+ Start a Discussion
mikebzmikebz 

{"error":"invalid_grant","error_description":"authentication failure - Invalid Password"}

I am following the guidelines from the Chatter guide and somehow I can't get the OAuth to work. 

 

It's not working from Java or curl.   Here is what I am doing:

 

mike$ curl --form client_id=3MVG9yZ.WNe6bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxu5AjB4oT9kxi8SEhY --form client_secret=26542xxxxxxxxxxx78  --form grant_type=password --form username=xxxxxxxx@gmail.com --form password=xxxxxxx https://na11.salesforce.com/services/oauth2/token

 

What I am getting is:

{"error":"invalid_grant","error_description":"authentication failure - Invalid Password"}

 

I double checked and I am getting into na11 with the right password.  Is there anything else I need to do?

 

Here are the settings in my remote access:

 



Applicationchatter



Callback URLhttps://na11.salesforce.com/ConnectTest/oauth/_callback /// temp one



No user approval required for users in this organizationNot Checked

 


Best Answer chosen by Admin (Salesforce Developers) 
SuperfellSuperfell

You probably need to include your API security token with the password. See the help topics on identity confirmation.

All Answers

SuperfellSuperfell

You probably need to include your API security token with the password. See the help topics on identity confirmation.

This was selected as the best answer
mikebzmikebz

Bingo! however I was hoping that the tokens are done with when it comes to OAuth.  I guess not.

SuperfellSuperfell

They are if you use one of the interactive flows, but not for any programatic flow.

VishalAscVishalAsc

Hi Simon,

I am writing a .Net (GUI-less) application to talk to Chatter REST API.

And first problem I am facing is at getting OAuth token.

Every article about OAuth says that one has to provide callback URL where OAuth token will be provided. But when we are developing an application which cannot be reached from outside (through an URL), how can we get OAuth token?

 

What is the way to get OAuth token programatically?

 

Thanks,

Vishal

SuperfellSuperfell

You can use the username-password OAuth2 flow. there are details in the remote access parts of the online help, and on the blog.

chintachinta

Hi  Sir.

 

Nice ............

jarrett.sloanjarrett.sloan

Hi Simon, where'd you find the information about using just username and password? Long shot but hoping you remember.

stobestobe

Hi there

We have the problem of getting authenticated by our SF sandbox environment

When we exclude security token from password it obviously returns API sec. token required, which we expect  to happen

However when we DO include (append) the security token the sandbox returns 'invalid password', but the password is ok and we use that password while logging in the gui

 

How come?

 

thanks

Stefan

 

 

s-tobe@xubuntuXPS:~$ curl https://test.salesforce.com/services/oauth2/token -d grant_type=password&client_id=<clientid>&username=<username>&password=<password>' -H "X-PrettyPrint: 1"
{
  "error" : "invalid_grant",
  "error_description" : "authentication failure - Failed: API security token required"

s-tobe@xubuntuXPS:~$ curl https://test.salesforce.com/services/oauth2/token -d grant_type=password&client_id=<clientid>&username=<username>&password=<password><security token>' -H "X-PrettyPrint: 1"
{
  "error" : "invalid_grant",
  "error_description" : "authentication failure - Invalid Password"

KampfschnakeKampfschnake

Have you tried adding the client_secret?

sj99sj99

I'm having the same problem:

 

curl -X POST --verbose -d @datasj.txt https://login.salesforce.com/services/oauth2/token

 

datasj.txt:

grant_type=password&client_id=xxxxxxxxxxxx&client_secret=XXXXXX&username=santosh_joseph%40vht.com&password=xxxxxxXXXXXX

 

 

I do have the security token appened to the password.

