• jeffatflowdotnet
  • NEWBIE
  • 25 Points
  • Member since 2012

From http://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com#Token_Refresh:

In this situation, the client application can use the refresh token to obtain a new access token. The refresh token represents the user's access grant to the application, and is valid until explicitly revoked by the user, via Setup ➤ My Personal Information ➤ Remote Access.

This is untrue.

I have a remote application that uses the OAuth web server flow. After I generate refresh and access tokens for a user, I fetch that user's data (accounts, contacts, leads, etc.) periodically. When the access token expires I generate a new one using the refresh token. This all happens in a long running process.

If I kill this process and start it up the next day or a few hours later, I receive an error message from the API telling me that the access token / refresh token has expired. If I try to refresh the token, I receive the same error message from the refresh token API endpoint. I take this to mean that the refresh token has also expired.

The user has not revoked access to the application, nor has the user logged into any Salesforce-related applications or created any new Salesforce browsing sessions. So nothing has happened except the passing of time.

Why is this happening? Can I prevent this in any way? As it stands now, this totally defeats the purpose of the refresh token schema.

Update:

Since there are no replies and many views: Does anyone periodically fetch data from Salesforce accounts without storing a user's username and password, and without having the user constantly reauthorize your external application? What does your workflow look like?
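An added example, not code from the original post, of the client-side handling the question calls for: a long-running fetcher that uses the refresh-token grant when the access token expires and treats the `invalid_grant` / "expired access/refresh token" reply as a signal that the stored grant is dead and the user must re-authorize, rather than retrying forever or falling back to a stored password. The HTTP transport is injected and `fake_salesforce` is a constructed responder for illustration; only `TOKEN_URL` and the error body come from the post.

```python
import json
from urllib.parse import urlencode
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

class ReauthorizationRequired(Exception):
    """Refresh token rejected: only a new interactive consent can restore access."""
class SalesforceSession:
    """One user's OAuth grant. http(method, url, headers, body) -> (status, text) is injected."""
    def __init__(self, http, client_id, client_secret, access_token, refresh_token):
        self.http, self.client_id, self.client_secret = http, client_id, client_secret
        self.access_token, self.refresh_token = access_token, refresh_token

    def refresh(self):
        # Refresh-token grant: credentials go in the form-encoded body, never the query string.
        form = {"grant_type": "refresh_token", "client_id": self.client_id,
                "client_secret": self.client_secret, "refresh_token": self.refresh_token}
        status, text = self.http("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form))
        data = json.loads(text)
        if status == 200:
            self.access_token = data["access_token"]
            return self.access_token
        if data.get("error") == "invalid_grant":
            # Grant is gone (revoked, or expired by policy): forget the stored tokens and hand control back to a consent step.
            self.access_token = self.refresh_token = None
            raise ReauthorizationRequired(data.get("error_description", ""))
        raise RuntimeError(f"token endpoint returned {status}: {text}")

    def get(self, url):
        """GET an API URL; on 401 refresh the access token and retry exactly once."""
        if self.access_token is None:
            raise ReauthorizationRequired("no valid grant stored")
        for attempt in range(2):
            status, text = self.http("GET", url, {"Authorization": "Bearer " + self.access_token}, None)
            if status != 401 or attempt == 1:
                break
            self.refresh()  # access token expired: obtain a fresh one, then retry
        if status != 200:
            raise RuntimeError(f"API call failed with {status}: {text}")
        return json.loads(text)

def fake_salesforce(refresh_still_valid):
    """Constructed stand-in: stored access token always expired; refresh token valid or dead."""
    def http(method, url, headers, body):
        if url != TOKEN_URL:  # data API: only the freshly issued token is accepted
            ok = headers.get("Authorization") == "Bearer NEW_TOKEN"
            return (200, json.dumps({"records": [{"Name": "Acme"}]})) if ok else (401, "[]")
        if refresh_still_valid:
            return 200, json.dumps({"access_token": "NEW_TOKEN"})
        return 400, json.dumps({"error": "invalid_grant", "error_description": "expired access/refresh token"})
    return http
```

When `ReauthorizationRequired` surfaces, the fetcher should stop the user's schedule and queue an interactive web-server-flow authorization; nothing else will make that grant work again.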

I signed up for force.com and created a remote application.

I can successfully complete the OAuth 2.0 username and password flow using my account credentials, and can subsequently fetch *my* data using the API.

However, when I use an account that is not the creator of the remote application, the response I receive is:

{"error":"invalid_grant","error_description":"expired access/refresh token"}

As far as I'm concerned, this is not even an error that I should be seeing, considering I am completing this flow to receive an access token.

The URL that I am POSTing to is:

https://login.salesforce.com/services/oauth2/token?response_type=token&redirect_uri=REDIRECT_URI

and my POST body is:

grant_type=password&client_id=KEY&client_secret=SECRET&username=EMAIL&password=PASSWORDSECURITY_TOKEN

All variables are replaced with the proper values as outlined in the document http://na9.salesforce.com/help/doc/en/remoteaccess_oauth_username_password_flow.htm

Can anyone see the problem with this?