Salesforce DotNetOpenAuth / Oauth Remote Access Problems

Question

I'm trying to use Oauth to connect to salesforce from a .NET app. I'm using DotNetOpenAuth at the moment, and having no luck. I can get twitter / google etc to work fine, but when I create a new consumer service for Salesforce, it just gives me an error (400 / Bad Request)

I'm using the InMemoryTokenManager, but before I get shouted at, let me re-iterate that twitter et al work fine this way. I do intent to replace the inmemorytoken manager with a database implentation, but for now I just want to get it working.

The strange thing is, if I manually create the URL - https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=[consumer_key]&redirect_uri=[redirect_url] and enter it in the browser I end up at a salesforce page to authorise the app to access my account - the one I expect to see should everything work.

Is this expected behaviour? It seems like a security hole, but maybe I'm not understanding everything correctly.

Any ideas where I'm going wrong?

ConsumerCode - (well, the important part at least)

public static readonly ServiceProviderDescription ServiceDescription = new ServiceProviderDescription
{
    RequestTokenEndpoint = 
        new MessageReceivingEndpoint(
        "https://login.salesforce.com/services/oauth2/authorize", 
        HttpDeliveryMethods.GetRequest | 
        HttpDeliveryMethods.AuthorizationHeaderRequest),
    UserAuthorizationEndpoint = 
        new MessageReceivingEndpoint(
        "https://login.salesforce.com/services/oauth2/authorize", 
        HttpDeliveryMethods.GetRequest | 
        HttpDeliveryMethods.AuthorizationHeaderRequest),
    AccessTokenEndpoint = 
        new MessageReceivingEndpoint(
        "https://login.salesforce.com/services/oauth2/token", 
        HttpDeliveryMethods.GetRequest | 
        HttpDeliveryMethods.AuthorizationHeaderRequest),
    TamperProtectionElements = 
    new ITamperProtectionChannelBindingElement[] { 
    new HmacSha1SigningBindingElement() },
}; 

OAuthController.cs

if (this.SFTokenManager != null)
{
    var SF = new WebConsumer(SFConsumer.ServiceDescription, this.SFTokenManager);
    // Is Twitter calling back with authorization?
    var accessTokenResponse = SF.ProcessUserAuthorization();
    if (accessTokenResponse != null)
    {
        this.SFAccessToken = accessTokenResponse.AccessToken;
    }
    else if (this.SFAccessToken == null)
    {
        // If we don't yet have access, immediately request it.
        SF.Channel.Send(SF.PrepareRequestUserAuthorization());                    
    }
    return View("SFIn");
}
else
{
    return View("SFOut");
}

The line I get my 400 at is

// If we don't yet have access, immediately request it.
SF.Channel.Send(SF.PrepareRequestUserAuthorization());   

Answer 1

DotNetOpenAuth says its oAuth support is 1.0 & 1.0a, while you're trying to access the oAuth 2.0 service at salesforce, the 2 protocols are not compatible.

Answer 2

I know nothing about SalesForce, but from your message it looks like SalesForce uses OAuth 2.0. But you're using DotNetOpenAuth's OAuth 1.0(a) feature, which would explain why it's failing.

You might try using the OAuth 2.0 CTP version of DotNetOpenAuth and using the new API for OAuth 2.0 to see if that helps.

Answer 3

Sample of salesforce Rest API and .net http://danlb.blogspot.com/2010/10/salesforcecom-rest-api.html