Mobile sales integration fails to refresh Salesforce REST API tokens

Our mobile sales team is experiencing constant logouts from the Salesforce mobile app during field visits. The OAuth refresh token process appears to be failing intermittently, causing major disruptions to our sales operations.

The issue started after we updated our OAuth refresh token scope configurations last week. Users are being forced to re-authenticate multiple times per day, which is unacceptable when they’re meeting clients. I’ve checked our session timeout settings in Setup, and they’re set to 2 hours with refresh token valid for 90 days.

Here’s the error we’re seeing in the mobile app logs:


HTTP 401: invalid_grant
refresh_token expired or revoked
OAuth token refresh failed at 2025-03-14T08:45:12Z

I suspect the mobile app isn’t storing the refresh tokens properly between sessions, or there’s a mismatch in our OAuth scope configuration. Has anyone dealt with mobile token storage issues in Summer '25? Our field sales productivity has dropped significantly, and we need a reliable solution fast.

I want to add one more critical point about IP restrictions with mobile users. If your Connected App has IP restrictions enabled, mobile field users will constantly fail authentication as they move between cell towers and WiFi networks. For mobile deployments, you should either disable IP restrictions entirely or use a whitelist approach with VPN requirements instead.

Let me provide a comprehensive solution addressing all three key areas: OAuth refresh token scope, session timeout settings, and mobile app token storage.

OAuth Refresh Token Scope Configuration: Navigate to your Connected App settings and verify the OAuth scopes include both ‘refresh_token’ and ‘offline_access’. The offline_access scope is critical for mobile apps to maintain authentication across app restarts and device sleep cycles.

Refresh Token Policy Fix: Your current 1-day expiration is causing the constant logouts. Here’s the recommended configuration:


Setup > Connected Apps > Your Mobile App
OAuth Policies > Refresh Token Policy:
- Set to "Refresh token valid for 90 days"
- Enable "Rotate refresh token on use"

This gives mobile users sufficient validity while maintaining security through token rotation.

Session Timeout Alignment: Go to Setup > Session Settings and configure:

  • Session timeout: 4 hours (longer than current 2 hours for field work)
  • Disable timeout warning: Unchecked (gives users warning before expiration)
  • Force logout on session timeout: Unchecked for mobile profiles

For mobile-specific profiles, create a custom session setting that’s more lenient than desktop users.

Mobile App Token Storage: If you’re using Salesforce Mobile SDK, the token storage should be handled automatically via platform-specific secure storage (iOS Keychain/Android Keystore). However, verify these implementation points:

  1. Token Refresh Logic: Ensure your app implements proactive token refresh before expiration:

// Refresh proactively when fewer than 5 minutes (300000 ms) remain on the access token
const REFRESH_MARGIN_MS = 5 * 60 * 1000;
function shouldRefreshToken(tokenExpiryTime, currentTime = Date.now()) {
  return tokenExpiryTime - currentTime < REFRESH_MARGIN_MS;
}
if (shouldRefreshToken(tokenExpiryTime)) {
  refreshOAuthToken(); // app-specific call into the SDK's refresh flow
}

  2. Background Refresh: Enable background token refresh in your mobile app configuration to handle refreshes even when the app is backgrounded.

  3. Error Handling: Implement proper retry logic for failed refresh attempts with exponential backoff.

IP Restriction Configuration: For mobile users, you have two options:

  • Option A: Disable IP restrictions entirely for the mobile Connected App
  • Option B: Implement “Relax IP restrictions” for mobile user profiles (Setup > Profiles > Session Settings)

I recommend Option B as it provides better security while accommodating mobile users.

Verification Steps:

  1. Update Connected App refresh token policy to 90 days
  2. Add ‘offline_access’ to OAuth scopes if missing
  3. Extend session timeout to 4 hours for mobile profiles
  4. Enable IP relaxation for field sales profiles
  5. Test with a pilot group of field users for 48 hours
  6. Monitor OAuth token refresh events in Event Monitoring

Monitoring and Validation: Enable Event Monitoring for OAuth tokens and watch for these events:

  • LoginAs events (indicates forced re-authentication)
  • OAuth Token Refresh events (should show successful refreshes)
  • Session hijacking events (validates security isn’t compromised)

After implementing these changes, your mobile users should maintain persistent authentication throughout their workday without forced logouts. The combination of extended refresh token validity, proper scope configuration, and relaxed IP restrictions for mobile profiles will resolve the field sales disruption while maintaining reasonable security controls.
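The proactive refresh, exponential backoff and token-storage points from the answer above, worked through as an added example; this is not code from the thread or from the Salesforce Mobile SDK. The token endpoint is stubbed through an injected `refreshFn`, the error shape (`{ error: 'invalid_grant' }`, mirroring the `HTTP 401: invalid_grant` log line in the question), the session fields and the token response shape are all assumptions, and `waitFn` replaces real sleeping so the code runs offline. The one defender-side check it adds beyond the answer's text is that with "Rotate refresh token on use" enabled, the rotated refresh token returned by the server must overwrite the stored one; replaying the old copy is one way to get exactly "refresh_token expired or revoked".

```javascript
// Added example (not from the thread or the Salesforce Mobile SDK): proactive
// token refresh with exponential backoff for transient failures and a
// non-retryable path for invalid_grant. Kept synchronous with an injected
// waitFn so it runs offline; a real app would await the HTTP call instead.

const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
const MAX_ATTEMPTS = 4;                   // one initial call plus three retries
const BASE_BACKOFF_MS = 500;              // 500 ms, 1 s, 2 s between attempts

// Assumed (hypothetical) error object thrown by refreshFn, modelled on the log:
//   Error { status: 401, error: 'invalid_grant' }
function isNonRetryable(err) {
  return Boolean(err) && err.error === 'invalid_grant';
}

// True when fewer than REFRESH_MARGIN_MS remain on the access token.
function needsRefresh(expiresAtMs, nowMs) {
  return expiresAtMs - nowMs < REFRESH_MARGIN_MS;
}

// Calls refreshFn up to MAX_ATTEMPTS times. Transient errors (a dropped
// connection while moving between cell and WiFi) back off exponentially;
// invalid_grant means the refresh token is expired, revoked, or a stale
// pre-rotation copy, so the only recovery is an interactive re-login.
function refreshWithBackoff(refreshFn, waitFn) {
  for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
    try {
      return { ok: true, attempts: attempt + 1, token: refreshFn() };
    } catch (err) {
      if (isNonRetryable(err)) {
        return { ok: false, reason: 'reauth_required', attempts: attempt + 1 };
      }
      if (attempt + 1 < MAX_ATTEMPTS) waitFn(BASE_BACKOFF_MS * 2 ** attempt);
    }
  }
  return { ok: false, reason: 'transient_exhausted', attempts: MAX_ATTEMPTS };
}

// session: { accessToken, refreshToken, expiresAtMs }, assumed to live in
// platform secure storage (Keychain/Keystore). Token values are never logged.
function ensureFreshToken(session, refreshFn, nowMs, waitFn) {
  if (!needsRefresh(session.expiresAtMs, nowMs)) {
    return { ok: true, refreshed: false, session };
  }
  const result = refreshWithBackoff(refreshFn, waitFn);
  if (!result.ok) {
    return { ok: false, refreshed: false, reason: result.reason, attempts: result.attempts, session };
  }
  const t = result.token; // assumed shape: { accessToken, expiresInSec, refreshToken? }
  const next = {
    accessToken: t.accessToken,
    // With "Rotate refresh token on use", the new token MUST replace the old one.
    refreshToken: t.refreshToken || session.refreshToken,
    expiresAtMs: nowMs + t.expiresInSec * 1000,
  };
  return { ok: true, refreshed: true, attempts: result.attempts, session: next };
}

function transientError() {
  return Object.assign(new Error('network_error'), { status: 0, error: 'network_error' });
}

function invalidGrantError() {
  return Object.assign(new Error('invalid_grant'), { status: 401, error: 'invalid_grant' });
}

// Constructed sample run: the endpoint fails twice on the network, then succeeds
// and returns a rotated refresh token. Returns the recorded backoff delays too.
function demo() {
  const waits = [];
  let calls = 0;
  const flakyEndpoint = () => {
    calls++;
    if (calls < 3) throw transientError();
    return { accessToken: 'at-new', refreshToken: 'rt-rotated', expiresInSec: 7200 };
  };
  const nowMs = 1000000;
  const session = { accessToken: 'at-old', refreshToken: 'rt-old', expiresAtMs: nowMs + 60000 };
  const result = ensureFreshToken(session, flakyEndpoint, nowMs, ms => waits.push(ms));
  return { waits, result };
}
```

The decisive branch is the `invalid_grant` one: retrying it only burns the backoff budget and produces more of the same log lines, so the app should surface a re-login immediately and the operator should look at refresh token policy and storage rather than at network retries.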

We’re using the Salesforce Mobile SDK for both iOS and Android. The Connected App does have ‘refresh_token offline_access’ in the scope, but I just noticed the refresh token policy is set to expire after 1 day instead of the standard setting. Could that be causing the premature expirations? Also, our IP relaxation settings might be too restrictive for mobile users who are constantly changing locations. I’ll test with a longer refresh token validity period and relaxed IP restrictions.