Welcome to Shaun Luttin's public notebook. It contains rough, practical notes. The guiding idea is that, despite what marketing tells us, there are no experts at anything. Sharing our half-baked ideas helps everyone. We're all just muddling thru. Find out more about our work at bigfont.ca.

Salesforce REST API: Use the OAuth 2.0 Authentication Username-Password Flow

Tags: salesforce, powershell, fiddler, REST, OAuth2.0, .NET

The Successful Response

The goal of authentication is to receive an authentication_token

If we make a successful OAuth request, we will receive response like this:

id           : https://test.salesforce.com/id/00DR00MAU/005R000
issued_at    : 142622342386
token_type   : Bearer
instance_url : https://jr7.salesforce.com
signature    : 4OF4kF+6e3aVaasdfeaf3NJC9DXm69b2WaJMg=
access_token : 00DR0000001yLiD!ARIAQKLyhA5TIdbsntX_JuHHVI5VW83b8F_VFc_7BnVI

The most important part is the access_token. We use that for REST requests.

With Fiddler

The Raw POST

POST https://test.salesforce.com/services/oauth2/token HTTP/1.1
Host: test.salesforce.com
Content-Type: Application/x-www-form-urlencoded
Content-Length: 235



  • Include the Content-Type: Application/x-www-form-urlencoded header
  • Update the Content-Length property to the actual body length.
  • URL encode the username, password, etc in the request body.
  • Remove all line breaks from the request body.

With PowerShell

function Get-AuthorizationTokenWithUsernamePasswordFlow ($client_id, $client_secret, $username, $password, $security_token)
    Add-Type -AssemblyName System.Web

    $uri = "https://test.salesforce.com/services/oauth2/token";
    $grant_type = "password";

    $username = [System.Web.HttpUtility]::UrlEncode($username)
    $password = [System.Web.HttpUtility]::UrlEncode($password)

    $requestBody = "";
    $requestBody += "grant_type=$grant_type";
    $requestBody += "&client_id=$client_id";
    $requestBody += "&client_secret=$client_secret";
    $requestBody += "&username=$username";
    $requestBody += "&password=$password$security_token";

    Write-Host "Uri:" $uri
    Write-Host "Body:" $requestBody

    Invoke-RestMethod -Method Post -Uri $uri -Body $requestBody

# usage
$client_id = "";
$client_secret = "";
$username = "";
$password = "";
$security_token = ""

Get-AuthorizationTokenWithUsernamePasswordFlow $client_id $client_secret $username $password $security_token

With Internet Explorer

This requires a POST and is better with Fiddler or PowerShell.

Helpful Links

URL Encoder

  • http://meyerweb.com/eric/tools/dencoder/
  • for URL encoding stuff like passwords and usernames.

Salesforce OAuth Docs

  • http://www.salesforce.com/us/developer/docs/api_rest/
  • Getting Started... > Introducing... > Understanding Authentication...