Hi @zwerd, there are a few areas that might help.
First, did you enable Client Credential Flow Policies for External Client Apps? Details: https://help.salesforce.com/s/articleView?language=en_US&id=xcloud.policies_configure_client_credentials_flow_for_external_client_apps.htm&release=256.6.0&type=5
If you did, there are a few OAUTH quirks detailed in the Salesforce article 'OAuth 2.0 Username-Password Flow for Special Scenarios': https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_username_password_flow.htm&type=5
You could also try:
- Appending the security token at the end of the password
- Adding the ?grant_type_password to TokenEndPoint
grant_type=password&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
client_secret=1955279925675241571&
username=testuser@salesforce.com&
password=mypassword
Please let me know how you get on, good luck!
Hi @zwerd, there are a few areas that might help.
First, did you enable Client Credential Flow Policies for External Client Apps? Details: https://help.salesforce.com/s/articleView?language=en_US&id=xcloud.policies_configure_client_credentials_flow_for_external_client_apps.htm&release=256.6.0&type=5
If you did, there are a few OAUTH quirks detailed in the Salesforce article 'OAuth 2.0 Username-Password Flow for Special Scenarios': https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_username_password_flow.htm&type=5
You could also try:
- Appending the security token at the end of the password
- Adding the ?grant_type_password to TokenEndPoint
grant_type=password&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
client_secret=1955279925675241571&
username=testuser@salesforce.com&
password=mypassword
Please let me know how you get on, good luck!
Hi Chris!
Thank you for your help. Unfortunatly, we are still struggling with getting Salesforce's events logs on the Google SecOps SIEM.
We've enable Client Credential Flow Policies for External Client Apps and we've tried to append "&" at the end of each field, but we still got a "Fail".
These following fields are those we've insert to the FEED config page:
API HOSTNAME: https://xxxxxxx.lightning.force.com/
TYPE:OAuth password grant
OAUTH TOKEN ENDPOINT: https://xxxxxxx.my.salesforce.com/services/oauth2/token?grant_type=password&
SalesforceConsumerKey(OATH CLIENT ID):3MVG9XXXXXXXXXXX&
SalesforceConsumerSecret(OAUTH CLIENT SECRET):1286XXXXXXXXXXXXXXXXXXXX&
SalesforceUser(USERNAME):someuser@somedomain.com&
SalesforceConsumerSecret(PASSWORD):somePassw0r5
Do you know what else can we do?
we'll be greatful for that.
Thank you!
Hi Chris!
Thank you for your help. Unfortunatly, we are still struggling with getting Salesforce's events logs on the Google SecOps SIEM.
We've enable Client Credential Flow Policies for External Client Apps and we've tried to append "&" at the end of each field, but we still got a "Fail".
These following fields are those we've insert to the FEED config page:
API HOSTNAME: https://xxxxxxx.lightning.force.com/
TYPE:OAuth password grant
OAUTH TOKEN ENDPOINT: https://xxxxxxx.my.salesforce.com/services/oauth2/token?grant_type=password&
SalesforceConsumerKey(OATH CLIENT ID):3MVG9XXXXXXXXXXX&
SalesforceConsumerSecret(OAUTH CLIENT SECRET):1286XXXXXXXXXXXXXXXXXXXX&
SalesforceUser(USERNAME):someuser@somedomain.com&
SalesforceConsumerSecret(PASSWORD):somePassw0r5
Do you know what else can we do?
we'll be greatful for that.
Thank you!
Hi @zwerd, thanks for bearing with me. I am not sure the endpoint format you're using is valid. Here's an example of a valid format for JWT:
<https>://test.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
So I think yours needs to look something like:
<https>://test.salesforce.com/services/oauth2/token?grant_type=password&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&username=testuser@salesforce.com&password=mypassword
obviously swapping out the example client_id, client_secret, username and password fields for your actual values.
Hi @zwerd, thanks for bearing with me. I am not sure the endpoint format you're using is valid. Here's an example of a valid format for JWT:
<https>://test.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
So I think yours needs to look something like:
<https>://test.salesforce.com/services/oauth2/token?grant_type=password&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&username=testuser@salesforce.com&password=mypassword
obviously swapping out the example client_id, client_secret, username and password fields for your actual values.
Hi @chrisproudley
Thank you again for your support.
I’m a bit confused about your recommendation to put all the parameters (client_id, client_secret, username, password) directly into the URL of the token endpoint.
In Google SecOps, when creating a FEED, there are separate fields to enter each of these values individually. I'm trying to understand why all of them should be combined into the URL itself.
For refernce, here's a screenshot that show how the fields are configured in Google SecOps.
We’ve tried both ways, entering parameters separately in the designated fields and concatenating everything in the URL — but unfortunately, the connection still fails.
Could you please clarify if Google SecOps requires a special configuration or workaround for this? Or if there is another recommended approach to make the OAuth password grant flow work correctly with this system?
Thanks again for your help!
Best regards,
I've tried this method - it's inconslusive... all i get from the log is this with my Event Monitoring:
"ApexTrigger","20250430010459.921","TID:13580298100000f31a","00D90000000ueYa","0059q00000000n0","","0","","WP4Yg7WZi/PSbdDk","yYRkF9lj2WDJ0U39","","","","01q9q0000008ONK","rsplus.VtTaskToSMS","Task","AfterInsert","1","2025-04-30T01:04:59.921Z","0059w0a2300IbnWAAS","xxx.xxx.xxx.xxx",""
The data is useless - as it doesn't tie in the Users' name or activity.
I'm trying to see if i can do it with this method - https://cloud.google.com/chronicle/docs/ingestion/default-parsers/salesforce however, i'm having issues with my Salesforce team as I don't know what objects to map too to get the data here listed...