doron.neumann1.3952396895070002E12doron.neumann1.3952396895070002E12
I had the same problem which I resolved setting the connected app "IP Restrictions" to "Relax IP restrictions"
Nrottam SinghNrottam Singh
Thanks, doron 
User password oauthentication flow work after change "IP Restrictions" to "Relax IP restrictions" setting 
Thanks again
Krati RajpurohitKrati Rajpurohit
im facing the same issue, when trying programatically

below is my code:
PostMethod post = new PostMethod("https://login.salesforce.com/services/oauth2/token");
            post.setParameter("grant_type","password");  post.setParameter("client_id","3MVG9ZL0ppGP5UrBtzV375FzNEKv4M0YHXq47vVM8O3rYjXp1VkxmcTRA_mpzUYB6vtedwwGS.3AG6lsiIODA");
            post.setParameter("client_secret",secretKey);
            post.setParameter("username","krati0009@gmail.com");
            post.setParameter("password","*****");
           // post.addParameter("redirect_uri",redirecturi);
            HttpClient httpclient = new HttpClient();
            httpclient.executeMethod(post);


my password has security key appended, still im getting the "invalid_client". kindly guide
Abhishek.JyotiAbhishek.Jyoti
@Krati,
Plz go to Create --> App --> Connected App. click on "connected app" then click on "Manage" button. On click, you have to change "IP Relaxation" setting to "Relax IP Restrictions". With this setting you can resolve such issue.

Thanks
Abhishek
Theodore SandsTheodore Sands
If you are authorizing against a sandbox, you have to use test.salesforce.com instead of login.salesforce.com.

Reference: https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_oauth_endpoints.htm?state=id
Gbolahan JolapamoGbolahan Jolapamo
I tried relaxing my IP, and used the format that includes my token: curl -v https://login.salesforce.com/services/oauth2/token -d "grant_type=password" -d "client_id=3MVG9KI2HHAq33Ry8PcGf8.fdLcF92S8496EX3rBaZ5_MeL7UE1wUPHOyY_1bHEHpqwWlmfvYCuVZF5S4CQS0" -d "client_secret=1234724115031080467" 
    -d "username=aaa@bbb.com" -d "password=ccccccxxxxxxxxxxx"

still having same problem:{"error":"invalid_grant","error_description":"authentication failure"}* Connection #0 to host login.salesforce.com left intact


i'm open to suggestions on what might be causing my error.
Felipe Oliveira 15Felipe Oliveira 15
I'm also having the same problem. I tried to change the IP rules, the sandbox url, etc.
Nothing worked.

Im still getting
{
    "error": "invalid_grant",
    "error_description": "authentication failure"
}

Any suggestions?
Felipe Oliveira 15Felipe Oliveira 15
I found a way

you need to change the Permitted Users to "All users may self-authorize"
Darshan Chhajed 7Darshan Chhajed 7
Hi All, I am getting the same error. I have tried following steps to resolve but still no luck.
1. I have changed IP relaxation to 'Relax IP Restriction' 
2. I have added trusted IP range for my org.
3. I have added login ranged to profile.
4. I have changed default login.salesforce.com url to test.salesforce.com/ myBaseUrl.salesforce.com

Still I am getting invalid grant error on sandbox.

Note- On production/dev org its working fine issue is when I try to connect to a sandbox. 
shibi priyadarshanshibi priyadarshan
Your password should not contain any special characters like # or &...
example pwd=jagan123
My connection String:
https://login.salesforce.com/services/oauth2/token?grant_type=password&client_id=<client_id>&client_secret=<client_secret>&username=<username>&password=pwdsecuritytoken

I gave like this. So, its worked for me.
Jeremy SmithJeremy Smith
What is your source for "Your password should not contain any special characters like # or &..."?  I know this one starts with $  I have a vendor integration account with a similar issue, but other accounts with the same profile connect with no problem.  I can tell my vendor to change his password in a few dozen places but I need some concrete evidence before taking up the fight.
Gbolahan JolapamoGbolahan Jolapamo
I think anyone trying to communicate with salesforce via curl enable cURL access from connected app settings in user profile. This might solve the issue. 
Sidney JonesSidney Jones
Hi All,
There are a few things that may cause Salesforce API integration login errors like "authentication failure" and "nexpected character encountered while parsing value: e. Path...". Here is check list to ensure a guaranteed solution:
1) Make sure you are passing the token URL into the AuthenticationClient.UsernamePasswordAsync if you are appending an security token with your password.
2) Make sure your token URL is pointing to the sandbox URL "https://test.salesforce.com/services/oauth2/token" or the product URL "https://login.salesforce.com/services/oauth2/token" if you are accessing a production environment.
3) Make sure you are using the correct security token, client id, and client secret as well as username and password credentials.
4) Make sure you assign the correct security protocol to ServicePointManager.SecurityProtocol. (i.e. SecurityProtocolType.Tls11). This needs to be set before you attempt to login.

