Listening for Callback Notifications in Salesforce Environment

0 votes

We are trying to set up a URL to listen for Callback Notifications in salesforce. Following the API documentation here: I am a little confused as to how this would work in terms of Salesforce Authentication?

Is anyone aware of a way to make this work with salesforce so that we can receive notifications and then act on the Package Id received in an Apex class?  

Reply to: Listening for Callback Notifications in Salesforce Environment

0 votes

Hi Scotth7a9,


OneSpan Sign has implemented the "OAuth 2.0 Refresh Token Flow" in order to authorize the callback and reach your salesforce app endpoint, this function is released at 11.31.

You need to follow below distinct steps:
(1)Implement an APEX controller and expose an endpoint that can receive the callback JSON, which typically contains below keys:


You can find a complete list of callback keys in the guide you referred above.


(2)Create a Connected App in Salesforce, make sure you chose the "refresh_token" scope and generate a refresh token.

Below are some articles that I found useful:

How to create a Connected App that enables oAuth:

How to get refresh token via web server flow:

A forum post discussing how to get refresh token:

In my experience, I first used the code grant type to get an authorization code, then use the authorization_code grant type to get the refresh token, below are the two calls I used, just for your reference:


(3)Submit a support ticket([email protected]) and supply below information:

-your APEX controller endpoint (OSS callback url)

-your salesforce host

-your client_id and refresh_token - request an updated access token when an event of interest happened.


(4 Optional) There's an API exposed to update your refresh token:

The GET call is a good way to check if your refresh token has been configured properly. But if your refresh token is valid until revoked, you don't need to update it for the temporary.



Duo Liang OneSpan Evangelism and Partner Integrations Developer

Reply to: Listening for Callback Notifications in Salesforce Environment

0 votes

Hello Duo:

Thank you for your reply, it is very helpful. There a few points that confuse me in regards to the Oauth implementation perhaps you could clarify if you have a chance?

Step 1. seems straight forward enough. In step 2 what would be the callback URL? Would it be URL of Oauth provider in my org? The URL of my Apex Class or a URL at OneSpan? No matter how many times I read the documentation it doesn't really make clear how to create the callback URL.

In Step 3 you mention "Provide your client_id and refresh_token" does that mean I have to somehow generate a refresh token value and provide it OneSpan support, or do I misunderstand that.

Lastly, if all these steps are followed is it just a matter providing the information to OneSpan and then they will make calls in a way that when they get to my Apex URL the authentification is taken care of? Or do I need to code additional steps in order to get them there with the proper access? 

I have spent a great deal of time searching and researching and it is very difficult to find a simple end to end example of an app of this type. Would OneSpan have any sample code or detailed instructions for setting this up in Salesforce as they have for many other platforms?

Thank You.

Reply to:

0 votes

Hi Scott,


Per your questions:
(1)Do you mean the callback URL when you set up the Connected Apps? I think it should be an URL within your salesforce domain (for example the lightning home page -, or simply a generic success url like the default one -

-this callback url needs to match the redirection url when you build a salesforce oAuth link:

-though, i don't think the redirection url matters in this use case, since we are using refresh token flow 


(2)"generate a refresh token value and provide it OneSpan support", yes, you need to generate a refresh token and provide to support. The refresh token is the key to exchange for a bearer token. Just follow the articles I mentioned in step2 and the two URLs I used.

(3)With client ID and refresh token, OneSpan Sign service would be able to generate a valid bearer token, and authenticate the OSS callback to reach out to your endpoint - the normal OSS callback is with basic authentication, but this additional micro service makes sure the callback is authenticated with oAuth2 instead. So my understanding is you don't need extra code at your side.



Duo Liang OneSpan Evangelism and Partner Integrations Developer

Hello! Looks like you're enjoying the discussion, but haven't signed up for an account.

When you create an account, we remember exactly what you've read, so you always come right back where you left off