in Digging_Deeper_into_OAuth_2.0_on_Force.com (https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com). It is mentioned that it is only revoked by the user:
The refresh token represents the user's authorization to the application, and is valid until explicitly revoked by the user, via My Settings ➤ Personal ➤ Advanced User Details ➤ OAuth Connected Apps.
However, there is an edit in the same doc that mentiones that refresh token also have an expiration time:
The refresh token may have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server.
Since refresh tokens may expire or be revoked by the user outside the control of the client application, the client must handle failure to obtain an access token, typically by replaying the protocol from the start.
In this situation, the client application can use the refresh token to obtain a new access token. The refresh token represents the user's access grant to the application, and is valid until explicitly revoked by the user, via Setup ➤ My Personal Information ➤ Remote Access.
This is untrue.
I have a remote application that uses the OAuth web server flow. After I generate refresh and access tokens for a user, I fetch that user's data (accounts, contacts, leads, etc.) periodically. When the access token expires I generate a new one using the refresh token. This all happens in a long running process.
If I kill this process and start it up the next day or a few hours later, I receive an error message from the API telling me that the access token / refresh token has expired. If I try to refresh the token, I receive the same error message from the refresh token API endpoint. I take this to mean that the refresh token has also expired.
The user has not revoked access to the application nor has logged into any salesforce related applications or created any new salesforce browsing sessions. So nothing has happened except the passing of time.
Why is this happening? Can I prevent this in any way? As it stands now, this totally defeats the purpose of the refresh token schema.
Since there are no replies and many views: Does anyone periodically fetch data from salesforce accounts without storing a user's username and password, and without having the user's constantly reauthorize your external application? What does your workflow look like?