[SalesForce] Why is refresh_token only returned in particular cases using OAuth

I'm working on putting together a quick integration using OAuth, and stubbed out a POC in one Salesforce public Site that authenticates against another. Everything seems to work fine, except I don't get a refresh token back with my authorization. After looking through the documentation some more, it looks like you can only get a refresh token if you meet the following criteria:

How does this work for anyone that wants to redirect to a different domain using https? Would you need to manually force the user to reauthenticate via the dialog every time there is an expiration, or do you set up a non-secure endpoint for your redirect URI just to get a refresh token?

Best Answer

The key to this depends on the flow you're using. The specific rules around redirect URIs are specific to the User Agent flow. We won't hand out refresh tokens to those URLs if you're using that flow. If you use the webserver flow (response_type=code) and ask for the appropriate scopes, then things work better.

As far as your question about a non-secure endpoint, definitely not. The non-https schemes refer to custom schemes like myiphoneapp://callback.
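The web server flow the answer recommends, written out as an added example (Python; not code from the question, the answer or Salesforce). The login host, connected-app credentials and callback URL are placeholders, and the token response is a constructed sample, not a captured reply.

```python
import json
from urllib.parse import urlencode

# Placeholders, not real values: host, connected-app credentials, callback.
LOGIN_HOST = "https://login.salesforce.com"
CLIENT_ID = "CONNECTED_APP_CONSUMER_KEY"
CLIENT_SECRET = "CONNECTED_APP_CONSUMER_SECRET"
REDIRECT_URI = "https://example.com/oauth/callback"

# Constructed sample of a token response (not a captured Salesforce reply).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "instance_url": "https://example.my.salesforce.com",
    "token_type": "Bearer",
})


def authorize_url(state, scopes=("api", "refresh_token")):
    """Step 1: the browser is sent here. response_type=code selects the web
    server flow; response_type=token would be the user-agent flow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # refresh_token scope asks for a refresh token
        "state": state,             # echoed back; verify it on the callback (CSRF)
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def token_request(code):
    """Step 2: form body POSTed to /services/oauth2/token to swap the code."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "redirect_uri": REDIRECT_URI}


def refresh_request(refresh_token):
    """Later: body that renews the access token without re-showing the dialog."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}


def parse_token_response(body):
    """Parse the JSON token reply; fail loudly when no refresh_token came back,
    which is the symptom the question describes."""
    data = json.loads(body)
    if "refresh_token" not in data:
        raise RuntimeError("no refresh_token: check response_type=code and scope")
    return data["access_token"], data["refresh_token"]
```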