Loading

Consumer Goods Cloud: OAUTH_APPROVAL_ERROR_GENERIC blocks all users from CG Cloud Offline Mobile App login

Publish Date: May 27, 2026
Description

When a field rep launches the Consumer Goods Cloud Offline Mobile App and scans the QR code or enters credentials, login fails with:

  • Title: "OAuth Error"
  • Message: "We cannot authorize you due to an OAuth error. Please contact your Salesforce administrator for more information."
  • Error code: OAUTH_APPROVAL_ERROR_GENERIC
  • Secondary message: "An unexpected error occurred during authentication. Please try again."

The same users can still log in to Salesforce on the web browser. Only the offline mobile app and the Visual Studio Code Based Modeler simulator are blocked.

Root cause: As of August 28, 2025 for new orgs and rolling out from September 2, 2025 for existing orgs, Salesforce restricts login through custom connected apps that are not installed in the org. The CG Cloud Offline Mobile App connects through a connected app whose Consumer Key is shared with field reps via QR code. If that connected app is referenced through OAuth Usage but not installed — or the default Consumer Goods Cloud connected app introduced in Spring '24 is not installed — every mobile login attempt fails with OAUTH_APPROVAL_ERROR_GENERIC.

Affected configuration:

  • Consumer Goods Cloud Retail Execution, Enterprise and Unlimited Editions with Consumer Goods Cloud enabled
  • Platforms: iOS, iPadOS, and Android; also VS Code Based Modeler
  • Environments: Production and sandbox orgs
Prerequisite(s)
  • Consumer Goods Cloud enabled (Enterprise or Unlimited Edition)
  • CGCloud Business Admin or CGCloud Retail Business Admin permission set for the admin performing the fix
  • Access to Setup > Identity > Connected Apps OAuth Usage
  • Consumer Goods Cloud Offline Mobile App installed on iOS, iPadOS, or Android for testing
  • QR code or connected app Consumer Key used by field reps
Resolution

Work through each cause in order.

Cause 1: The connected app used by the mobile app is not installed in the org

  1. Log in to the affected Salesforce org as an administrator with the CGCloud Business Admin or CGCloud Retail Business Admin permission set.
  2. Navigate to Setup > Identity > Connected Apps OAuth Usage.
  3. Locate the row for the connected app whose Consumer Key your admins shared with field reps via QR code (the default app is named "Consumer Goods Cloud Offline Mobile App").
  4. In the Action column, click Install. If the button shows Installed, the app is already installed — proceed to Cause 2.
  5. On the install confirmation page, accept the default profile or permission set assignment that includes your mobile users (CGCloud Sales User or CGCloud Retail Sales User), then click Install.
  6. Ask one affected user to fully close the CG Cloud Offline Mobile App, swipe it out of the background, reopen it, and log in again. If login still fails, uninstall and reinstall the app from the App Store or Google Play and rescan the QR code.

Cause 2: Connected app OAuth settings do not match CG Cloud requirements

  1. Navigate to Setup > Apps > External Client Apps > Settings and open the connected app referenced by your QR code.
  2. Confirm the following OAuth settings:
    • Enable OAuth Settings: selected
    • Callback URL: https://login.salesforce.com/services/oauth/success (production) or https://test.salesforce.com/services/oauth/success (sandbox)
    • Selected OAuth Scopes: Access the identity URL service; Manage user data via APIs (api); Perform requests at any time (refresh_token, offline_access)
    • Require Secret for Web Server Flow: deselected
    • Require Secret for Refresh Token Flow: deselected
    • Issue JWT-based access tokens for named users: deselected
  3. Click Save.
  4. Click Manage > Edit Policies and confirm Permitted Users is set to Admin approved users are pre-authorized, and that the relevant profiles or permission sets are assigned.
  5. Regenerate and redistribute the QR code from your connected app launcher org.

Cause 3: Sandbox login on Android fails after the 260 release

  1. On the mobile device Log In page, tap the gear icon.
  2. Select Change Server > Sandbox on Android, or Choose Connection > Sandbox on iOS.
  3. Add a custom connection using the org's My Domain URL (for example, yourdomain--sandboxname.sandbox.my.salesforce.com) instead of logging in through test.salesforce.com.
  4. Enter credentials and tap Log In to Sandbox.

Confirm the fix: Ask an affected sales rep to fully close the app, reopen it, scan the QR code (or enter credentials), and complete a full login to the User cockpit (Your Day) page without the OAUTH_APPROVAL_ERROR_GENERIC screen.

Knowledge Article Number

005385096

 
Loading
Salesforce Help | Article