I’m encountering a problem while trying to access Salesforce via n8n using the Salesforce OAuth 2 method. The issue arises specifically when I remove the scope full. Here’s the detailed breakdown of the situation:
Issue:
Whenever I set the scope to full, I can connect without any issues.
However, when I remove the full scope and include all the other recommended scopes (such as refresh_token and offline_access), I receive the following error:
OAUTH_APPROVAL_ERROR_GENERIC: An unexpected error has occurred during authentication. Please try again.
According to the Salesforce documentation on n8n, only refresh_token and offline_access are required ⇾ All the scopes except full have been added on my end.
Salesforce Settings:
Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows: Disabled
Require Secret for Web Server Flow: Disabled
Require Secret for Refresh Token Flow: Disabled
Steps I’ve Taken:
Set up OAuth credentials in Salesforce.
Configured n8n with all the scopes except full.
Disabled all the necessary settings in Salesforce as mentioned above.
Thanks for reaching out here. This is where we prefer support cases so that the community can benefit from the knowledge.
Like I shared in response to your email, our normal recommendation for this issue is to disable PKCE for the app in Salesforce, but I see you’ve already done that. Do you have any IP restrictions on the profile you are attempting to authenticate with inside of Salesforce? Help And Training Community
Here are some additional resources that may be helpful.
I would like to clarify that the issue we are facing is not related to IP restrictions. We have set the IP Relaxation option to “Relax IP Restriction” in the AUTH POLICY of our connected app on Salesforce, which should address any potential IP-related access concerns.
I’ve reviewed the article you sent (Salesforce Scope) and noted that n8n requires ‘full’ as a scope. This requirement is a significant concern for us, as it is not feasible to request full scope access from our clients due to strict security and compliance requirements. Moreover, there seems to be a discrepancy in the documentation, which only specifies the need for ‘offline_access’ and ‘refresh_token’, but does not mention the necessity of ‘full’ scope for authentication.
Thank you for the information regarding the IP restrictions. Per that link my colleague mentions that Salesforce requires full as a scope in certain circumstances - not that n8n does.
I’ll check with our engineering team during Berlin operating hours tomorrow and check whether we also in fact require that scope or another and a change is needed in our documentation.