Salesforce Provisioning Error "Authorization failed, unable to refresh Access Token for salesforce"
Overview

The Salesforce provisioning flow fails with the following error, which is visible in the Okta dashboard:

Error message: Automatic provisioning of user to app Salesforce.com failed: com.sun.jersey.api.client.ClientHandlerException: Authorization failed, unable to refresh Access Token for salesforce

Error Message

Applies To
  • Salesforce
  • Provisioning
  • Error
Cause

In Salesforce, the Refresh Token Policy for the connected OAuth app is not set to "Refresh token is valid until revoked".

Solution
  1. In Salesforce, navigate to the connected OAuth app. Click the Manage button on the page where the Consumer Key and Consumer Secret are located. Verify that the Refresh Token Policy is set to "Refresh token is valid until revoked".
  2. If it is not set, click the Edit Policies button and set it to "Refresh token is valid until revoked".

Refresh Token Policy

Also, verify that these OAuth scopes are selected for the Connected OAuth App:

OAuth scopes

  1. After making the changes, go to the Okta admin panel and navigate to Applications > Salesforce > Provisioning > Integration > Edit.
  2. Click Re-authenticate with Salesforce.com.
  3. In the new Salesforce.com window, enter the administrator username and password used to create the Connected OAuth App.
  4. Click Allow to permit access to the Connected App.
  5. Click Save.
  6. Attempt the failed Okta task again.

 
