[SalesForce] OAuth web server flow – login redirect loop

We have an OAuth Web Server Flow setup in our SF managed package that is used to authenticate our web service with Salesforce for API access. When a user first opens our app in SF, a call is first made to the /services/oauth2/authorize endpoint with the client's Org ID and our client details. Salesforce then normally redirects the user to their remote access authorization page, asking the user to grant our app permission to access their org.

It seems that for a small few of our clients that are attempting to use our app within a sandbox, they get redirected to the Salesforce login page at test.salesforce.com, and entering their credentials simply logs them into Salesforce. Our callback URL is never sent the appropriate auth code.

It occurs somewhat rarely, as some sandboxes authorize without any issues.

Anyone have any ideas on how to diagnose this, or what might be happening?

Best Answer

This is a problem with the salesforce session negotiation on sandbox orgs that use My Domain. There is no fix but a workaround is possible:

upon arriving at the login page, don't login, but view the page source,
locate the hidden input tag and value attribute by searching for "r=,
copy the whole string after the = and paste it into an RFC URL decoder,

You now have the redirect URL that was supposed to go back to the org. And, regardless of having other browser sessions open or not (even in a chrome incognito window) one will see that the pod is wrong, for example it may show cs30 or cs17 even if your pod is cs1 in actuality.

Replace the wrong pod with the right pod, and paste that amended URL into the browser for it to complete the dance and return you into salesforce.

Related Solutions

[SalesForce] Why does OAuth2 authorization endpoint redirect to callback URL as if it were the SAML IdP

If you look at that response carefully, you'll see that the JavaScript actually makes a request of https://xxx.my.salesforce.com/, not your server. You need to follow one step further to see the request to your server. Here's an abbreviated version of what I just saw.

First, the initial OAuth request to a My Domain URL:

$ curl -v 'https://superpat-developer-edition.my.salesforce.com/services/oauth2/authorize?response_type=code&redirect_uri=...&client_id=...'
* ...
< HTTP/1.1 302 Found
< Location: https://superpat-developer-edition.my.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp?source=...

Following the redirect:

$ curl -v https://superpat-developer-edition.my.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp?source=...
* ...
< HTTP/1.1 200 OK
< ...
< 
<script>
var escapedHash = '';
var url = '/saml/authn-request.jsp?saml_request_id=...&saml_acs=...&saml_binding_type=HttpPost&Issuer=https%3A%2F%2Fsuperpat-developer-edition.my.salesforce.com&urlSource=1&RelayState=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fsource%3D...';
if (window.location.hash) {
   escapedHash = '%23' + window.location.hash.slice(1);
}
if (window.location.replace){ 
window.location.replace(url + escapedHash);
} else {;
window.location.href = url + escapedHash;
} 
</script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
...
</html>

Note - no server on that /saml/authn-request.jsp URL, so the request will go to https://superpat-developer-edition.my.salesforce.com/. Let's simulate it with curl and see what happens:

$ curl -v 'https://superpat-developer-edition.my.salesforce.com/saml/authn-request.jsp?saml_request_id=...&saml_acs=...&saml_binding_type=HttpPost&Issuer=https%3A%2F%2Fsuperpat-developer-edition.my.salesforce.com&urlSource=1&RelayState=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fsource%3D...'
* ...
< HTTP/1.1 200 OK
< ...
< 

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

    <body onload="document.forms[0].submit()">
        <noscript>
            <p>
                <strong>Note:</strong> Since your browser does not support JavaScript,
                you must press the Continue button once to proceed.
            </p>
        </noscript>

        <form action="https://ADFS.example.com/adfs/ls/" method="post">
            <div>
                <input type="hidden" name="RelayState" value="/setup/secur/RemoteAccessAuthorizationPage.apexp?source=..."/>                
                <input type="hidden" name="SAMLRequest" value="..."/>                

            </div>
            <noscript>
                <div>
                    <input type="submit" value="Continue"/>
                </div>
            </noscript>
        </form>

    </body>
</html>

And there's the request that's posted to the SAML endpoint you configured (in my case, https://ADFS.example.com/adfs/ls/). So - follow the chain one more link and you should see what's really happening.

[SalesForce] Pass parameters through Redirect URI in oauth flow, to know sandbox or regular

OAuth flows support an optional state parameter, which can be used in this situation:

state: Specifies any additional URL-encoded state data to be returned in the callback URL after approval.

See more in Developer Guide and Help pages.

Best Answer

Related Solutions

[SalesForce] Why does OAuth2 authorization endpoint redirect to callback URL as if it were the SAML IdP

[SalesForce] Pass parameters through Redirect URI in oauth flow, to know sandbox or regular

Related Topic