.NET Authorization from Middleware

I'm writing middleware in WCF and trying to obtain an authorization token from salesforce for OAuth.

I'm posting to with the following data:


string postData = "client_id=" + key + "&client_secret=" + secret + "&redirect_url=http://localhost:1670/myservice.svc/callback" + "&grant_type=authorization_code";


SF keeps telling me "400 Bad Request"


Does anyone have any experience with this?

Pat Patterson

It looks like you're mixing a couple of the OAuth steps. You should start the OAuth exchange with a redirect to a URL something like


string url = "" +   // the authorization endpoint URL was lost from the page; it is not reconstructed here
    "response_type=code&client_id=" + key +
    "&redirect_uri=" + Uri.EscapeDataString("http://localhost:1670/myservice.svc/callback");

Note that the redirect URI is URL encoded.


This will take the user to the login page to authenticate and then authorize the application. Salesforce will redirect the browser back to the redirect URI with a code parameter - this is the OAuth authorization code. You should then POST the authorization code back to to obtain the access token, instance URL etc. The POST body will be something like


// The parameter is redirect_uri (not redirect_url) and its value must be percent-encoded.
string postData = "code=" + code + "&client_id=" + key + "&client_secret=" + secret +
    "&redirect_uri=" + Uri.EscapeDataString("http://localhost:1670/myservice.svc/callback") + "&grant_type=authorization_code";

You'll get a JSON-encoded response of the form:



You should also take a look at Getting Started with the REST API - it has a complete worked example in Java, which you can probably adapt to your purposes.


Let us know how you get on...
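The three steps above (redirect with response_type=code, read the code back from the callback, POST the code to the token endpoint) as one worked C# example. This is an added example, not code from the thread or from Salesforce; it assumes .NET 6 or later, the standard login.salesforce.com authorize and token endpoints, a consumer key/secret held in configuration, and the callback http://localhost:1670/myservice.svc/callback registered on the connected app. It also adds a `state` parameter and a check of the `signature` field that Salesforce includes in the token response, neither of which the thread mentions:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Web server OAuth flow against Salesforce (added example, not from the thread).
// Assumed: .NET 6+, login.salesforce.com endpoints (test.salesforce.com for sandboxes),
// and a connected app whose registered callback is the redirect URI used below.
public static class SalesforceWebServerFlow
{
    const string AuthorizeEndpoint = "https://login.salesforce.com/services/oauth2/authorize";
    const string TokenEndpoint = "https://login.salesforce.com/services/oauth2/token";
    static readonly HttpClient Http = new HttpClient();

    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // One random 'state' per login attempt, kept in the user's server-side session, so the
    // callback handler can refuse authorization codes it never asked for (login CSRF).
    public static string NewState() => Base64Url(RandomNumberGenerator.GetBytes(32));

    // Step 1: the URL the browser is sent to. Every value is percent-encoded, and
    // redirect_uri must match the connected app's registered callback exactly.
    public static string BuildAuthorizeUrl(string clientId, string redirectUri, string state) =>
        AuthorizeEndpoint
        + "?response_type=code"
        + "&client_id=" + Uri.EscapeDataString(clientId)
        + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
        + "&state=" + Uri.EscapeDataString(state);

    // Step 2: Salesforce redirects to redirect_uri?code=...&state=... . Accept the code
    // only if the state matches the one this session issued.
    public static string ExtractCode(Uri callback, string expectedState)
    {
        var q = System.Web.HttpUtility.ParseQueryString(callback.Query);
        string? state = q["state"], code = q["code"];
        if (state == null || !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expectedState)))
            throw new InvalidOperationException("state mismatch: callback was not issued by this session");
        if (code == null) throw new InvalidOperationException("callback carried no authorization code");
        return code;
    }

    // Step 3: exchange the code for tokens, server-to-server, so client_secret never
    // reaches the browser. FormUrlEncodedContent percent-encodes each value.
    public static async Task<TokenResponse> ExchangeCodeAsync(
        string code, string clientId, string clientSecret, string redirectUri)
    {
        var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["redirect_uri"] = redirectUri,
        });
        using var resp = await Http.PostAsync(TokenEndpoint, body);
        string json = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)   // 400 with {"error":"...","error_description":"..."}
            throw new HttpRequestException($"token endpoint returned {(int)resp.StatusCode}: {json}");
        return ParseTokenResponse(json, clientSecret);
    }

    public sealed record TokenResponse(string AccessToken, string InstanceUrl, string Id, string IssuedAt);

    // The token response carries 'signature' = base64(HMAC-SHA256(id + issued_at, client_secret)).
    // Verifying it confirms the response was produced by the party holding our secret.
    public static TokenResponse ParseTokenResponse(string json, string clientSecret)
    {
        using var doc = JsonDocument.Parse(json);
        var r = doc.RootElement;
        string id = r.GetProperty("id").GetString()!, issuedAt = r.GetProperty("issued_at").GetString()!;
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret));
        byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(id + issuedAt));
        byte[] given = Convert.FromBase64String(r.GetProperty("signature").GetString()!);
        if (!CryptographicOperations.FixedTimeEquals(expected, given))
            throw new InvalidOperationException("token response signature does not verify");
        return new TokenResponse(r.GetProperty("access_token").GetString()!,
                                 r.GetProperty("instance_url").GetString()!, id, issuedAt);
    }

    // Offline walk-through of steps 1 and 2 using a constructed callback URL.
    public static void Main()
    {
        const string redirect = "http://localhost:1670/myservice.svc/callback";
        string state = NewState();
        Console.WriteLine(BuildAuthorizeUrl("CONSUMER_KEY_PLACEHOLDER", redirect, state));
        var callback = new Uri(redirect + "?code=constructed.code%3D%3D&state=" + Uri.EscapeDataString(state));
        Console.WriteLine("code = " + ExtractCode(callback, state));
    }
}
```

The `Main` only exercises the parts that need no network; `ExchangeCodeAsync` is what the WCF callback handler would call with the extracted code. Two things in this block go beyond the thread: `state` is required by the OAuth 2.0 spec for exactly the situation a public callback URL creates, and the `signature` check is specific to Salesforce's token response.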




Is there a way to circumvent user authorization?

Since this is middleware between a third-party application and salesforce, there won't be a user to do the authorization.

When setting up Remote Access in my salesforce account, there's a checkbox for "No user approval required". Can this circumvent the user based authorization?


Pat Patterson

If your app is not interactive, it can authenticate directly with username/password, posting a payload like this to :


// username and password must be percent-encoded: an '@' in the username or an '&' or '+' in the password would otherwise break the body.
string postData = "grant_type=password&client_id=" + key + "&client_secret=" + secret +
    "&username=" + Uri.EscapeDataString(username) + "&password=" + Uri.EscapeDataString(password);

Note that in Winter '11 (the current version) you will need to whitelist your IP address. In Spring '11 (coming soon), you can append the API security token to the password and get a token without the whitelisting.


See this thread for much more discussion of getting a token from username/password.


Note also, this method should only be used in server-to-server integration - don't ever distribute code containing secrets and passwords.
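The username/password flow above, with the security token appended as described and the secrets kept out of the source file. This is an added example, not code from the thread or from Salesforce; it assumes .NET 6 or later, the standard login.salesforce.com token endpoint, and environment variable names (SF_CLIENT_ID and so on) chosen here for illustration:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Username/password flow for a non-interactive server (added example; not from the thread).
// Assumed: .NET 6+, the login.salesforce.com token endpoint, and credentials supplied
// through environment variables (names chosen here) rather than compiled into the binary.
public static class SalesforcePasswordFlow
{
    const string TokenEndpoint = "https://login.salesforce.com/services/oauth2/token";
    static readonly HttpClient Http = new HttpClient();

    // The security token is appended directly to the password; pass "" when the server's
    // IP is whitelisted and no token is needed. Returning name/value pairs and letting
    // FormUrlEncodedContent encode them means an '@' in the username or an '&', '+' or
    // '%' in the password or token cannot corrupt the request the way concatenation would.
    public static Dictionary<string, string> BuildBody(string clientId, string clientSecret,
        string username, string password, string securityToken) => new()
    {
        ["grant_type"] = "password",
        ["client_id"] = clientId,
        ["client_secret"] = clientSecret,
        ["username"] = username,
        ["password"] = password + securityToken,
    };

    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"environment variable {name} is not set");

    public static async Task<(string AccessToken, string InstanceUrl)> GetTokenAsync()
    {
        var body = BuildBody(Require("SF_CLIENT_ID"), Require("SF_CLIENT_SECRET"),
                             Require("SF_USERNAME"), Require("SF_PASSWORD"),
                             Environment.GetEnvironmentVariable("SF_SECURITY_TOKEN") ?? "");
        using var resp = await Http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
        string json = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)
            // Typical failure: {"error":"invalid_grant","error_description":"authentication failure"}.
            // Surface only the response body; the request body holds the password.
            throw new HttpRequestException($"token endpoint returned {(int)resp.StatusCode}: {json}");
        using var doc = JsonDocument.Parse(json);
        return (doc.RootElement.GetProperty("access_token").GetString()!,
                doc.RootElement.GetProperty("instance_url").GetString()!);
    }
}
```

The access token should be cached and reused until Salesforce rejects it rather than re-posting the password on every call, and the integration user should be a dedicated account with only the permissions the middleware needs, since this flow grants everything that user can do.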

Nikhil Hasija

What is the intent of the "No User authorization required" checkbox in the remote access setup?


Pat Patterson

If you check 'No user authorization required' then the user still has to authenticate, they just don't get the 'Do you want to allow this app to access your stuff?' screen.

Hi Pat,

As quite some time has elapsed since the last message on this thread, I wanted to check if there is any better mechanism to authenticate a middleware server to establish connection with Salesforce rather than using username/password.

My simple requirement is that in an organization there is a middleware server and all integration of backend systems with Salesforce needs to be done through this middleware server. Since this middleware will need to connect to Salesforce, is using the username/password flow the only option? Can we leverage the web server flow but without anyone having to manually authenticate and authorize it?

Also I was going through the document "The OAuth 2.0 Authorization Framework" at URL and it talks about an Authorisation Grant of "Client Credentials" type. Is this something that Salesforce supports and can be used in the scenario I mentioned above?

Any suggestions/pointers will be greatly appreciated.

Ashish

Pat Patterson

As Chuck mentioned on the Success Community thread, you could maybe use the JWT Bearer Token flow for this:

We don't support Client Credentials grant type.
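The JWT Bearer Token flow Pat points to, as an added C# example that is not code from the thread or from Salesforce. It assumes .NET 6 or later, the standard login.salesforce.com token endpoint, a connected app configured with "Use digital signatures" and the certificate whose RSA private key this server holds in PEM form, and an integration user who has already approved the app or is pre-authorized for it through a profile or permission set. The consumer key, username and key material in the self-check are placeholders:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// JWT Bearer Token flow for server-to-server use (added example; not from the thread).
// Assumed: .NET 6+, login.salesforce.com (test.salesforce.com for sandboxes), and a
// connected app carrying the certificate that matches the PEM private key given below.
// No user password is stored or transmitted; the assertion is signed with the key.
public static class SalesforceJwtBearerFlow
{
    const string LoginHost = "https://login.salesforce.com";
    const string TokenEndpoint = LoginHost + "/services/oauth2/token";
    static readonly HttpClient Http = new HttpClient();

    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string s)
    {
        string std = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(std.PadRight(std.Length + (4 - std.Length % 4) % 4, '='));
    }

    // Build and sign the assertion: iss = the app's consumer key, sub = the integration
    // user's username, aud = the login host, exp = a few minutes out (Salesforce rejects
    // assertions whose exp is more than five minutes in the future). RS256 = RSA PKCS#1 v1.5 over SHA-256.
    public static string BuildAssertion(RSA privateKey, string consumerKey, string username, DateTimeOffset now)
    {
        string header = Base64Url(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\"}"));
        string claims = Base64Url(JsonSerializer.SerializeToUtf8Bytes(new Dictionary<string, object>
        {
            ["iss"] = consumerKey,
            ["sub"] = username,
            ["aud"] = LoginHost,
            ["exp"] = now.AddMinutes(3).ToUnixTimeSeconds(),
        }));
        string signingInput = header + "." + claims;
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(signingInput),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + Base64Url(sig);
    }

    // The check Salesforce performs with the uploaded certificate; handy in local tests.
    public static bool VerifyAssertion(RSA publicKey, string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        return publicKey.VerifyData(Encoding.UTF8.GetBytes(parts[0] + "." + parts[1]),
                                    FromBase64Url(parts[2]), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static async Task<(string AccessToken, string InstanceUrl)> GetTokenAsync(
        string pemPrivateKey, string consumerKey, string username)
    {
        using var rsa = RSA.Create();
        rsa.ImportFromPem(pemPrivateKey);   // PKCS#8 or PKCS#1 PEM, .NET 5+
        string assertion = BuildAssertion(rsa, consumerKey, username, DateTimeOffset.UtcNow);
        var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = assertion,
        });
        using var resp = await Http.PostAsync(TokenEndpoint, body);
        string json = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode)   // e.g. {"error":"invalid_grant","error_description":"user hasn't approved this consumer"}
            throw new HttpRequestException($"token endpoint returned {(int)resp.StatusCode}: {json}");
        using var doc = JsonDocument.Parse(json);
        return (doc.RootElement.GetProperty("access_token").GetString()!,
                doc.RootElement.GetProperty("instance_url").GetString()!);
    }

    // Offline self-check with a throwaway key: sign an assertion and verify it locally.
    public static void Main()
    {
        using var rsa = RSA.Create(2048);
        string jwt = BuildAssertion(rsa, "CONSUMER_KEY_PLACEHOLDER", "integration@example.com",
                                    DateTimeOffset.UtcNow);
        Console.WriteLine(VerifyAssertion(rsa, jwt) ? "assertion verifies" : "assertion broken");
    }
}
```

Compared with the username/password flow, the only long-lived secret on the middleware host is the private key, which can live in a key store or HSM and be rotated by uploading a new certificate to the connected app; the user's password is never involved, and the IP whitelist and security token do not apply.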