[SalesForce] Salesforce OAuth Token IP Restrictions

Short version:
It seems that the access_token retrieved via OAuth is restricted to use only by the IP address that requested it. Is there a way to remove this restriction?

Long version:
I am attempting to run a website on a server outside of Salesforce and access an Apex REST API on a Salesforce instance.

Because Salesforce does not support the OPTIONS HTTP call, I'm trying to get around cross domain (CORS) issues using an PHP-based proxy on the server hosting the website.

What I'm finding is that while the access_token is passed through and access works fine when I run the proxy on localhost (which is where I requested the token from), when I upload it to the webserver I get a 401 return and a message indicating that that the token is invalid. To verify that it was IP related, I changed my IP (by tethering to my phone) and then found that the version on my localhost failed as well.

Based on the existence of this similar proxy, I think that this must be possible, but I can't figure out where.

I'm not sure if it matters, but these are portal users, authenticating via a connected app. I've tried setting the "Relax IP Restrictions" setting in the connected app, but this didn't work and seems to be for something different. I've looked all over through the Site, but didn't see any way of doing this.

So my question is: is there any way to set Salesforce to NOT restrict an OAuth access_token to the IP on which it was registered?

If not, then it would seem that there is no way to develop an external website that uses a REST API hosted on Salesforce.

Best Answer

The most likely cause is that you have 'Lock sessions to the IP address from which they originated' enabled in 'Session Settings' - uncheck that if it is checked and give it a try.

enter image description here

Related Solutions

[SalesForce] Calling REST API in Canvas with OAuth Webflow (GET)

Sorry for the delay in answering.

You can do this today with the SDK. There are examples in the SDK on how to use the OAuth method. Essentially, you use canvas to establish the OAuth authentication, and then use the SDK and the OAuth token to get the context portion of the signed request. With that, you can then make the cross domain calls, just as you would with signed request.

An example would be:

<DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>

<title>Test Page for OAUth User Agent</title>

<script type="text/javascript" src="/sdk/js/canvas-all.js"></script>

</head>
<body>
<script>

    if (self === top) {
        // Not in Iframe
        alert("This canvas app must be included within an iframe");
    }

    function contextCallback(msg){
    var html,context;
    if(msg.status !== 200){
      console.log (msg.status);
      return;
    }
    Sfdc.canvas.client.autogrow(Sfdc.canvas.oauth.client());
        Sfdc.canvas.byId('canvas-request-string').innerHTML = jsonSyntaxHighlight(msg.payload);
    }

     function jsonSyntaxHighlight(json) {
        if (typeof json != 'string') {
           json = JSON.stringify(json, undefined, 2);
        }
        json = json.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
        return json.replace(/("(\\u[a-zA-Z0-9]{4}|\\[^u]|[^\\"])*"(\s*:)?|\b(true|false|null)\b|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?)/g, function (match) {
            var cls = 'number';
            if (/^"/.test(match)) {
                if (/:$/.test(match)) {
                    cls = 'key';
                } else {
                    cls = 'string';
                }
                } else if (/true|false/.test(match)) {
                    cls = 'boolean';
                } else if (/null/.test(match)) {
                    cls = 'null';
                }
                   return '<span class="' + cls + '">' + match + '</span>';
             });
    }

    function clickHandler(e) {
        var uri;

        if (! Sfdc.canvas.oauth.loggedin()) {
            uri = Sfdc.canvas.oauth.loginUrl();
            console.log("Login URI: " + uri);
            // This uri is the outer parent window.
       Sfdc.canvas.oauth.login(
        {uri : uri,
        params: {
                  display : "touch",
          response_type : "token",
          client_id : "", //Add Your Consumer ID
          redirect_uri : encodeURIComponent("") //Add your Callback URL
        }});
        }
        else {
            Sfdc.canvas.oauth.logout();
        }
        return false;
    }

    // Bootstrap the pae once the DOM is ready.
    Sfdc.canvas(function() {
        // On Ready...
        var login    = Sfdc.canvas.byId("login"),
            loggedIn = Sfdc.canvas.oauth.loggedin();
        login.innerHTML = (loggedIn) ? "Logout" : "login";
        Sfdc.canvas.byId("access-token").innerHTML = (loggedIn) ? Sfdc.canvas.oauth.token() : "No Token";
        login.onclick=clickHandler;
    if(loggedIn){
      Sfdc.canvas.client.ctx(contextCallback, Sfdc.canvas.oauth.client());
    }
    });

</script>

<style>
    pre {white-space: pre-wrap;padding: 5px; margin: 5px; overflow:auto;width:auto;height:80%;}
      .string { color: green; }
      .number { color: darkorange; }
      .boolean { color: blue; }
      .null { color: magenta; }
      .key { color: red; }
</style> 

<h1 id="header">OAuth Canvas App</h1>
<div>
 <div>
    <a id="login" href="#">Login</a>
  </div>
  <div>
     Access Token: <span id="access-token"></span>
  </div>
  <div id="canvas-content">
    <h4>Once logged in through OAuth, you can see the JSON representation of Canvas Request below:</h2>
    <pre><code id="canvas-request-string"></code></pre>
 </div> 
 </div>
</body>
</html>

[SalesForce] One machine getting “unknown_error” during password OAuth flow — works elsewhere

Found the problem.

After enforcing TLS 1.2 in curl, the request works (using cURL 7.19.7):

curl --tlsv1.2 -v https://login.salesforce.com/services/oauth2/token -d "grant_type=password&client_id=myConsumerKey&client_secret=myConsumerSecret&username=me@example.com&password=myPassword"

and I get my access token:

{"access_token":"00D410000006auq!AQkAQHVvs3VVyxNQhWfNvHJMedPrxrIg5CmAfQuzLgcb4PLEkgFhAcglNbjc8edr.2YsuvYTj3.Zyq1bm3eMHNpiRoeSIx3o","instance_url":"https://na35.salesforce.com","id":"https://login.salesforce.com/id/00D410000006auqEAA/00541000000ZJOwAAO","token_type":"Bearer","issued_at":"1473378249214","signature":"dMgWG53P3sRvDmO/yfb8C9v6FOOpXLzSfxo5wxgrdz8="}

This is apparently related to Salesforce disabling TLS 1.0. I thought we'd be okay since we're running a high enough version of OpenSSL, but apparently that doesn't guarantee curl won't use one of the other supported versions of TLS! Learning is painful!

Thanks for the help.

Best Answer

Related Solutions

[SalesForce] Calling REST API in Canvas with OAuth Webflow (GET)

[SalesForce] One machine getting “unknown_error” during password OAuth flow — works elsewhere

Related Topic