OAuth 2.0 flow in my iOS app. I am getting access_token after calling https://login.salesforce.com/services/oauth2/token API. Is this token long lived? It seems there is no way to refresh this access_token. Can I use this in future without having to refresh it?
[SalesForce] OAuth 2.0 username-password flow: Is the access token long lived
Related Solutions
Answering your questions in order:
- In the interactive web server/user-agent flows, the user submits their credentials directly to Salesforce, and the app receives the short-lived access token and, optionally, a long-lived refresh token. The refresh token is scoped to that application, and may be revoked by the user or an admin at any time, without any impact on other applications. The admin can even set policy for refresh tokens, choosing to invalidate them after some period of inactivity etc. This is not true of username/password - the user shares their Salesforce credentials with the application. If, at a later time, the user decides that they do not trust that app, they needs to change their password at Salesforce, and update any other apps that might be holding the username and password.
- The app is responsible for safely handling and, possibly, storing those credentials, which have much wider scope than the refresh token. It's not that the username/password flow is less secure than the interactive flows, it's that the responsibilities of the app are much greater, and the consequences, if the app does not fulfill those responsibilities, more severe.
- They are not sent as URL parameters, but posted as
application/x-www-form-urlencodeddata - see this article.
I would advise you to consider one of the interactive flows, and store the refresh token, or even JWT Bearer Token flow, where the app creates a signed token, rather than username-password, which should be considered a last resort, when no other option is available.
Please do below two corrections:
Set the content type on request
request.setHeader('Content-Type', 'application/x-www-form-urlencoded');
Correct the endpoint from https://login.salesforce.com/services/oauth/token to https://login.salesforce.com/services/oauth2/token
You have missed oauth2.
Also you need to encode the username and password.
Related Topic
- [SalesForce] OAuth 2.0 JWT Bearer Token Flow refresh_token
- [SalesForce] JWT Error – user hasn’t approved this consumer
- Unable to get oAuth access token for sandbox after making HTTP POST from postman. Access token is returned for Production environment
- Using Access Token from OAuth 2.0 Username-Password Flow to access data export page
Best Answer
You should check the operation response and handle any exception. If the response is an 401 containing this JSON:
, you could call a refresh_token flow like this :
However, you only get the refresh token from the Web server and User-Agent as is indicated here.
So, I think that after login using user-password flow, you should re-authenticate the user or change the flow.
Refresh Token
I recommend you to read this article of digging deeper into OAuth in force