A Remote Access record has a Client ID (key), Consumer Secret and Callback URL. To my knowledge, the proper callback URL for Salesforce is https://login.salesforce.com/services/oauth2/success.

Suppose I want to support Sandbox connections. Do I need a 2nd Remote Access record with a callback of https://test.salesforce.com/services/oauth2/success? Or is there a common callback URL that Salesforce provides for both Production and Sandbox flows?

Attribution to: hemmeter

Possible Suggestion/Solution #1

The callback URL will be same in both the cases and you may need only one remote access record but during the invoke of oauth token from sandbox of salesforce the URL that you will use will be https://test.salesforce.com/services/oauth2/success instead of https://login.salesforce.com/services/oauth2/success.

Attribution to: Mohith Shrivastava

Possible Suggestion/Solution #2

It turns out that I needed a 2nd Remote Access record. The reason for this is that Salesforce has the 2 different callback URLs https://login.salesforce.com/services/oauth2/success and https://test.salesforce.com/services/oauth2/success. (or it can be a custom mydomain in place login/test)

The oAuth process needs a redirect URL and it must match the remote access record.

I actually tried to use my existing record with https://login.salesforce.com/services/oauth2/success as the callback, but sent them to test.salesforce.com to actually login. It actually worked, but the final response only included an access token (session id) and not a refresh token (the main purpose of oAuth).

One additional thing I learned in the process is that Remote Access records no longer need to be packaged into Managed Packages. You can just leave them where they are and they work across orgs.

Attribution to: hemmeter

Possible Suggestion/Solution #3

I believe you can use just one remote access record if you use the 'state' parameter when initializing the OAuth flow. Set state to some value of your choice (ie: 'production' or 'sandbox') when you construct the initial url.

    Redirect(authURL
                    + "?response_type=code&client_id="
                    + clientid
                    + "&state="
                    + (authURL.contains("test.salesforce.com") ? "sandbox" : "production")
                    + "&redirect_uri="
                    + WS.encode(play.mvc.Router
                            .getFullUrl("ForceDotComOAuth2.callback")));

When OAuth callback is called, you can check the state param (it is passed back with the code param) - determine if the state is production or sandbox, and then send your post response to the prod or sandbox token url depending on value retrieved from the state param.

        String sandboxParam = Params.current().get("state");
        boolean sandboxLogin = false;
        if (sandboxParam != null) { // defensive null check, should always have value
            sandboxLogin = sandboxParam.contains("sandbox");
        }
        Map params = new HashMap();
        params.put("grant_type", "authorization_code");
        params.put("client_id", clientid);
        params.put("client_secret", secret);
        params.put("redirect_uri",
            play.mvc.Router.getFullUrl("ForceDotComOAuth2.callback"));
            params.put("code", accessCode);
        HttpResponse response = WS.url(sandboxLogin ? TOKEN_URL_sBox : TOKEN_URL).params(params).post();
 

Attribution to: John Brock
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/4371