Keep in mind this error can be related to multiple scenarios.

Hope this helps.
Thanks,
Sidney
Rajesh PurushothamanRajesh Purushothaman
Hi,

I am trying to call the SANDBOX and I cant get my OAuth to work.
I am using Curl to make the call. 

curl -v --cacert cacert.pem POST -H --URL 'https://test.salesforce.com/services/oauth2/token' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&client_id=<client_id>&client_secret=<client_secret>&username=<username>&password=<password><securitytoken>'

When I execute this command, this is the output that i am getting

* Rebuilt URL to: POST/
* Hostname was NOT found in DNS cache
* getaddrinfo(3) failed for POST:80
* Couldn't resolve host 'POST'
* Closing connection 0
curl: (6) Couldn't resolve host 'POST'
* Hostname was NOT found in DNS cache
*   Trying 136.147.58.45...
* Connected to test.salesforce.com (136.147.58.45) port 443 (#1)
* successfully set certificate verify locations:
*   CAfile: cacert.pem
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* Server certificate:
*        subject: C=US; ST=California; L=San Francisco; O=Salesforce.com, Inc; OU=Applications; CN=test.salesforce.com
*        start date: 2015-06-05 00:00:00 GMT
*        expire date: 2018-06-04 23:59:59 GMT
*        subjectAltName: test.salesforce.com matched
*        issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 Secure Server CA - G4
*        SSL certificate verify ok.
> POST /services/oauth2/token? HTTP/1.1
> User-Agent: curl/7.37.0
> Host: test.salesforce.com
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 251
>
* upload completely sent off: 251 out of 251 bytes
< HTTP/1.1 400 Bad Request
< Date: Fri, 07 Apr 2017 19:44:31 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss
< Content-Security-Policy: referrer origin-when-cross-origin
< Set-Cookie: BrowserId=_BCFUJXiSAunloQikTqmQw;Path=/;Domain=.salesforce.com;Expires=Tue, 06-Jun-2017 19:44:31 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, no-store
< X-ReadOnlyMode: false
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
<
* Connection #1 to host test.salesforce.com left intact
{"error":"invalid_grant","error_description":"authentication failure"}


This same command is working for Silverline person when he is executing from his local machine and not on Salesforce server.

Anyone knows what I should be checking for this issue?

Appreciate any help in advance.
 
Rajesh PurushothamanRajesh Purushothaman
I did some more digging. This is the version of CURL we have installed in our Cloverleaf box
 
#curl -V
curl 7.37.0 (powerpc-ibm-aix6.1.0.0) libcurl/7.37.0 OpenSSL/1.0.0g zlib/1.2.3 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz
 
TLS 1.1 and TLS 1.2 are supported since OpenSSL 1.0.1
 
So until we upgrade our CURL version or install the patch to support TLS 1.1 / 1.2, I won’t be able to make any progress.

I am able to connect to the SalesForce test webserver using my .Net code and connecting via TLS 1.1
Got the Token and Instance URL back
Bruce CostelloBruce Costello

Hi everybody, I am having a similar problem. I am actually able to get the acces token using the terminal like so:

curl -X POST \ https://login.salesforce.com/services/oauth2/token \ -d 'grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}'
(My PASSWORD is my password and SECURITY_TOKEN appended.) 

So far, so good. 

My problem comes when trying to use php curl to achieve the same, here is were I am stuck with the {"error":"invalid_grant","error_description":"authentication failure"} message.

