
Sporadic error "invalid client id" when calling /delegation to get Salesforce access token

bug
salesforce
salesforce-api-deleg

#1

Here is my request:

POST https://mycompanyau.auth0.com/delegation

{
  "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "client_id": "[some valid client id]",
  "id_token": "[id token for the same client]",
  "api_type": "salesforce_api"
}

And I’m getting this error back:

{
  "error": "invalid_client_id",
  "error_description": "client identifier invalid",
  "statusCode": 400
}

I believe this error is coming from Salesforce, and Auth0 is just relaying it.
The likely cause of this issue (and solution) can be found here: http://blog.jeffdouglas.com/2012/12/21/oauth-dance-client-identifier-invalid/

In short, instead of requesting Salesforce access tokens from login.salesforce.com (Salesforce) or test.salesforce.com (Salesforce Sandbox), Auth0 needs to go directly to the pod of the user to request the SF access token (e.g. ap2.salesforce.com/services/oauth2/token instead of login.salesforce.com/services/oauth2/token). The pod of the user can be found from the user’s profile information.

I know that the /delegation endpoint is considered deprecated, but I need to force a refresh of the Salesforce access token because the instructions from https://auth0.com/docs/tokens/idp are giving me expired Salesforce access tokens, and there’s no other way to do this as far as I am aware?
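The pod fallback described in the post above, as an added example (not code from the thread, Auth0 or Salesforce): the token refresh is tried against login.salesforce.com first, and on Salesforce's "invalid_client_id" / "client identifier invalid" answer it is retried against the user's pod. The profile field name `instance_url`, the `post` transport and the fake Salesforce responder are assumptions; the allow-list check exists so the client secret is never sent to a host that is not a first-party Salesforce host.

```python
from urllib.parse import urlsplit

LOGIN_TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token"
TOKEN_PATH = "/services/oauth2/token"


def is_salesforce_host(host):
    """Only first-party Salesforce hosts may receive the client credentials."""
    return host == "salesforce.com" or host.endswith(".salesforce.com")


def pod_token_endpoint(profile):
    """Build the per-pod token endpoint (e.g. ap2.salesforce.com) from the
    user's profile. 'instance_url' is an assumed field name; the thread only
    says the pod can be read from the profile."""
    parts = urlsplit(profile["instance_url"])
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not is_salesforce_host(host):
        raise ValueError(f"refusing to send credentials to {host!r}")
    return f"https://{host}{TOKEN_PATH}"


def refresh_sf_token(post, profile, form):
    """Refresh against login.salesforce.com first; if Salesforce answers
    'invalid_client_id' (client identifier invalid), retry against the
    user's pod. post(url, form) -> (status, json_body) is injected so the
    function runs offline. Returns (endpoint_used, body)."""
    status, body = post(LOGIN_TOKEN_ENDPOINT, form)
    if status == 200:
        return LOGIN_TOKEN_ENDPOINT, body
    if body.get("error") != "invalid_client_id":
        raise RuntimeError(f"token refresh failed: {body}")
    endpoint = pod_token_endpoint(profile)
    status, body = post(endpoint, form)
    if status != 200:
        raise RuntimeError(f"pod token refresh failed: {body}")
    return endpoint, body


def fake_salesforce(pod_host):
    """Constructed stand-in for Salesforce: the login host rejects the
    request exactly as in the thread, the user's pod accepts it."""
    def post(url, form):
        if urlsplit(url).hostname == pod_host:
            return 200, {"access_token": "constructed-token",
                         "instance_url": f"https://{pod_host}"}
        return 400, {"error": "invalid_client_id",
                     "error_description": "client identifier invalid"}
    return post
```

With a real transport, `post` would send the form to Salesforce over HTTPS and return the status code and parsed JSON body.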


#2

I had faced a similar issue and I am using the Nimbus OAuth2 client; to resolve the issue I had to set client_id and client_secret as custom params of the TokenRequest. It works well with login.salesforce.com.
