
We're using a 3rd party webform tool (FormTitan) that pushes data into Salesforce using an OAuth connection. The connection was reset unexpectedly which caused the form to start failing.

The message in the error log was "Account invalid_grant: expired access/refresh token"

When contacting the app provider we were informed that the access token was revoked by Salesforce, and they suggested it was because we had multiple services and/or users using a single Salesforce account. I do not find this very plausible because it's pretty common to use a single API user account for multiple integrations and I've never had a token revoked in this way before, seemingly at random.

What I'd like to determine is how or why the access token was revoked. I've reviewed the setup audit history trail and there's nothing that looks remotely like it would have revoked access. There were no changes to the integration user's account like password, security token, etc. I do not see any way to look at the history of an OAuth connection for a particular app.

Is there any way to troubleshoot this, or would I need something like a user trace on when the token is revoked to figure out specifics? I want to understand whether this is something that is likely to happen again and can be addressed on the Salesforce end, or whether it's more likely an issue with the app & I need to press them to investigate.

Edit after being pointed to this thread:

When I look at the OAuth connected apps page, I can see there are 4 instances of FormTitan connections, including several new ones on July 11th and one on the 12th. I also don't see any other apps listed more than 4 times, although a number of others are listed 4 times exactly. I find it odd that many apps max out the active sessions but have no connection errors. I'm speculating that by design, when a token in those apps has expired they automatically replace it with a token from the most recent session? I could be way off here but still struggling to understand whether this is a problem I created or whether it's due to the design of the app.


duncanm
  • https://salesforce.stackexchange.com/questions/65590/connected-app-avoiding-a-limit-on-a-number-of-issued-tokens-token-expiration is a good read. – identigral Jul 14 '22 at 21:04
  • Thanks, it is, and I've updated the original post with some additional information. Given that this is an app provided by a 3rd party ISV, I'm still struggling to understand why other apps don't break when the 5th session is created (which I'm guessing is what happened) but this one did. – duncanm Jul 15 '22 at 02:00
  • Suggested approach: attempt reproducing the issue with an OAuth client of your own. If you have enough information from/about FormTitan's behavior, you can include that in your repro attempt. Mimicking FormTitan isn't strictly necessary to answer your question - if you spend enough time with repro, you'll see how SF behaves. – identigral Jul 15 '22 at 16:24
  • Given that the problem I'm trying to solve is troubleshooting an issue with an ISV app and am a little out of my depth here, I'm not going to try reproducing unless it becomes a chronic issue. I think the answer to my question of whether it's possible to see (report) on why an OAuth token was revoked is 'No, you need to use trial & error.' – duncanm Jul 15 '22 at 17:34
  • Yes, unfortunately that's the answer. The other answer to your question is that it's far more likely to be an app-side problem than SF-side but you certainly can't rule SF (platform or your org-specific config) out. Feel free to create an idea on IdeaExchange that captures your "how to know what happened" use case. – identigral Jul 15 '22 at 17:56

0 Answers