MVC OAuth authentication with Salesforce returns to login page

Question

I'm trying to get a working example of authenticating an MVC application in .NET against Salesforce using their OAuth authentication workflow. I've been referencing this walkthrough which is fairly simple. It is very similar to getting Google authentication to work. It boils down to setting up the .NET MVC project with the individual account authentication template and spin up a new connected application in Salesforce. Then, add the Owin.Security.Providers library for Salesforce, adjust the Startup.Auth.cs a bit and include the ClientId and ClientSecret from the Salesforce app, and the Authorization and Token endpoints. The callback URL it suggests is http://localhost:[port]/signin-salesforce which is pretty similar to the callback URL used for Google authentication.

While I am redirected to Salesforce and can login, the handshake that returns me back to my MVC application seems to encounter an issue that I cannot nail down. I get redirected back to the Login page and .NET doesn't seem to be aware of my login info, although I definitely have an active session with Salesforce (the Salesforce dashboard will automatically log me in). In the code, things start to go sideways here:

// GET: /Account/ExternalLoginCallback

[AllowAnonymous]

public async Task<ActionResult> ExternalLoginCallback(string returnUrl)

{

    var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();

    if (loginInfo == null)

    {

        return RedirectToAction("Login");

    }

    //more code we never reach

}

loginInfo is always null. So, to figure out what sort of request is being sent to .NET, I turned to Fiddler and encountered a request against localhost:[port]/signin-salesforce with a bunch of parameters that get a curious response:

HTTP/1.1 302 Found

Location: /Account/ExternalLoginCallback?error=access_denied

Server: Microsoft-IIS/10.0

Set-Cookie: .AspNet.Correlation.Salesforce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT

X-SourceFiles: =?UTF-8?B?YzpcdXNlcnNcc3RldmUuY2FtaXJlXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlvIDIwMTVcUHJvamVjdHNcU2FsZXNGb3JjZUludGVncmF0aW9uXFNhbGVzRm9yY2VJbnRlZ3JhdGlvblxzaWduaW4tc2FsZXNmb3JjZQ==?=

X-Powered-By: ASP.NET

Date: Fri, 20 May 2016 21:46:09 GMT

Content-Length: 0

Note the Location header, which tells .NET to redirect to /Account/ExternalLoginCallback with an error parameter of "access_denied". Enabling some tracing in Owin reveals that something is returning a 400 either in .NET or to .NET, but I don't know what.

So, that's where I'm at. A null logininfo object in my controller and evidence that something is going wrong in some web requests. I've perused several other related questions, but almost none focus on SalesForce and they provide answers that aren't really applicable (for instance, I have no Google+ API to enable). Any ideas on how to rectify this?

Answer 1

Seems like the redirect URL is needed to match the one on the Identity Server. As you are becoming redirected to the login page again, seems like the redirect URL might not be agreeing with the Client Secret and Client ID.

In the SalesForce Identity server, there will be a redirect URL that decides the path where you will get redirected to once the authentication is done. Sometimes, you also have to provide the URL with a Client ID and the secret to get completely authorized.