
invalid_grant Authentication Failure in the Username-Password OAuth Flow

Sometimes delegated authentication is configured in the customer's org for the logged-in user. When the username and password are given during login, authentication is then performed by the delegated authentication server, not by Salesforce.

We have seen strange behavior in the Username-Password OAuth flow (Sept 6, 2018) when the request is made from the API and from Apex.

1. When the OAuth request is made via the API, you can pass the external authentication server's password.

grant_type:password
username:username@gmail.com
password:password  // This can be external system password
client_id:3MV***log.W
client_secret:65***58

2. When the OAuth request is made via Apex, the password must be the Salesforce password along with the security token. If the external system's password is given, you will get the error below:

13:26:23.1 (5805772)|CALLOUT_REQUEST|[74]|System.HttpRequest[Endpoint=https://****.my.salesforce.com/services/oauth2/token, Method=POST]
13:26:23.1 (357570230)|HEAP_ALLOCATE|[EXTERNAL]|Bytes:952
13:26:23.1 (357762371)|CALLOUT_RESPONSE|[74]|System.HttpResponse[Status=Bad Request, StatusCode=400]
13:26:23.1 (357794126)|HEAP_ALLOCATE|[74]|Bytes:85
13:26:23.1 (357836159)|STATEMENT_EXECUTE|[75]
13:26:23.1 (357942754)|HEAP_ALLOCATE|[75]|Bytes:70
13:26:23.1 (357975206)|HEAP_ALLOCATE|[75]|Bytes:75
13:26:23.1 (358011911)|USER_DEBUG|[75]|DEBUG|body:{"error":"invalid_grant","error_description":"authentication failure"}

So in case of this error, make sure that you supply the Salesforce username along with the security token.

grant_type:password
username:username@gmail.com
password:password  // This is only salesforce password and security token
client_id:3MV***log.W
client_secret:65***58
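
The Apex side of the request described above, as an added example that is not code from the original post: it sends the Salesforce password with the security token appended and reports `invalid_grant` separately from other failures. The class name, method names and the way the credentials reach the method are assumptions made for illustration.

```apex
// Added example (hypothetical class and method names, not from the original post).
public class PasswordFlowTokenClient {
    public class TokenRequestException extends Exception {}

    // Builds the form-encoded body. The password field is the Salesforce
    // password immediately followed by the security token; every value is
    // URL-encoded so characters such as '&' or '+' cannot corrupt the form.
    public static String buildBody(String username, String sfPassword,
                                   String securityToken, String clientId,
                                   String clientSecret) {
        return 'grant_type=password'
            + '&username=' + EncodingUtil.urlEncode(username, 'UTF-8')
            + '&password=' + EncodingUtil.urlEncode(sfPassword + securityToken, 'UTF-8')
            + '&client_id=' + EncodingUtil.urlEncode(clientId, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(clientSecret, 'UTF-8');
    }

    // tokenEndpoint is the org's /services/oauth2/token URL, passed in by the
    // caller. Returns the access token, or throws with the error code.
    public static String requestAccessToken(String tokenEndpoint, String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(tokenEndpoint);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody(body);

        HttpResponse res = new Http().send(req);
        Map<String, Object> parsed =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());

        if (res.getStatusCode() != 200) {
            String err = (String) parsed.get('error');
            String description = (String) parsed.get('error_description');
            if (err == 'invalid_grant') {
                // The failure shown in the debug log above: from Apex, check that
                // the Salesforce password plus security token was sent, not the
                // delegated authentication server's password.
                throw new TokenRequestException('invalid_grant: ' + description);
            }
            throw new TokenRequestException(err + ': ' + description);
        }
        // Log only the outcome. The request body holds the password, the
        // security token and client_secret and should never reach debug logs.
        return (String) parsed.get('access_token');
    }
}
```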
