Salesforce returning "unsupported_grant_type"

We implemented OAuth 2.0 using the Web Server Authentication Flow. It was working fine in October/November, but all of a sudden it has stopped working. Whenever we try authorising another client, the server returns (400) Bad Request with the body

{"error":"unsupported_grant_type","error_description":"grant type not supported"}

grant_type is set as authorization_code which is definitely valid.

Is there any reason why OAuth would suddenly stop working?


This is how we have implemented OAuth:

First, the user is directed to: https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=blah.id&redirect_uri=https://domain.com/Web/Salesforce/Callback.aspx&scope=api%20refresh_token

The user is prompted by Salesforce to log in to their account.

Once the user is authenticated, Salesforce calls Callback.aspx, which requests a refresh token on behalf of the client by making a POST request to: https://login.salesforce.com/services/oauth2/token with the payload:

grant_type=authorization_code&code=blah.code&client_id=blah.Id&client_secret=11111111&redirect_uri=https://domain.com/Web/Salesforce/Callback.aspx

The content type is definitely application/x-www-form-urlencoded.

mob1lejunkie asked Jan 17 '13 05:01

1 Answer

After a lot of fiddling around with Fiddler, I figured out that there was a space before grant_type=authorization_code in the HTTP POST payload that was causing the issue.

Interestingly, that space had been in the code base since July, and this issue was first noticed on 14th Jan. It is possible Salesforce fixed a bug or made an internal change to reject a space before grant_type=authorization_code.

mob1lejunkie answered Oct 28 '22 22:10

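A self-check for the token request body that catches the exact defect in the answer (a stray space turning the key into " grant_type"), added here as an example that is not part of the original question or answer. It uses only Python's standard library; the credentials and code values are constructed placeholders, and `build_token_body`/`check_token_body` are hypothetical helper names.

```python
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
REQUIRED_FIELDS = ("grant_type", "code", "client_id", "client_secret", "redirect_uri")


def build_token_body(code, client_id, client_secret, redirect_uri):
    """Build the authorization_code exchange body with urlencode instead of
    string concatenation, so no accidental whitespace can precede the first key."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    return urlencode(params)


def check_token_body(body):
    """Return a list of problems a strict form parser would hit on this body.

    A leading space makes the server see the key ' grant_type' rather than
    'grant_type', so from its point of view no grant type was sent at all,
    which matches the unsupported_grant_type error in the question.
    """
    problems = []
    if body != body.strip():
        problems.append("body has leading/trailing whitespace")
    fields = parse_qs(body, keep_blank_values=True)  # does not strip keys
    for key in REQUIRED_FIELDS:
        if key not in fields:
            problems.append("missing field %s (check for stray characters before it)" % key)
    if fields.get("grant_type") not in (None, ["authorization_code"]):
        problems.append("grant_type is %r, expected authorization_code" % fields["grant_type"])
    return problems


# Constructed sample: the body as the answer describes it, with the stray leading space.
BAD_BODY = (" grant_type=authorization_code&code=blah.code&client_id=blah.Id"
            "&client_secret=11111111&redirect_uri=https://domain.com/Web/Salesforce/Callback.aspx")

if __name__ == "__main__":
    good = build_token_body("blah.code", "blah.Id", "11111111",
                            "https://domain.com/Web/Salesforce/Callback.aspx")
    print("good body problems:", check_token_body(good))   # []
    print("bad body problems:", check_token_body(BAD_BODY))  # whitespace + missing grant_type
```

Run the check against the raw bytes you are about to send (what Fiddler shows), not against the dictionary you built them from, since the defect lives in the serialised body.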