 

how to get a more permanent access token

Tags:

salesforce

The document at http://www.salesforce.com/us/developer/docs/api_rest/index_Left.htm#CSHID=quickstart_code.htm|StartTopic=Content%2Fquickstart_code.htm|SkinName=webhelp says

Salesforce uses authentication to allow users to securely access data without having to reveal username and password credentials.

but as far as I can tell, the only command that I can run to get an access_token is using my colleague's username and password like so

curl -d "username=yyyyyyy" -d "password=xxxxxxx" -d "client_id=zzzzzz" -d "client_secret=dddddddddd" -v -d "grant_type=password" https://login.salesforce.com/services/oauth2/token

and I have to regenerate that as the access_token keeps expiring. If it didn't, my colleague could just generate the token once and hand it off to me and be done with it.

How can I do this so he never has to give me his username/password AND my app will keep on working and working until he deletes the application from salesforce (which would hopefully invalidate the client_id and client_secret).

(That is how most APIs work at least so users don't have to give developers their username and password nor do we need to store username and password on production machines.) So how do we get this to work? OR are the docs completely wrong and I do need the user's login/password to access data even though that one line says otherwise.

Dean Hiller asked Mar 25 '14 17:03


1 Answer

Okay, this was rather annoying. In OAuth2, the proper way for an app that wants access to all data regardless of user and whether that user is logged in is grant_type=client_credentials which does not exist on Salesforce.

The workaround is as follows:

  1. In the GUI, edit your app and in the "API (Enable OAuth settings)", add "Access and manage your data (api)" or "Full Access" AND "Perform requests at any time on your behalf (Refresh token)"
  2. In the GUI, set the callback url to https://localhost/oauth (this is a hack and we will use this to our advantage later)
  3. Now, go to the url (fill in the params with your data) https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=YOURCLIENTID&redirect_uri=https%3A%2F%2Flocalhost%2Foauth
  4. Your browser will redirect you to https://localhost/oauth?code=YOURCODE NOTE: This code can only be used ONCE before you need to repeat step 3 and run again.
  5. Run a POST request using the code in step 4 (the YOURCODE) to url https://login.salesforce.com/services/oauth2/token with the data in the body of grant_type=authorization_code&code=YOURCODE&client_id=YOURCLIENTID&client_secret=YOURSECRET&redirect_uri=https%3A%2F%2Flocalhost%2Foauth

NOTE: There are some %3Ds in YOURCODE. You do not need to modify them or convert them to =; you can just leave them as is.

This now results in returning a refresh token you can use and the current access token you can use.

Now, just save the refresh token to your database (I am hoping it pretty much lasts until someone deletes the application and time will tell I guess).

Dean Hiller answered Sep 23 '22 15:09
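The five steps above, scripted end to end, as an added example that is not code from the original post. Steps 3 to 5 are the one-time bootstrap a human performs; the last function is what the unattended server job calls every time the access token expires, which is the part that removes the username/password from production. Beyond what the post states, it assumes the Salesforce token endpoint answers with JSON carrying access_token, refresh_token and instance_url (it does), and the injectable `post` argument, the function names and the placeholder client values are this example's own.

```python
"""OAuth2 authorization-code flow plus refresh-token renewal for Salesforce.

Added example, not the poster's code. Assumptions beyond the post: the token
endpoint answers with JSON carrying "access_token", "refresh_token" and
"instance_url" (it does in Salesforce), and the HTTP transport is injected via
the ``post`` argument so the flow can be exercised without network access.
"""
import json
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def http_post_form(url, fields):
    """Real transport: form-encoded POST, JSON reply (stdlib only)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def build_authorize_url(client_id, redirect_uri):
    """Step 3: the one URL the token owner opens in a browser.

    redirect_uri must match the connected app's callback URL exactly;
    Salesforce refuses the code exchange otherwise."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(query)


def code_from_redirect(redirect_url):
    """Step 4: take ?code=... from the https://localhost/oauth?code=... URL.

    parse_qs decodes the %3D sequences to '=', and urlencode re-encodes them
    in the token request, so the code reaches Salesforce unchanged."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "code" not in params:
        # A denied consent comes back as ?error=...&error_description=... instead.
        raise ValueError("redirect carried no code: " + redirect_url)
    return params["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri, post=http_post_form):
    """Step 5: one-shot exchange of the code; returns (access, refresh, instance_url).

    The code is single-use: a second POST with it fails and step 3 must be repeated."""
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}
    tok = post(TOKEN_URL, body)
    if "refresh_token" not in tok:
        # Happens when the connected app lacks the refresh_token scope (step 1).
        raise RuntimeError("no refresh_token returned; enable the refresh_token scope")
    return tok["access_token"], tok["refresh_token"], tok["instance_url"]


def refresh_access_token(refresh_token, client_id, client_secret, post=http_post_form):
    """What the unattended job runs when an API call comes back 401 with
    INVALID_SESSION_ID: trade the stored refresh token for a fresh access token.
    No username or password is involved."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}
    return post(TOKEN_URL, body)["access_token"]


if __name__ == "__main__":
    # Interactive one-time bootstrap; the client values are placeholders.
    cid, secret, cb = "YOURCLIENTID", "YOURSECRET", "https://localhost/oauth"
    print("Open in a browser:", build_authorize_url(cid, cb))
    landed = input("Paste the https://localhost/oauth?code=... URL you landed on: ")
    access, refresh, instance = exchange_code(code_from_redirect(landed), cid, secret, cb)
    print("instance:", instance)
    print("store this refresh token (it is a credential):", refresh)
```

The refresh token is itself a long-lived credential and should live in a secret store, not a config file in the repo; revoking the user's access to the connected app in Salesforce invalidates it, which is the "until he deletes the application" behaviour the question asks for.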