11

I have set up a connected app and want to use the OAuth JWT flow. Based on my understanding of the Salesforce documentation, only preauthorized clients can use this flow to get an access token.

I have enabled the "Admin approved users are pre-authorized" setting in my connected app and enabled certain profiles under it. The certificate and other settings required for this flow have been set up as well.

I still get the following error when trying to get an access token using the JWT:

{ error_description: "user hasn't approved this consumer" error: "invalid_grant" }

The grant_type is set to "urn:ietf:params:oauth:grant-type:jwt-bearer" and the assertion to a "base64url-encoded JWT token".

Appreciate any help to get this working!

Samuel De Rycke
user7743

  • Welcome to StackOverflow! Please upvote all useful answers, including those to others' questions. AND please "check" the best answer to your own questions. Thank You! – Larry K Mar 13 '17 at 19:55

2 Answers

4

Based on the Salesforce documentation:

The authorization server validates the JWT and issues an access_token based upon prior approval of the application.

It means you have to authorize the application at least once.

https://login.salesforce.com/services/oauth2/authorize?client_id=[clientId]&redirect_uri=[redirectUri]&response_type=code

You don't need to work on the redirectUri.

  • The client_id is the Salesforce Consumer Key for your app. The redirect_uri is the callback url from your app's OAuth settings within Salesforce. The redirect_uri used in the auth call must match a callback uri registered for your app but the uri does NOT have to work or do anything. Eg use https://foo.com in both places. – Larry K Mar 13 '17 at 19:52
  • Of course, use https://test.salesforce.com/... if you're in the test region. – Glen Mazza Jun 21 '17 at 22:44
3

"user hasn't approved this consumer" is a common error that occurs when the user doesn't have a prior refresh_token associated with them.

The solution is to perform an authorization grant (Web Server flow or User-Agent flow) at least once.

I wrote about it in detail; look specifically at step #3 here - https://mannharleen.github.io/2020-03-03-salesforce-jwt/

That should solve the error.

human

  • I've followed your steps, got the one time approval, created jwt and on the step to obtain the access code using the JWT, I am receiving an error { "error": "invalid_client", "error_description": "invalid client credentials" } this doesn't make sense, since according to Salesforce it means my client secret is wrong... but the one time authorization step went smoothly and that is the only time you need the secret.... – Dudi Jul 13 '22 at 11:36
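Putting both answers together, here is an added Python example (not from the question or either answer) that builds the JWT bearer assertion with the claims Salesforce's JWT flow uses (iss, sub, aud, exp), forms the token request with the grant_type from the question, and maps the "user hasn't approved this consumer" reply to the one-time authorize URL from the first answer. The consumer key, username and redirect URI values, and the rs256_signer helper, are assumptions; the signer needs the `cryptography` package and the private key matching the certificate uploaded to the connected app.

```python
import base64
import json
import time
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant_type from the question

def b64url(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_assertion(consumer_key, username, login_host, sign, now=None, ttl=180):
    """Assemble the JWT bearer assertion: iss is the connected app's consumer key,
    sub the Salesforce username, aud the login host (login.salesforce.com, or
    test.salesforce.com for sandboxes), exp a short expiry. `sign` must return an
    RS256 signature made with the private key of the certificate on the connected app."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "RS256"}, separators=(",", ":")).encode()
    claims = {"iss": consumer_key, "sub": username, "aud": login_host, "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = b64url(header) + "." + b64url(body)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def decode_claims(assertion: str) -> dict:
    seg = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def rs256_signer(private_key_pem: bytes):
    """Real signer (assumed helper; needs `cryptography`), imported lazily so the rest runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())

def token_request(login_host: str, assertion: str):
    """Endpoint and form body to POST for the access token."""
    return f"https://{login_host}/services/oauth2/token", {"grant_type": GRANT_TYPE, "assertion": assertion}

def diagnose(token_response: dict, consumer_key: str, redirect_uri: str, login_host: str):
    """Map the token endpoint's reply to an action. The question's invalid_grant /
    "user hasn't approved this consumer" case means this user has never approved
    the app, so return the one-time web-server-flow authorize URL from the answers."""
    if "access_token" in token_response:
        return "ok", None
    desc = token_response.get("error_description", "")
    if token_response.get("error") == "invalid_grant" and "approved" in desc:
        q = urlencode({"client_id": consumer_key, "redirect_uri": redirect_uri, "response_type": "code"})
        return "needs_one_time_approval", f"https://{login_host}/services/oauth2/authorize?{q}"
    return "other_error", None
```

After the user completes the authorize URL once (the redirect_uri only has to match the connected app's callback URL, as the comment above notes), the same assertion is accepted by the token endpoint.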