+ Start a Discussion
zgcharley_09zgcharley_09 

Distributed same copy of access_token and refresh_token, will it be problem to refresh the token in different process?

The case is after authorization, I get the access_token and refresh_token and then distribute the same copy of tokens to different runtime instances. And I'd like to let each runtime instance to have separated token refresh cycle.
After the access_token is expired, there will be token refresh request happened in different instances. So the questions are:
1. Since the refresh_token is same, will be the new generated access_token still same among different instances?

2. If not same, that means there might be a lot active access tokens. As per Salesforce, one connected app can only have maximum 5 active access tokens https://success.salesforce.com/answers?id=90630000000Cy3EAAS&feedtype=RECENT&dc=All&criteria=OPENQUESTIONS& Then some of running instances will have issue to subsequent REST API call?
NagendraNagendra (Salesforce Developers) 
Hi,

Based on empirical observation, using the same refresh_token to repeatedly request an access_token yields exactly the same result.

I tested establishing a session from only the known refresh_token several times over the course of 5 minutes. In all cases I got the same session ID back. This is consistent with how the login() method works in the Partner API. You keep getting the same session back until the original is invalidated, either via an explicit logout or a timeout.

Try monitoring it from the User Session Information tab. You will see the Updated and Valid until values changing, but the Created data won't change.
User-added image
Your result may vary using the refresh_token from differ IPs simultaneously.

Regards,
Nagendra.
zgcharley_09zgcharley_09
Hi Nagendra,

Thanks for your reply. 

So as per your exeprience, if the session is not expired(no logout, no timeout), no matter how many times login() or token refresh request, Salesforce will still return the same session id. Am I correct?

For my use case, if the token renewal at Salesforce server side is a "lock" operation, based on your observation, I think my use case should work fine too. 

Thanks,
Charley.