Limit the Idle Refresh Token TTL in Connected Apps
For improved security, set a 30-day limit on the idle refresh token TTL (time-to-live), which is the amount of time that a refresh token can remain unused before it expires. The idle TTL works as a sliding window: each time the token is used within the 30-day period, its idle TTL resets. The security gain is that a refresh token that is no longer being used by its legitimate client (for example, one left behind in a decommissioned integration or copied from a compromised host) stops working within 30 days instead of staying valid until someone notices and revokes it. As an app developer, when you turn on this limit, it affects the refresh token policies of your subscribers.
Required Editions

| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Connected apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| Connected apps can be installed in: all editions |

| User Permissions Needed | |
|---|---|
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
Work with your subscribers to let them know when you’re enabling these changes. Here are a few highlights that are important for you and your subscribers to know.
- These policies are affected by the limit:
  - Refresh token is valid until revoked
  - Expire refresh token after number unit of time
  - Expire refresh token if not used for number unit of time
- For the "Refresh token is valid until revoked" and "Expire refresh token if not used for number unit of time" policies, the limit introduces inconsistencies between the UI, the runtime behavior, and the app's metadata. To resolve them, update your apps and encourage subscribers to do the same.
- The "Immediately expire refresh token" policy isn't affected by the limit.
Here’s a detailed overview of how this limit affects each policy.
| Refresh Token Policy | Behavior Changes with Idle TTL Limit | How to Fix Inconsistencies with UI, Behavior, and Metadata |
|---|---|---|
| Refresh token is valid until revoked | This policy is no longer valid once the idle TTL limit is enforced. In the UI, this option is hidden and the policy selection changes to "Expire refresh token if not used for specific time" with the validity period set to 30 days. | Salesforce doesn't automatically update the app's metadata to reflect this change. To update the ConnectedAppOauthPolicy metadata type, change the value of the refreshTokenPolicy field to specific_inactivity:30:DAYS. |
| Immediately expire refresh token | None | Not applicable |
| Expire refresh token after number unit of time | Refresh tokens still use the validity period configured in the app policies. If it's longer than 30 days, the idle TTL limit also applies. For example, if the configured validity period is 1 year, an idle token still expires after 30 days, while a token in continuous use can last up to 1 year. | Not applicable |
| Expire refresh token if not used for number unit of time | The validity period configured in this policy already works as an idle TTL with a sliding window. The only change is that the configured validity period can't be longer than 30 days. | Salesforce doesn't automatically update the UI or metadata to reflect this change. Set the validity period in the app policies and in the refreshTokenPolicy field of the ConnectedAppOauthPolicy metadata type to 30 days or less (for example, specific_inactivity:30:DAYS) so that the configuration matches the enforced behavior. |
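The table above describes the runtime effect of the limit on each policy in prose. The following Python model, added here as an illustration and not Salesforce code, makes the sliding-window and absolute-lifetime rules explicit and lets you check a concrete refresh history against them. The policy strings it parses are an assumption: only `specific_inactivity:30:DAYS` appears on this page, and the `infinite`, `zero` and `specific_lifetime:N:UNIT` forms, the unit names, and the 1-year scenario are assumed for the example.

```python
"""Sliding-window model of Salesforce refresh token policies under the
30-day idle TTL limit. Added example for this page, not Salesforce code.
Assumption (not stated on the page): refreshTokenPolicy values are
`infinite`, `zero`, `specific_lifetime:N:UNIT` and `specific_inactivity:N:UNIT`
with UNIT in SECONDS/MINUTES/HOURS/DAYS; only `specific_inactivity:30:DAYS`
appears on the page."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDLE_TTL_LIMIT = timedelta(days=30)
_UNITS = {"SECONDS": "seconds", "MINUTES": "minutes", "HOURS": "hours", "DAYS": "days"}


@dataclass(frozen=True)
class RefreshTokenPolicy:
    kind: str                      # infinite | zero | specific_lifetime | specific_inactivity
    period: Optional[timedelta] = None


def parse_policy(value: str) -> RefreshTokenPolicy:
    """Parse a refreshTokenPolicy value such as 'specific_inactivity:30:DAYS'."""
    parts = value.strip().split(":")
    if parts in (["infinite"], ["zero"]):
        return RefreshTokenPolicy(parts[0])
    if len(parts) == 3 and parts[0] in ("specific_lifetime", "specific_inactivity"):
        kind, count, unit = parts
        if count.isdigit() and unit in _UNITS:
            return RefreshTokenPolicy(kind, timedelta(**{_UNITS[unit]: int(count)}))
    raise ValueError(f"unrecognised refreshTokenPolicy value: {value!r}")


def effective_bounds(policy: RefreshTokenPolicy, idle_limit_on: bool
                     ) -> tuple[Optional[timedelta], Optional[timedelta]]:
    """(absolute lifetime, idle TTL) that apply to a token; None means unbounded.
    With the limit on, every policy except 'zero' gets an idle TTL of at most 30 days."""
    if policy.kind == "zero":
        return timedelta(0), None
    lifetime = policy.period if policy.kind == "specific_lifetime" else None
    idle = policy.period if policy.kind == "specific_inactivity" else None
    if idle_limit_on:
        idle = IDLE_TTL_LIMIT if idle is None else min(idle, IDLE_TTL_LIMIT)
    return lifetime, idle


def token_valid_at(policy: RefreshTokenPolicy, issued: datetime, uses: list[datetime],
                   at: datetime, idle_limit_on: bool = True) -> bool:
    """Is a token issued at `issued` and refreshed at the sorted times `uses` still
    valid at `at`? Each use resets the idle window, but a use that comes after the
    token has already expired does not revive it."""
    lifetime, idle = effective_bounds(policy, idle_limit_on)
    if lifetime is not None and at - issued >= lifetime:
        return False                 # absolute lifetime reached ('zero' is never valid)
    if idle is None:
        return True
    last = issued
    for use in uses:
        if use > at:
            break
        if use - last > idle:
            return False             # already idle-expired before this use happened
        last = use
    return at - last <= idle


def demo() -> dict[str, bool]:
    """Constructed scenarios mirroring the table: a 1-year lifetime policy with the limit on."""
    one_year = parse_policy("specific_lifetime:365:DAYS")
    t0 = datetime(2024, 1, 1)

    def day(n: int) -> datetime:
        return t0 + timedelta(days=n)

    return {
        "continuous_use": token_valid_at(one_year, t0, [day(20), day(45), day(70)], day(90)),
        "idle_40_days": token_valid_at(one_year, t0, [day(20)], day(60)),
        "idle_40_days_limit_off": token_valid_at(one_year, t0, [day(20)], day(60), idle_limit_on=False),
        "past_one_year": token_valid_at(one_year, t0, [day(n) for n in range(20, 400, 20)], day(370)),
        "until_revoked_now_30_days": token_valid_at(parse_policy("infinite"), t0, [], day(31)),
    }


if __name__ == "__main__":
    for name, valid in demo().items():
        print(f"{name}: {'valid' if valid else 'expired'}")
```

The `idle_40_days` and `idle_40_days_limit_off` scenarios are the same refresh history evaluated with and without the limit; the difference is exactly what a subscriber with a long "Expire refresh token after" period will observe after you enable it.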
To turn on the idle TTL limit, take these steps.

1. From Setup, in the Quick Find box, enter App and then click App Manager.
2. Find your app and click Edit.
3. In the API (Enable OAuth Settings) section, turn on Limit Idle Refresh Token Time-to-Live (TTL) to 30 Days.
4. Save your change.
5. Click Manage, and then select Edit Policies.
6. Fix any inconsistencies with the behavior, UI, and metadata. For specific information about what metadata types and fields to update, refer to the table above.
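Step 6 is the part that is easy to leave half done when an app's metadata is kept in source control. The following script, added here as an example and not Salesforce tooling, applies the two metadata fixes from the table to retrieved connected app metadata: it rewrites a "valid until revoked" policy to `specific_inactivity:30:DAYS` and clamps an inactivity period longer than 30 days to that same value, leaving the other policies untouched. It assumes the policy is stored at `ConnectedApp/oauthPolicy/refreshTokenPolicy` in a `*.connectedApp-meta.xml` file in the `http://soap.sforce.com/2006/04/metadata` namespace, and that the values other than `specific_inactivity:30:DAYS` are spelled `infinite`, `zero` and `specific_lifetime:N:UNIT`; the sample document is constructed for the example.

```python
"""Audit and fix refreshTokenPolicy in retrieved ConnectedApp metadata so that it
matches the 30-day idle TTL limit. Added example, not Salesforce tooling.
Assumptions (not stated on the page): the field lives at
ConnectedApp/oauthPolicy/refreshTokenPolicy in <App>.connectedApp-meta.xml
under the http://soap.sforce.com/2006/04/metadata namespace, and the values
besides specific_inactivity:30:DAYS are infinite, zero and specific_lifetime:N:UNIT."""
from __future__ import annotations

import re
import sys
import xml.etree.ElementTree as ET
from datetime import timedelta
from pathlib import Path

NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", NS)          # keep the default namespace, no ns0: prefixes on output
LIMIT = timedelta(days=30)
LIMIT_VALUE = "specific_inactivity:30:DAYS"
_UNIT = {"SECONDS": "seconds", "MINUTES": "minutes", "HOURS": "hours", "DAYS": "days"}
_INACTIVITY = re.compile(r"^specific_inactivity:(\d+):(SECONDS|MINUTES|HOURS|DAYS)$")


def compliant_value(value: str) -> str:
    """Map a refreshTokenPolicy value to the one that matches the enforced limit."""
    value = value.strip()
    if value == "infinite":            # 'valid until revoked' is hidden once the limit is on
        return LIMIT_VALUE
    m = _INACTIVITY.match(value)
    if m and timedelta(**{_UNIT[m.group(2)]: int(m.group(1))}) > LIMIT:
        return LIMIT_VALUE             # inactivity period can't exceed 30 days
    return value                       # zero, specific_lifetime, or a short inactivity period


def fix_connected_app_xml(xml_text: str) -> tuple[str, list[tuple[str, str]]]:
    """Return the rewritten document and a list of (old, new) policy changes."""
    root = ET.fromstring(xml_text)
    changes: list[tuple[str, str]] = []
    for node in root.iter(f"{{{NS}}}refreshTokenPolicy"):
        old = (node.text or "").strip()
        new = compliant_value(old)
        if new != old:
            changes.append((old, new))
            node.text = new
    return ET.tostring(root, encoding="unicode"), changes


# Constructed sample of a retrieved connected app; not a real app.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Partner Sync</label>
    <contactEmail>ops@example.com</contactEmail>
    <oauthConfig>
        <callbackUrl>https://login.salesforce.com/services/oauth2/callback</callbackUrl>
        <scopes>Api</scopes>
        <scopes>RefreshToken</scopes>
    </oauthConfig>
    <oauthPolicy>
        <refreshTokenPolicy>infinite</refreshTokenPolicy>
    </oauthPolicy>
</ConnectedApp>
"""


def main(paths: list[str]) -> None:
    """Rewrite each file in place and report what changed (ElementTree drops XML comments)."""
    for path in map(Path, paths):
        fixed, changes = fix_connected_app_xml(path.read_text(encoding="utf-8"))
        if changes:
            path.write_text('<?xml version="1.0" encoding="UTF-8"?>\n' + fixed + "\n", encoding="utf-8")
        for old, new in changes:
            print(f"{path}: {old} -> {new}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])
    else:
        print(fix_connected_app_xml(SAMPLE)[1])
```

Run it over the connected app files in a retrieved package, then deploy and compare against the policy shown under Manage > Edit Policies; an app whose file reports no changes is already consistent with the limit. Because ElementTree drops XML comments, review the diff before committing the rewritten files.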