Here is my code:
 

//USING CURL
 
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://login.salesforce.com/services/oauth2/token");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}");
curl_setopt($ch, CURLOPT_POST, 1);

$headers = array();
$headers[] = "Content-Type: application/x-www-form-urlencoded";
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$result = curl_exec($ch);
$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);

curl_close($ch);

debug($status); //(int) 400
debug($result); //'{"error":"invalid_grant","error_description":"authentication failure"}'
 

Any help would be appreciated. Here is the link to the same question on stackoverflow (http://stackoverflow.com/questions/43526224/migrating-curl-command-to-cakephp-3-0

Rajesh PurushothamanRajesh Purushothaman
Check your TLS version by enabling the verbose. 
I found the TLS 1.0 issue by doing so.
Bruce CostelloBruce Costello

Thanks Rajesh, I did that but I can't find anything wrong with the ouput. Here is what we got:

Verbose information:
* Hostname in DNS cache was stale, zapped
*   Trying 136.147.56.44...
* Connected to login.salesforce.com (136.147.56.44) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* SSL connection using TLSv1.0 / AES256-SHA
* Server certificate:
* 	 subject: C=US; ST=California; L=San Francisco; O=Salesforce.com, Inc; OU=Applications; CN=login.salesforce.com
* 	 start date: 2016-03-03 00:00:00 GMT
* 	 expire date: 2018-07-01 23:59:59 GMT
* 	 subjectAltName: login.salesforce.com matched
* 	 issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 Secure Server CA - G4
* 	 SSL certificate verify ok.
> POST /services/oauth2/token HTTP/1.1
Host: login.salesforce.com
Accept: */*
Content-Length: 230
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 230 out of 230 bytes
< HTTP/1.1 400 Bad Request
< Date: Thu, 20 Apr 2017 20:01:18 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss
< Content-Security-Policy: referrer origin-when-cross-origin
< Set-Cookie: BrowserId=K1PKNA3aSXWkdU7ZGGUzmA;Path=/;Domain=.salesforce.com;Expires=Mon, 19-Jun-2017 20:01:18 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, no-store
< X-ReadOnlyMode: false
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< 
* Connection #0 to host login.salesforce.com left intact
/src/Controller/Api/UsersController.php (line 236)
[
	'url' => 'https://login.salesforce.com/services/oauth2/token',
	'content_type' => 'application/json;charset=UTF-8',
	'http_code' => (int) 400,
	'header_size' => (int) 651,
	'request_size' => (int) 381,
	'filetime' => (int) -1,
	'ssl_verify_result' => (int) 0,
	'redirect_count' => (int) 0,
	'total_time' => (float) 0.907846,
	'namelookup_time' => (float) 0.001754,
	'connect_time' => (float) 0.186962,
	'pretransfer_time' => (float) 0.569475,
	'size_upload' => (float) 230,
	'size_download' => (float) 70,
	'speed_download' => (float) 77,
	'speed_upload' => (float) 253,
	'download_content_length' => (float) -1,
	'upload_content_length' => (float) 230,
	'starttransfer_time' => (float) 0.907774,
	'redirect_time' => (float) 0,
	'redirect_url' => '',
	'primary_ip' => '136.147.56.44',
	'certinfo' => [],
	'primary_port' => (int) 443,
	'local_ip' => '192.168.1.46',
	'local_port' => (int) 55882
]
 

 

Rajesh PurushothamanRajesh Purushothaman
Bruce,

I think you are having the same issue as I did. Please see the following line in your output.

* SSL connection using TLSv1.0 / AES256-SHA

This should say TLSv 1.1 (or) TLSv1.2 for SalesForce to reply the token.
The error message is misleading. I tested my code using an updated version of Curl and I was able to connect and get the Token back using the same code.

This is the output (giving partial data only) I got once I upgraded the Curl version.....see that I am now using TLSv1.2

* Rebuilt URL to: POST/
* Could not resolve host: POST
* Closing connection 0
curl: (6) Could not resolve host: POST
*   Trying 96.43.145.28...
* TCP_NODELAY set
* Connected to test.salesforce.com (96.43.145.28) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
 
Bruce CostelloBruce Costello
Thanks Rajesh, you were right. My local MAMP php uses TLS 1.0 and my terminal uses TLS 1.2 and that is why it worked there. On my production server we have TLS 1.2 and worked right away!

