Troubleshooting Salesforce: Refresh Token Expiration

Are you experiencing frequent authorization issues with Salesforce and our Card Reader app? In other words, do you find yourself checking your Salesforce connection when trying to use Card Reader? If so, this may have to do with your Salesforce refresh token.

This link explains what causes a connected app’s refresh token to expire.

In short, there are numerous ways that your refresh token can expire, which in turn would cause the perpetual login to FullContact.

That being said, note that password policies have no impact. While it is possible that an expiration could behave differently, this is quite difficult to test and would not support the transient nature of the issue anyway.

While the root cause is a bit ambiguous, here are a few common sources worth investigating:

  • The software development kit (SDK) used for authorization purposes could have a bug, assuming the refresh token is invalid. The issue is transient: sometimes the token will go many weeks without expiring, and sometimes it is a matter of a day.
  • Over time, you have used multiple devices with Card Reader: maybe an old iPhone, a new iPhone, a tablet, etc. You are allowed 5 access tokens. If you attempt to use a 6th, then the 1st one gets invalidated. A single device can use more than one access token, so the more devices you have, the more likely this could happen. You are able to see how many connections you have, and you can revoke older connections. However, if you only have Card Reader on a single device, this is not an issue.
  • Are you using our managed package? If yes, then there are the following settings for “refresh token policy.” An admin on the SFDC account would have complete control over when a refresh token expires.

 

  • You, or the admin on the account, are manually revoking the OAuth connection. While this is unlikely, it is not out of the realm of possibility that an admin is doing a global revocation from time to time and you (the user) are unaware.
  • Is it possible that IP restrictions could be causing the issue? There are multiple places IP restrictions can be set up: on the Profile, on the User, on a connected app, etc. It’s possible that when requesting a new Access Token, if the device is on an IP that isn’t whitelisted, it could cause you to have to authenticate again.
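
The five-token limit from the list above, replayed over a constructed authorization history to show which device ends up logged out. This is an added example, not FullContact or Salesforce code: the event format, device names and dates are made up, and only the limit of 5 with oldest-first invalidation comes from this article.

```python
from collections import OrderedDict

TOKEN_LIMIT = 5  # per-user limit stated in the article

# Constructed sample history: (ISO date, device, action)
EVENTS = [
    ("2024-01-02", "old-iphone", "authorize"),
    ("2024-02-10", "tablet", "authorize"),
    ("2024-03-05", "new-iphone", "authorize"),
    ("2024-03-06", "new-iphone", "authorize"),  # one device, second token
    ("2024-04-01", "tablet", "authorize"),
    ("2024-04-20", "new-iphone", "authorize"),  # 6th token issued
]

def replay(events, limit=TOKEN_LIMIT):
    """Replay events in date order.

    Returns (active, evicted): active maps token id -> device in issue
    order; evicted lists (date, token id, device, cause).
    """
    active = OrderedDict()
    evicted = []
    issued = 0
    for date, device, action in sorted(events):
        if action == "authorize":
            issued += 1
            active[issued] = device
            # Over the limit: the oldest token is invalidated first.
            while len(active) > limit:
                old_id, old_dev = active.popitem(last=False)
                evicted.append((date, old_id, old_dev, "token limit"))
        elif action == "revoke":
            # Manual revocation removes every token held by that device.
            for tid in [t for t, d in active.items() if d == device]:
                del active[tid]
                evicted.append((date, tid, device, "manual revoke"))
        else:
            raise ValueError(f"unknown action: {action!r}")
    return active, evicted

def devices_needing_login(active, evicted):
    """Devices that lost a token and hold no other active one."""
    return sorted({dev for _, _, dev, _ in evicted} - set(active.values()))

if __name__ == "__main__":
    active, evicted = replay(EVENTS)
    for date, tid, dev, cause in evicted:
        print(f"{date}: token {tid} on {dev} invalidated ({cause})")
    print("must log in again:", devices_needing_login(active, evicted))
```

In the sample history the device that never re-authorized (the old iPhone) is the one that loses its connection, even though the sixth token was requested from a different device.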