I'm new to Salesforce and I'm trying to obtain an access token with the password grant.
I can successfully obtain the access token:
Request:
POST /services/oauth2/token HTTP/1.1
Host: .....my.salesforce.com
Content-Type: application/x-www-form-urlencoded
grant_type=password
&client_id=MY_CLIENT_ID
&client_secret=MY_CLIENT_SECRET
&username=some_email
&password=some_password
Response:
{
"access_token": "some_token",
"instance_url": "https://......my.salesforce.com",
"id": "https://test.salesforce.com/id/00D260000001G7lEAE/00526000004wk0wAAA",
"token_type": "Bearer",
"issued_at": "1589009375588",
"signature": "Q9Au4839PUdEfCamO7Qvjereo9i+kjimpbR3tfVAeVw="
}
However, when I introspect the access token:
POST /services/oauth2/introspect HTTP/1.1
Host: ......my.salesforce.com
Content-Type: application/x-www-form-urlencoded
token=some_token
&token_type_hint=access_token
&client_id=MY_CLIENT_ID
&client_secret=MY_CLIENT_SECRET
Introspection response:
{
"active": false
}
Why is the token not active?
Best Answer
The response of
{"active": false}
is only allowed in very specific contexts. From the OAuth Introspection spec (RFC 7662):
Even though one can't verify with certainty from merely reading your question, in your case it appears that the call is properly authorized, the token is active, and it does exist on this server. That leaves the possibility of the protected resource not being allowed to introspect this particular token. Indeed, the introspection privilege is the root cause of this issue.
In your connected app, if you select "Introspect All Tokens", you'll see a valid response:
The SF doc does say that "By default, all connected apps can introspect their own tokens", and (presumably) this token was issued by this connected app. If the token had been issued by the connected app in an org different from the one doing the introspection, the requirement to grant introspection privileges by checking this option on the connected app would have been a fair ask. With the token being issued by the same app in the same org, the need to select "Introspect All Tokens" is either a documentation and/or implementation bug.
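The two-step flow from the question (password grant, then RFC 7662 introspection), as an added example that is not part of the question, the answer, or any Salesforce code. It uses only the standard library. The `transport` hook and the `fake_salesforce` stand-in are assumptions of this example, added so the flow can be run offline; the stand-in models only what the page reports (the app's own token introspects as `active: false` until "Introspect All Tokens" is selected) and is not a claim about Salesforce beyond that. `evaluate_introspection` shows the defender-side point of the answer: `active: false` is ambiguous by design and must not be read as "the token is expired or revoked" without first checking who is allowed to introspect it.

```python
import json
import time
import urllib.parse
import urllib.request

FORM = "application/x-www-form-urlencoded"


def password_grant_body(client_id, client_secret, username, password):
    """Form body for the password grant, as in the question's token request."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def introspect_body(token, client_id, client_secret, hint="access_token"):
    """Form body for the RFC 7662 introspection request in the question."""
    return urllib.parse.urlencode({
        "token": token,
        "token_type_hint": hint,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def post_form(url, body, transport=None):
    """POST a form body and return the parsed JSON response.

    `transport(url, body)` is an injectable hook (an assumption of this example)
    so the flow can be exercised offline; without it a real HTTPS POST is sent.
    """
    if transport is not None:
        return transport(url, body)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST", headers={"Content-Type": FORM})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def evaluate_introspection(intro, now=None):
    """Decide whether an introspected token may be trusted; returns (usable, reason).

    Under RFC 7662 `active: false` is deliberately ambiguous: expired, revoked,
    unknown, or simply not introspectable by this client. Do not treat it as
    proof that the token itself is bad.
    """
    now = time.time() if now is None else now
    if intro.get("active") is not True:
        return False, ("inactive: expired/revoked/unknown, or this client may "
                       "not introspect it (check 'Introspect All Tokens')")
    exp = intro.get("exp")
    if exp is not None and int(exp) <= now:
        return False, "active flag set but exp already passed"
    return True, "active; scope=%s" % intro.get("scope", "")


def obtain_and_check(login_host, cfg, transport=None):
    """Password grant against login_host, then introspect at the returned instance_url."""
    tok = post_form(f"https://{login_host}/services/oauth2/token",
                    password_grant_body(cfg["client_id"], cfg["client_secret"],
                                        cfg["username"], cfg["password"]),
                    transport)
    intro = post_form(f"{tok['instance_url']}/services/oauth2/introspect",
                      introspect_body(tok["access_token"], cfg["client_id"],
                                      cfg["client_secret"]),
                      transport)
    return evaluate_introspection(intro)


def fake_salesforce(introspect_all_tokens):
    """Constructed stand-in for the two endpoints (an assumption of this example).

    Models only what the page reports: introspection of the app's own token
    returns active only when 'Introspect All Tokens' is selected.
    """
    issued = {"access_token": "constructed-token",
              "instance_url": "https://example.invalid", "token_type": "Bearer"}

    def transport(url, body):
        params = dict(urllib.parse.parse_qsl(body))
        if url.endswith("/services/oauth2/token"):
            assert params["grant_type"] == "password"
            return dict(issued)
        if url.endswith("/services/oauth2/introspect"):
            known = params["token"] == issued["access_token"]
            if known and introspect_all_tokens:
                return {"active": True, "scope": "api",
                        "client_id": params["client_id"],
                        "exp": int(time.time()) + 3600}
            return {"active": False}
        raise ValueError("unexpected URL " + url)
    return transport


# Constructed configuration; replace with the connected app's real values.
CFG = {"client_id": "MY_CLIENT_ID", "client_secret": "MY_CLIENT_SECRET",
       "username": "user@example.invalid", "password": "constructed"}

if __name__ == "__main__":
    for flag in (False, True):
        print("Introspect All Tokens =", flag, "->",
              obtain_and_check("example.invalid", CFG, fake_salesforce(flag)))
```

Against a real org, call `obtain_and_check(<your My Domain host>, CFG)` with no `transport` argument; the same `evaluate_introspection` then runs over the live response, and a `(False, "inactive: ...")` result on a token you just minted from the same connected app points at the introspection privilege rather than at the token.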