Issues with connected App - {"error_description":"authentication failure","error":"invalid_grant"}

  • I've successfully implemented the oAuth2 authentication process using the Web Server Flow of the REST API between my application and Salesforce, and it's working great when connecting with a Developer Edition type Salesforce account.

    However, it's not working when trying to connect a test or prod environment type Salesforce account: I can't get an access token with the authorization code given by Salesforce since Salesforce gives me this error:

    {"error_description":"authentication failure","error":"invalid_grant"}

    Does anybody have an idea why it's not working ?

    Here's what I've done:

    Step 1 => OK => Redirect user to Salesforce

    Step 2 => OK => User logs in

    Step 3 => OK => User is redirected to our application with the authorization code

    Step 4 => NOT OK => We request an access token using the authorization code given by Salesforce

    We have tried it all (maybe not though :D): we have checked all the security configuration on our end and on the customer's end, we have checked for IP restrictions (no IP restriction is used), we have given our App "Full Access", but still no luck. We are receiving the authorization code which is encoded correctly and seems normal.

    Does anybody have an idea why it's not working ?

    Do you know if I need to validate our connected App before it can be used by test or prod type Salesforce accounts ?

    Thanks a lot for all your help in advance. Cheers Quentin

    NOTE : This is a duplicate of the following issue I guess, but it got no answer :(

    EDIT 1 :

    Here's the code I use ($instance is '' in our case):

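        // Token endpoint of the Salesforce instance the authorization code came from.
        $url = $instance . '/services/oauth2/token?format=json';
        // Parameters of the authorization_code grant (step 4 of the flow).
        $postFields = array(
            'code' => $code,
            'grant_type' => 'authorization_code',
            'client_id' => $this->clientId,
            'client_secret' => $this->clientSecret,
            'redirect_uri' => $this->redirectURL);
        // Create the CURL object.
        $handle = curl_init($url);
        // Keep certificate verification on: this request carries the client secret.
        curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, TRUE);
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($handle, CURLOPT_FOLLOWLOCATION, TRUE);
        curl_setopt($handle, CURLOPT_POST, TRUE);
        curl_setopt($handle, CURLOPT_POSTFIELDS, $postFields);
        // Send the request; the JSON response body is returned as a string.
        $response = curl_exec($handle);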

    Did you take a look at this post: how are you building your CURL, can you post your CURL?

    I have edited the question with my code :) Thanks for reaching out so quickly :) I have seen the post you're mentioning and it's not pertinent to my problem since I'm using the grant type "authorization_code" and not "password" :)

    invalid_grant happens only for 2 reasons: 1) when there is an IP restriction or login hour restriction; 2) user credentials are not valid. Assuming 2) is provided right, can you check if there is any user/IP restriction?

    The following allowed IP range was already there for the user we're trying to use: "" to "". Also we have added the IP of our server as indicated in this link: Furthermore we have disabled IP restrictions on our end for the connected App. Do you think we have to add another configuration part for the IP restrictions bit?

    Can you try to URLEncode the redirectURL? I saw somewhere that redirectURL has to be URLEncoded. When you say disabled IP restriction, did you switch the IP Relaxation connected app setting to "Relax IP Restrictions"? Also, not sure if you had a chance to look at this awesome cookbook: (I am not too aware of PHP syntax, and your app seems to be talking PHP with Salesforce all over)

    I've tried with URLEncoded for the redirectURL and I've also tried to add the "CURLOPT_HEADER" attribute to false but neither of those tries worked... Yes I've set IP Relaxation connected app setting to "Relax IP Restrictions"... I'm going to try to send the parameters as GET parameters, not POST parameters, see if I have any luck. Do you see anything else I could try ?

    What permissions did you set for the account you are using to authenticate?

  • I feel pretty dumb answering my own question but that may help somebody someday.

    @Rao was totally right about that one so he deserves all the credit.

    In my "Edit 1", I was wrong about the content of $instance.

    It was not pointing to '', it was pointing to '' so it was normal to get an "authentication failure" error.

    So if you're experiencing the same problem, do check the URL you're sending the request to.

    Also look at the profiles assigned to the app.

    Man, I'd like to give you 70 up-votes for this one. Sometimes...
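The accepted answer comes down to sending the token request to a different URL than intended. The following is an added example, not code from the thread: it derives the token endpoint from the same login base used for the step 1 redirect and rejects an empty, non-HTTPS or unexpected host before the code and client secret are sent. The function names and the host allow-list (Salesforce's standard login hosts) are assumptions; the thread does not show its own values.

```php
<?php
// Added example, not the poster's code. The two hosts are Salesforce's standard
// login hosts and are an assumption here; the thread does not show its own values.
const ALLOWED_LOGIN_HOSTS = ['login.salesforce.com', 'test.salesforce.com'];
// Build the token URL from the same base the user was redirected to in step 1.
function tokenEndpoint(string $loginBase): string
{
    $parts = parse_url($loginBase) ?: [];
    if (($parts['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException("login base must be https: '$loginBase'");
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, ALLOWED_LOGIN_HOSTS, true)) {
        throw new InvalidArgumentException("unexpected login host: '$host'");
    }
    return "https://$host/services/oauth2/token";
}

// Step 4: exchange the code. $params holds code, client_id, client_secret, redirect_uri.
function exchangeCode(string $loginBase, array $params): array
{
    $url = tokenEndpoint($loginBase);
    $handle = curl_init($url);
    curl_setopt_array($handle, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the request carries client_secret
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['grant_type' => 'authorization_code'] + $params),
    ]);
    $body = curl_exec($handle);
    if ($body === false) {
        throw new RuntimeException("transport error for $url: " . curl_error($handle));
    }
    $json = json_decode($body, true);
    if (!is_array($json) || isset($json['error'])) {
        // Name the endpoint in the error; never include $params (it holds the secret).
        throw new RuntimeException("token exchange failed at $url: " . ($json['error'] ?? 'non-JSON response'));
    }
    return $json;
}

// Constructed inputs, checked offline: a bad base is rejected before any request is sent.
foreach (['', 'http://login.salesforce.com', 'https://test.salesforce.com'] as $base) {
    try {
        echo tokenEndpoint($base), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Store the login base chosen for the step 1 redirect in the user's session and pass that same value to exchangeCode() in step 4, so the code is redeemed at the host that issued it.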

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
