[SalesForce] OAuth API doesn’t send refresh token with custom redirect_uri

If I put this link in my web browser (I put them on separate lines for readability):

https://login.salesforce.com/services/oauth2/authorize
?response_type=token
&client_id=MY_CONSUMER_KEY
&redirect_uri=https://login.salesforce.com/services/oauth2/success

and log in, it redirects me to the redirect_uri appended with a hash of all the important information I need. I want to use my own redirect_uri, so I modified the callback URL field for the application, and modified my request:

https://login.salesforce.com/services/oauth2/authorize
?response_type=token
&client_id=MY_CONSUMER_KEY
&redirect_uri=MY_CUSTOM_URI

I can log in like I would in the previous example, and it redirects me correctly to my custom uri, but without the refresh token in the hash. Any ideas?

Best Answer

According to the docs:

The refresh token for the user-agent flow is only issued under one of the following circumstances:

The redirect URL uses a custom protocol.

The redirect URL is exactly https://login.salesforce.com/services/oauth2/success, or on Sandbox, https://test.salesforce.com/services/oauth2/success.

The redirect URL uses the http protocol and the host is localhost - e.g. http://localhost:8080/

User-agent flow is not intended for use with web apps (which is what it looks like you're trying to do). Use web server flow instead.

Related Solutions

[SalesForce] What’s the difference between these authentication endpoints

The different endpoints are used for different authentication flows, this is all covered in the REST API documentation.

The /authorize endpoint is used for the Web Server OAuth Authentication Flow and User-Agent OAuth Authentication Flow.

The /token endpoint is used for the Username-Password OAuth Authentication Flow and the OAuth Refresh Token Process.

Web Server OAuth Authentication Flow

The Web server authentication flow is used by applications that are hosted on a secure server. A critical aspect of the Web server flow is that the server must be able to protect the consumer secret.

In this flow, the client application requests the authorization server to redirect the user to another web server or resource that authorizes the user and sends the application an authorization code. The application uses the authorization code to request an access token. The following shows the steps for this flow.

User-Agent OAuth Authentication Flow

The user-agent authentication flow is used by client applications (consumers) residing in the user’s device. This could be implemented in a browser using a scripting language such as JavaScript, or from a mobile device or a desktop application. These consumers cannot keep the client secret confidential.

In this flow, the client application requests the authorization server to redirect the user to another Web server or resource which is capable of extracting the access token and passing it back to the application. The following shows the steps for this flow.

Username-Password OAuth Authentication Flow

The username-password authentication flow can be used to authenticate when the consumer already has the user’s credentials.

In this flow, the user’s credentials are used by the application to request an access token as shown in the following steps.

Warning
This OAuth authentication flow involves passing the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token will be issued.

OAuth Refresh Token Process

The Web server OAuth authentication flow and user-agent flow both provide a refresh token that can be used to obtain a new access token.

Access tokens have a limited lifetime specified by the session timeout in Salesforce. If an application uses an expired access token, a “Session expired or invalid” error is returned. If the application is using the Web server or user-agent OAuth authentication flows, a refresh token may be provided during authorization that can be used to get a new access token.

[SalesForce] Not getting the refresh token in OAuth

I think you need to specify the scope, like this:

https://na16.salesforce.com/services/oauth2/authorize?response_type=token&client_id=[your_client_id]&redirect_uri=https://login.salesforce.com/services/oauth2/success&display=touch&scope=full refresh_token

Specifically, this:

scope=full refresh_token

(This is what I use, and it works)

Best Answer

Related Solutions

[SalesForce] What’s the difference between these authentication endpoints

Web Server OAuth Authentication Flow

User-Agent OAuth Authentication Flow

Username-Password OAuth Authentication Flow

OAuth Refresh Token Process

[SalesForce] Not getting the refresh token in OAuth

Related Topic