
Salesforce Connector | Failed to connect to Salesforce with {"error":"invalid_grant","error_description":"invalid assertion"}

Publish Date: Mar 2, 2024
Resolution

SYMPTOM

The following error is observed in the Mule application logs when connecting to Salesforce using OAuth JWT:
Invalid status code: 400, response body: {"error":"invalid_grant","error_description":"invalid assertion"}
The complete log message and stack trace are as follows:
Connectivity test failed for config 'Salesforce_Config'. Application deployment will continue. Error was: Invalid status code: 400, response body: {"error":"invalid_grant","error_description":"invalid assertion"}
org.mule.runtime.api.connection.ConnectionException: Invalid status code: 400, response body: {"error":"invalid_grant","error_description":"invalid assertion"}
	at org.mule.runtime.core.internal.connection.ErrorTypeHandlerConnectionProviderWrapper.lambda$connect$0(ErrorTypeHandlerConnectionProviderWrapper.java:69)
	at java.util.Optional.map(Optional.java:215)
	at org.mule.runtime.core.internal.connection.ErrorTypeHandlerConnectionProviderWrapper.connect(ErrorTypeHandlerConnectionProviderWrapper.java:68)
	at org.mule.runtime.core.internal.connection.ConnectionUtils.connect(ConnectionUtils.java:49)
	at org.mule.runtime.core.internal.connection.AbstractConnectionProviderWrapper.connect(AbstractConnectionProviderWrapper.java:64)
	at org.mule.runtime.core.internal.connection.DefaultConnectionProviderWrapper.connect(DefaultConnectionProviderWrapper.java:52)
	at org.mule.runtime.core.internal.connection.CachedConnectionManagementStrategy.createConnection(CachedConnectionManagementStrategy.java:95)
	at org.mule.runtime.core.api.util.func.CheckedSupplier.get(CheckedSupplier.java:25)
	at org.mule.runtime.api.util.LazyValue.get(LazyValue.java:77)
	at org.mule.runtime.core.internal.connection.CachedConnectionManagementStrategy.getConnectionHandler(CachedConnectionManagementStrategy.java:63)
	at org.mule.runtime.core.internal.connection.DefaultConnectionManager.getConnection(DefaultConnectionManager.java:241)
	at org.mule.runtime.core.internal.connection.DefaultConnectionManager.lambda$testConnectivity$1(DefaultConnectionManager.java:160)
	at org.mule.runtime.core.internal.connection.DefaultConnectionManager.doTestConnectivity(DefaultConnectionManager.java:176)
	at org.mule.runtime.core.internal.connection.DefaultConnectionManager.testConnectivity(DefaultConnectionManager.java:152)
	at org.mule.runtime.core.internal.connection.DelegateConnectionManagerAdapter$EagerConnectionManagerAdapter.testConnectivity(DelegateConnectionManagerAdapter.java:176)
	at org.mule.runtime.core.internal.connection.DelegateConnectionManagerAdapter.testConnectivity(DelegateConnectionManagerAdapter.java:98)
	at org.mule.runtime.module.extension.internal.runtime.config.LifecycleAwareConfigurationInstance$1.doWork(LifecycleAwareConfigurationInstance.java:204)
	at org.mule.runtime.core.api.retry.policy.AbstractPolicyTemplate.execute(AbstractPolicyTemplate.java:62)
	at org.mule.runtime.core.internal.retry.async.RetryWorker.run(RetryWorker.java:56)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.mule.service.scheduler.internal.AbstractRunnableFutureDecorator.doRun(AbstractRunnableFutureDecorator.java:152)
	at org.mule.service.scheduler.internal.RunnableFutureDecorator.run(RunnableFutureDecorator.java:54)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: Invalid status code: 400, response body: {"error":"invalid_grant","error_description":"invalid assertion"}
	at org.mule.extension.salesforce.internal.error.exception.service.handlers.IOExceptionHandler.handle(IOExceptionHandler.java:49)
	at org.mule.extension.salesforce.internal.connection.provider.AbstractOAuthConnectionProvider.send(AbstractOAuthConnectionProvider.java:293)
	at org.mule.extension.salesforce.internal.connection.provider.AbstractOAuthConnectionProvider.sendAuthorizationRequestAndParseResponse(AbstractOAuthConnectionProvider.java:200)
	at org.mule.extension.salesforce.internal.connection.provider.JWTConnectionProvider.onPreAuthorization(JWTConnectionProvider.java:153)
	at org.mule.extension.salesforce.internal.connection.provider.AbstractOAuthConnectionProvider.createConnectionConfigBuilder(AbstractOAuthConnectionProvider.java:143)
	at org.mule.extension.salesforce.internal.connection.provider.AbstractConnectionProvider.connect(AbstractConnectionProvider.java:253)
	at org.mule.extension.salesforce.internal.connection.provider.AbstractConnectionProvider.connect(AbstractConnectionProvider.java:80)
	at org.mule.runtime.module.extension.internal.runtime.config.ClassLoaderConnectionProviderWrapper.connect(ClassLoaderConnectionProviderWrapper.java:60)
	at org.mule.runtime.core.internal.connection.ConnectionUtils.connect(ConnectionUtils.java:49)
	at org.mule.runtime.core.internal.connection.AbstractConnectionProviderWrapper.connect(AbstractConnectionProviderWrapper.java:64)
	at org.mule.runtime.core.internal.connection.ErrorTypeHandlerConnectionProviderWrapper.connect(ErrorTypeHandlerConnectionProviderWrapper.java:64)
	... 24 more

CAUSE

One possible cause is that the certificate alias configured in Salesforce Config does not match the certificate configured for the Connected App in Salesforce.


Alternatively, if the "Certificate alias" field is left blank and the configured key store contains multiple certificates, the first certificate in the key store is used, and the error occurs when that certificate does not match the one configured for the Connected App in Salesforce. In that case, the following warning message appears in the Mule application logs:
WARN  2022-07-24 07:01:34,792 [[MuleRuntime].uber.251315: [sample-app].sampleFlow.CPU_LITE @19f040cd] [processor: ; event: ] org.mule.extension.salesforce.internal.service.connection.oauth.SignerService: There are more than one alias, picked first one with name: <certificate_name>
To check the certificate configured for the Connected App in Salesforce, refer to the following article:
Salesforce Connector - How to authenticate using JWT

SOLUTION

Configure the correct certificate alias in Salesforce Config.
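To find which alias is the correct one, compare the SHA-256 fingerprint of each key store certificate with the certificate uploaded to the Connected App. The sketch below is an added example, not MuleSoft or Salesforce code; it assumes each alias has been exported to PEM (for example with `keytool -exportcert -rfc`), and the names `diagnose`, `SAMPLE_KEYSTORE` and `CONNECTED_APP_PEM` as well as the sample certificate bodies are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER bytes inside a PEM certificate block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def diagnose(keystore: dict, configured_alias: str, connected_app_pem: str) -> dict:
    """keystore maps alias -> PEM; dict order stands in for key store order
    (assumption). A blank alias selects the first entry, as the article states."""
    if not keystore:
        raise ValueError("key store has no certificates")
    target = pem_fingerprint(connected_app_pem)
    correct = [a for a, pem in keystore.items() if pem_fingerprint(pem) == target]
    if configured_alias:
        used = configured_alias if configured_alias in keystore else None
    else:
        used = next(iter(keystore))
    return {
        "used_alias": used,               # None: configured alias not in key store
        "matches_connected_app": used in correct,
        "correct_aliases": correct,       # what "Certificate alias" should be set to
        "blank_with_multiple": not configured_alias and len(keystore) > 1,
    }

def _constructed_pem(raw: bytes) -> str:
    # Constructed placeholder bytes, not a real X.509 certificate.
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_KEYSTORE = {
    "legacy-cert": _constructed_pem(b"constructed-cert-A"),
    "sfdc-jwt": _constructed_pem(b"constructed-cert-B"),
}
CONNECTED_APP_PEM = _constructed_pem(b"constructed-cert-B")

if __name__ == "__main__":
    print(diagnose(SAMPLE_KEYSTORE, "", CONNECTED_APP_PEM))
    print(diagnose(SAMPLE_KEYSTORE, "sfdc-jwt", CONNECTED_APP_PEM))
```

With the alias left blank, the sample reports that `legacy-cert` would be used and does not match, which is the situation that produces the `invalid assertion` response described above.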

Disclaimer: This solution provides a suggestion that should be considered in conjunction with your specific use case and requirements and does not represent a complete solution for all circumstances.
Knowledge Article Number

001122061

 