Here is (http://stackoverflow.com/a/31351605/4905076) an easy way to check what TLS version you have, maybe it could help someone else. 
Rajesh PurushothamanRajesh Purushothaman
Bruce,
Thanks for letting me know. I really had to fish around to find the cause when I had this issue.
Venkateswar Reddy MVenkateswar Reddy M
To those facing this (Authentication failure with InvalidGrant error) issue with Force.com-Toolkit-for-NET, adding below line just before UsernamePasswordAsync would help resolve - TLS version configuration.
//enable TLS1.1 and TLS1.2
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
await auth.UsernamePasswordAsync(consumerKey, consumerSecret, userName, password, loginURL);
Rajesh PurushothamanRajesh Purushothaman
Did you check your TLS version by enabling the verbose. 
Dave_BoyceDave_Boyce
password="[userpassword][security_token]" worked on the curl call.
Scott Wilson 44Scott Wilson 44
TLS! You know what would be really cool? If the API just simply told you in the error message that you're using the wrong version of TLS so that you don't waste hours spinning your wheels and reading through miles of forum threads that don't help.
rohit kumarrohit kumar

Abhishek.Jyoti is correct... change "IP Relaxation" setting to "Relax IP Restrictions". 
Nick D'Amico 17Nick D'Amico 17
I hope this helps someone... I was copying the curl example right out of the documentation (https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart_oauth.htm), but it wasn't working.

curl https://login.salesforce.com/services/oauth2/token -d "grant_type=password" -d "client_id=myclientid" -d "client_secret=myclientsecret" -d "username=mylogin@salesforce.com" -d "password=mypassword123456"

All I had to do was use single quotes around 'password=mypassword123456'.
Paul RitoPaul Rito
Thanks, Nick! Using single quotes worked immediately! Your answer should be at the top of this thread, not the bottom! 
Steve Berley [Left Propeller]Steve Berley [Left Propeller]
I'm running into this issue, but with a strange twist....

I have three users. 
  • All use the System Administrator profile, Salesforce licens as well as the same role and permission sets 
  • They're all using the same connected app client_id and client_secret.
  • The passwords are always appended to account's security token
  • IP Relaxation is set to: Relax IP restrictions
  • Permitted users is set to: All users may self-authorize
  • I can login to the UI with any of the user id/password combinations 
  • I have an older app still that relies on password+token to login and have verified that the tokens are all working as well.
One userid/password combination is always successful the other two always fail.  When I curl with either of the two that fail, I get the dreaded {"error":"invalid_grant","error_description":"authentication failure"} errors and the login history for those users shows a status of Invalid Password, even though the password and token test to be good.

The only difference I can think of is the login that works is one that was used to create the org.

Needless to say this is driving me batty...

What do you all suggest?

Steve 
Elver FlorezElver Florez
the integration with this system is crap, if so many people have the same problem it is not the fault of the people it is the fault of the system
AWS ConnectAWS Connect
or nobody reads the documentation
https://help.salesforce.com/articleView?id=000212208&language=en_US&type=1
Argenis PerezArgenis Perez

When I use this command

curl -X POST \ https://login.salesforce.com/services/oauth2/token \  -d 'grant_type=password&client_id=xxxxxx&client_secret=xxxxx&username=argenisperez2@gmail.com&password=xxxxxxxxx'

I receive the following error message:


curl: (1) Protocol " https" not supported or disabled in libcurl
curl: (6) Could not resolve host:  
 

Scott Harbaugh 33Scott Harbaugh 33
I was able to resolve this problem by changing my password to remove all special characters. After doing that I was able to log in using CURL, I tried most of the solutions on this page, it was not my TLS version, double or single quotes made no difference, I did not need a security token, but removing the "@ and !" chars from my password corrected it.
Srinivasu BonguSrinivasu Bongu
Hello, I am trying to authenticate using only client ID and client secret. Is it possible (or) do i have to authenticate using username-password flow? I have posted my question in the salesforce community. Please check it and let me know. 

Link: https://developer.salesforce.com/forums/?id=906F0000000g37xIAA#!/feedtype=SINGLE_QUESTION_DETAIL&dc=Developer_Forums&criteria=ALLQUESTIONS&id=9062I000000XlXzQAK