Salesforce OAuth flow – getting a new refresh token

Tags: accesstoken, oauth2, refresh-token

I have set up OpenID to use Salesforce as the IDP for an external site. We are using embedded login and server-side callback flow.

I have a requirement to set the lifespan of the access token to 60 min and the refresh token to 120 min.

My question is once the access token expires after 60 min, we then need to use the refresh token to call for a new access token. The new access token will last 60 min, and at this point the refresh token will also last 60 min. What happens when both the access token and refresh token expire? There will be no refresh token to request a new access token. The user would have to re-authenticate and type in username/password again.

Is there a flow to get a refreshed refresh token?

Best Answer

You cannot refresh an expired or revoked Refresh Token. It is used to refresh the user's access to Salesforce (the Access Token) if it expires, and a Refresh Token cannot be used to access any Salesforce API. Given your hypothetical example, once the user's Access Token expires, and the Refresh Token expires, they will be forced to log in again.

If the Refresh Token was instead set to Refresh Until Duration, having short-lived sessions would allow a user to refresh indefinitely until the Refresh Token expired from inactivity.

However, note that Access Tokens themselves automatically refresh if they are used in the second half of their Session Duration. In other words, given a 60-minute Access Token, it will automatically reset its Session Duration to 60 minutes if any API calls are made with 30 minutes remaining or less.
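The timeline described in the answer above can be traced with a small model. This is an added example, not Salesforce code and not part of the original answer. The names `Policy` and `simulate` are hypothetical, and it assumes that a refresh-token use resets the inactivity timer when the inactivity-based policy is selected.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    session_min: int = 60          # access token session duration (value from the question)
    refresh_min: int = 120         # refresh token lifetime (value from the question)
    refresh_sliding: bool = False  # False: fixed expiry after issue; True: expiry after inactivity

def simulate(call_times, policy):
    """Trace API calls made at the given minutes after login.

    Returns a list of (minute, event). This models the behaviour the answer
    describes; it is not derived from Salesforce's implementation.
    """
    access_exp = policy.session_min
    refresh_exp = policy.refresh_min
    events = []
    for t in sorted(call_times):
        if t < access_exp:
            # Second-half rule: a call with half the session or less remaining
            # resets the session to its full duration.
            if access_exp - t <= policy.session_min / 2:
                access_exp = t + policy.session_min
                events.append((t, "session_extended"))
            else:
                events.append((t, "ok"))
        elif t < refresh_exp:
            # Access token expired, refresh token still valid: obtain a new access token.
            access_exp = t + policy.session_min
            if policy.refresh_sliding:
                refresh_exp = t + policy.refresh_min  # assumption: use resets the inactivity timer
            events.append((t, "refreshed"))
        else:
            # Both tokens expired: an expired refresh token cannot be renewed.
            events.append((t, "login_required"))
            break
    return events

if __name__ == "__main__":
    calls = [10, 40, 110, 180]  # constructed sample: minutes after login
    print("fixed expiry  :", simulate(calls, Policy()))
    print("inactivity    :", simulate(calls, Policy(refresh_sliding=True)))
    print("steady traffic:", simulate([40, 80, 120, 160, 200], Policy()))
```

With steady traffic every 40 minutes the session keeps extending and the refresh token is never needed, even past its 120-minute expiry; a gap longer than the session duration is what forces a refresh or a new login.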