
Using the Refresh_Token

I retrieved the refresh_token and (for testing purposes) manually put the value into my code, compiled and ran.


So in my code I have:


// Requires: using System.IO; using System.Net;
string uri = "https://login.database.com/services/oauth2/token?grant_type=refresh_token&client_id=" + clientid + "&client_secret=" + clientsecret + "&refresh_token=my refresh token";

var webRequest = (HttpWebRequest)WebRequest.Create(uri);
webRequest.Method = "POST";

using (var response = webRequest.GetResponse() as HttpWebResponse)
{
    if (webRequest.HaveResponse && response != null)
    {
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            // Read the whole response body and append it to the label.
            string result = reader.ReadToEnd();
            lblresult.Text += result;
        }
    }
}

 But I get a Bad Request response.


Yet again, the Salesforce documentation appears to contradict itself.


In the Salesforce setup (under Security Controls/Session Settings) the max timeout value (in the Developer Edition at least) is 12 hours, which I believe is used to determine the valid period for a refresh token.


On the other hand:



The refresh token may have an indefinite lifetime, persisting until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server.


If 12 hours is the time limit, then that is truly useless. Hopefully someone can confirm that the time limit/session is unlimited.


The documentation at




indicates that:

Once Salesforce verifies the refresh token request, it sends a response to the application with the following response body parameters:








which is returned as 


{ "id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",



So maybe someone can shed light on why I am getting the 

The remote server returned an error: (400) Bad Request.





You need to URLEncode the parameters when you build the URL. If that still doesn't work, then you'll want to read the response body that goes with the 400 error; that should have more info on what's wrong.

Thanks. I'll try that tomorrow and see how I get on.

I don't think it is anything to do with the content of the url string and the parameters.


string uri = "https://login.database.com/services/oauth2/token?grant_type=refresh_token&client_id=" + clientid + "&client_secret=" + clientsecret + "&refresh_token=my refresh token";


But I do think it may have something to do with the url that the request is being made to.


The documentation at:




indicates endpoints :


For authorization: https://login.salesforce.com/services/oauth2/authorize
For token requests: https://login.salesforce.com/services/oauth2/token



In my first app I was making a request to: https://login.database.com/........and getting the login screen.


I am under the impression that by using the Refresh Token I will be bypassing the login screen (as my objective is to have an automated system to extract the data). Maybe that isn't the case.


The documentation goes on to indicate (in relation to the Refresh Token):


The client application obtains a new access token by sending a POST request to the token request endpoint with the following request parameters:




Once Salesforce verifies the refresh token request, it sends a response to the application with the following response body parameters:


Since the endpoint url is "login" I'm now assuming that using the Refresh Token will, in fact, raise the login page (which is not what I want).


So, maybe someone could clarify :


1. If the use of the Refresh Token (to receive an authorization) does require the login page to be loaded and that once the correct login details are entered the Authorization Token is returned.




2. The use of the Refresh Token should just return an authorization token without the need to perform a login scenario.


If the answer is "2" then I think the url I am calling is incorrect, whereas if the answer is "1" then what is the point of a Refresh Token if all it does is require the user to manually login before receiving an authorization token.






If you have a refresh token, then you've already been through an interactive login process, and you can generate a new access token from your refresh token without any more UI. (so (2) in your list below)



What about the token endpoint?


The documentation states it is: https://login.salesforce.com/services/oauth2/token.......


which I've tried.


I also tried https://login.database.com/services/oauth2/token........


If I set the url to either as:






I get the login screen.



If I try either with services/oauth2/token in the path (with the required params) I get Bad Request.


If I try to extract any error content in 


using (var response = webRequest.GetResponse() as HttpWebResponse)


to get anything back, it fails so all I can get is a Bad Request error message.


The bottom line is, what is the correct url because I think I am calling the wrong url.











Found the solution.


In the settings for the Connected App set "Require Users to Login"


Set this to The First Time they use this application.


Jeez, you'd think they could have added this to the documentation.