Mobile Sales Lightning app stuck in login loop after Winter '24 update

Our sales team updated the Salesforce Mobile app to the Winter '24 version last week, and now approximately 40% of users are experiencing continuous login loops. They enter credentials, the app shows a loading spinner, then returns to the login screen without any error message.

I’ve checked the OAuth callback URL in our Connected App settings and it matches the standard Salesforce Mobile configuration:


salesforce://success
com.salesforce.chatter://oauth_callback

The issue affects both iOS and Android users randomly. Some users on the same device models work fine while others are stuck. Session settings show standard timeout values (2 hours), and I’ve verified the app version is 25.2.1 which should be compatible with Winter '24.

Mobile session tokens appear to be created in Setup → Session Management, but users still can’t access the app. Has anyone resolved login loop issues after Winter '24 updates? Our field sales team is unable to work.

Winter '24 introduced enhanced OAuth security for mobile apps. Check if your Connected App has “Require Secret for Web Server Flow” enabled - this can cause login loops if the mobile app configuration wasn’t updated accordingly. The callback URL looks correct, but verify the Connected App is set to use OAuth 2.0 Mobile Device Flow specifically.

That permitted users setting shouldn’t cause login loops, but it might affect initial authorization. The real issue with Winter '24 is app version compatibility validation. Check your Mobile Publisher settings under Setup → Mobile Publisher → Salesforce Mobile App. There might be minimum version requirements that conflict with cached sessions from older app versions. Users need to fully uninstall and reinstall the app to clear OAuth token cache.

Quick diagnostic: Have affected users try logging in via browser on their mobile device (not the app). If that works, it’s definitely an app-specific OAuth issue. If browser login also fails, it’s a broader authentication or IP restriction problem.

Here’s the complete solution addressing all three focus areas:

OAuth Callback URL Configuration: While your callback URLs are correct, Winter '24 requires explicit OAuth scope configuration in the Connected App. Navigate to Setup → App Manager → [Your Mobile Connected App] → Manage → Edit Policies.

Ensure these OAuth scopes are selected:

  • Full access (full)
  • Perform requests at any time (refresh_token, offline_access)
  • Access unique user identifiers (openid)

Verify the callback URL includes both:


salesforce://success
com.salesforce.chatter://oauth_callback

Critical: Add this callback for Winter '24 compatibility:


salesforceapp://oauth_callback

Mobile Session Token Reset Process: Winter '24 changed session token validation. Implement this three-step reset:

  1. Revoke existing sessions: Setup → Users → [Affected User] → Session Information → Expire All Sessions
  2. Clear Connected App authorizations: Setup → Connected Apps OAuth Usage → Select your mobile app → Revoke all tokens
  3. Force app cache clear: Instruct users to:
    • iOS: Delete app → Restart device → Reinstall from App Store
    • Android: Settings → Apps → Salesforce → Storage → Clear Data → Clear Cache → Reinstall

App Version Compatibility Fix: The 40% failure rate suggests a gradual rollout issue. Winter '24 introduced stricter app version validation:

  1. Verify minimum version: Setup → Mobile Publisher → Mobile App Management. Ensure minimum version is set to 25.0 or higher (25.2.1 is correct)
  2. Check deployment status: Some users might have auto-update disabled. Run this SOQL to identify outdated app versions:

SELECT UserId, Application, ClientVersion, LoginTime
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:7 AND Application LIKE '%Salesforce%Mobile%'

  3. Update Connected App API version: Edit Connected App → API Version → Set to 59.0 (Winter '24)

Root Cause: Winter '24 invalidated OAuth tokens from pre-59.0 API versions when app version validation was enabled. The cached tokens from older sessions are incompatible with the new security model.

Implementation Steps:

  1. Add the new callback URL (salesforceapp://oauth_callback)
  2. Update Connected App API version to 59.0
  3. Revoke all existing mobile OAuth tokens
  4. Deploy mobile app configuration update notification to all users
  5. Provide clear reinstall instructions
  6. Monitor LoginHistory for successful authentications

Prevention: Enable “Require app version 25.0 or higher” in Mobile Publisher settings before major releases. This forces users to update before authentication changes take effect, preventing login loop scenarios.

After implementing these changes, affected users should be able to log in successfully. The login loop occurs because the app attempts to use cached tokens that fail Winter '24 validation, triggering repeated authentication attempts without clear error messages.

I encountered this exact scenario. The issue is that Winter '24 changed how mobile session tokens are validated against app versions. If users have cached authentication data from pre-Winter '24, the tokens become invalid after the org upgrade. The solution involves clearing cached credentials on affected devices and ensuring the Connected App policy allows for token refresh. Have you checked the Connected App’s Session Policies? Specifically, look at “Refresh Token Policy” - it should be set to either “Refresh token is valid until revoked” or have an appropriate timeout configured.

Checked the Connected App settings. Refresh Token Policy is set to “Refresh token is valid until revoked” which seems correct. However, I noticed the Permitted Users setting is “Admin approved users are pre-authorized”. Could this be related?

Also verify your session security settings. Navigate to Setup → Session Settings and check “Lock sessions to the IP address from which they originated” and “Enforce login IP ranges on every request”. If these are enabled and your mobile users have dynamic IPs, it can cause repeated authentication failures that manifest as login loops.
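
As an added example (not part of the thread and not Salesforce code), here is a triage script for the LoginHistory monitoring step and the session IP-locking check discussed above: it flags users with a burst of mobile logins inside a short window and notes whether the source IP changed within the burst. The CSV rows, the burst thresholds and the two hint labels are assumptions made for the illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real data), shaped like a CSV export of LoginHistory.
SAMPLE = """UserId,Application,LoginTime,SourceIp
005A,Salesforce Mobile iOS,2023-10-16T09:00:05Z,198.51.100.7
005A,Salesforce Mobile iOS,2023-10-16T09:00:50Z,198.51.100.7
005A,Salesforce Mobile iOS,2023-10-16T09:01:40Z,198.51.100.7
005A,Salesforce Mobile iOS,2023-10-16T09:02:30Z,198.51.100.7
005B,Salesforce Mobile Android,2023-10-16T10:10:00Z,203.0.113.20
005B,Salesforce Mobile Android,2023-10-16T10:12:00Z,203.0.113.99
005B,Salesforce Mobile Android,2023-10-16T10:13:30Z,203.0.113.20
005C,Salesforce Mobile iOS,2023-10-16T08:00:00Z,192.0.2.15
005C,Salesforce Mobile iOS,2023-10-16T13:00:00Z,192.0.2.15
005D,Browser,2023-10-16T11:00:00Z,192.0.2.44
005D,Browser,2023-10-16T11:00:30Z,192.0.2.44
005D,Browser,2023-10-16T11:01:00Z,192.0.2.44
"""

# Same match as the thread's LIKE '%Salesforce%Mobile%' filter.
MOBILE_APP = re.compile(r"Salesforce.*Mobile")

def parse(text):
    """Read exported rows, keep mobile-app logins, convert LoginTime to datetime."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if MOBILE_APP.search(r["Application"]):
            r["LoginTime"] = datetime.strptime(r["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
            rows.append(r)
    return rows

def find_loops(rows, min_events=3, window=timedelta(minutes=5)):
    """Return {UserId: hint} for users with >= min_events logins inside `window`.
    Hint (assumed heuristic): 'ip-change' = source IP varied inside the burst,
    so review the session IP-locking settings; 'same-ip' = look at cached tokens."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["UserId"]].append(r)
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["LoginTime"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits inside `window`.
            while events[end]["LoginTime"] - events[start]["LoginTime"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_events:
                ips = {e["SourceIp"] for e in burst}
                flagged[user] = "ip-change" if len(ips) > 1 else "same-ip"
                break
    return flagged
```
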