Here is my request:
POST https://mycompanyau.auth0.com/delegation
{
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"client_id": "[some valid client id]",
"id_token": "[id token for the same client]",
"api_type": "salesforce_api"
}
And I’m getting this error back:
{
"error": "invalid_client_id",
"error_description": "client identifier invalid",
"statusCode": 400
}
I believe this error is coming from Salesforce, and Auth0 is just relaying it.
The likely cause of this issue (and solution) can be found here: OAuth Dance -- "client identifier invalid" with Salesforce.com
In short, instead of requesting Salesforce access tokens from login.salesforce.com (Salesforce) or test.salesforce.com (Salesforce Sandbox), Auth0 needs to go directly to the pod of the user to request the SF access token (e.g. ap2.salesforce.com/services/oauth2/token instead of login.salesforce.com/services/oauth2/token). The pod of the user can be found from the user’s profile information.
I know that the /delegation endpoint is considered deprecated, but I need to force a refresh of the Salesforce access token because the instructions from https://auth0.com/docs/tokens/idp are giving me expired Salesforce access tokens, and there’s no other way to do this as far as I am aware?