salesforce

What is the expiration time of the access token I got from the connected app on Salesforce?


I got an access token using the client ID and client secret of the connected app to Salesforce.

If the session policies of the connected app have a timeout value of 'none' and the user does not log out manually, can I continue to use the value of the access token unchanged?

If not, how can I use the access token without changing its value? I know it's not safe for security, but I'm asking because the client wants these requirements.


Solution

  • It'll be whatever is written on the connecting user's Profile -> Session Settings. And it's based on an activity timer, so making a dummy request every X hours should keep the connection open.

    But don't treat that time as an oracle:

    • the session might expire after the password expires/is changed. Does the user's profile have "Password never expires"?
    • an admin can terminate sessions anytime in Setup -> Session Management, for example when they suspect hacking
    • if you have a cloud app and your program gets silently moved to another application server or something - it might die if your public IP changes and the org is configured to lock sessions to the IP from which they originated. Same if you're behind a proxy (I had a situation where the connecting party was behind some cloud-based proxy, every single request was from a different Amazon East Coast IP, "fun")
    • once in a blue moon SF migrates orgs across data centres, makes changes to domain names (in May or so there was a big update to enable "enhanced domains", now there's noise about moving to Hyperforce...) these things might mean a change to the instance_url you're supposed to use. So the session id was still ok but the endpoint changed ;)

    If you want an uninterrupted connection it's just a little more work to obtain a refresh token and regenerate the access token whenever it expires, smarter than fragile pinging of the server every X hours. Or there's the JWT option where you authenticate with "username + certificate uploaded earlier to both SF and client + the fact this user is preauthorised in SF" rather than "username + password". This will work even after a password reset, until the certificate expires.
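The two alternatives the answer recommends, re-authenticating on demand with the JWT bearer flow or the refresh-token flow, as an added Python example that is not part of the original answer. The token endpoint, grant types and JWT claim set (iss = consumer key, sub = username, aud = login host, exp within 3 minutes, RS256) are the documented Salesforce ones; the consumer key, username, key material and the `/services/data/vNN.0/...` path in any real call are placeholders you supply, and the HTTP transport is injectable so the retry logic can be exercised offline. Only `rs256_signer()` needs a third-party package (`cryptography`); everything else is standard library.

```python
"""Re-authenticate on demand instead of pinging Salesforce every X hours.

Added example, not code from the original post. Stdlib only, except the
optional rs256_signer(), which needs the `cryptography` package. Consumer
key, username, key material and API version are placeholders you supply.
"""
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

TOKEN_PATH = "/services/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# transport(url, form_or_None, headers) -> (status, body); form present means POST
Transport = Callable[[str, Optional[Dict[str, str]], Dict[str, str]], Tuple[int, str]]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_jwt_assertion(consumer_key: str, username: str, audience: str,
                        sign: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """RS256 JWT as Salesforce expects it: iss = connected-app consumer key,
    sub = preauthorised username, aud = https://login.salesforce.com (or
    https://test.salesforce.com for sandboxes), exp at most 3 minutes ahead."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": consumer_key, "sub": username, "aud": audience, "exp": now + 180}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def rs256_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Sign with the private key whose certificate was uploaded to the app."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def jwt_bearer_grant(consumer_key, username, audience, sign) -> Callable[[], Dict[str, str]]:
    """Token-request form for the JWT flow: outlives password resets, ends
    when the certificate expires or the user loses preauthorisation."""
    return lambda: {"grant_type": JWT_BEARER,
                    "assertion": build_jwt_assertion(consumer_key, username, audience, sign)}


def refresh_token_grant(client_id, client_secret, refresh_token) -> Callable[[], Dict[str, str]]:
    """Token-request form for the refresh-token flow (needs the refresh_token scope)."""
    return lambda: {"grant_type": "refresh_token", "client_id": client_id,
                    "client_secret": client_secret, "refresh_token": refresh_token}


def urllib_transport(url: str, form: Optional[Dict[str, str]],
                     headers: Dict[str, str]) -> Tuple[int, str]:
    """POST the form if given, else GET; HTTP errors come back as (code, body)."""
    data = urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class SalesforceSession:
    """One access token, re-fetched once on 401 rather than on a guessed
    timer. instance_url is taken from every token response, so an org
    migration that changes it is absorbed at the next re-authentication."""

    def __init__(self, login_url: str, grant: Callable[[], Dict[str, str]],
                 transport: Transport = urllib_transport):
        self.login_url, self.grant, self.transport = login_url, grant, transport
        self.access_token: Optional[str] = None
        self.instance_url: Optional[str] = None

    def authenticate(self) -> None:
        status, body = self.transport(self.login_url + TOKEN_PATH, self.grant(),
                                      {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body}")
        token = json.loads(body)
        self.access_token, self.instance_url = token["access_token"], token["instance_url"]

    def get(self, path: str) -> Tuple[int, str]:
        for attempt in (0, 1):
            if self.access_token is None:
                self.authenticate()
            status, body = self.transport(self.instance_url + path, None,
                                          {"Authorization": "Bearer " + self.access_token})
            if status == 401 and attempt == 0:   # timed out, killed in Setup, IP-locked...
                self.access_token = None         # discard it and fetch a fresh one
                continue
            return status, body
        raise AssertionError("unreachable")
```

In production you would construct it as `SalesforceSession("https://login.salesforce.com", jwt_bearer_grant(CONSUMER_KEY, USERNAME, "https://login.salesforce.com", rs256_signer(open("server.key", "rb").read())))` and call `.get("/services/data/vNN.0/...")`; swapping in `refresh_token_grant(...)` changes nothing else. The single retry on 401 is deliberate: a second 401 after a fresh token means the user, the app or the certificate is the problem, not the session, and looping would only hammer the login endpoint.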