@Itzik Koren @Matt Bahrenburg @Chuck Mortimore
We ran into a documented issue where Auth. Providers don't refresh their access tokens unless a previous callout returned HTTP 401. There's a large pool of potential integration partners within Czech banks that, unfortunately, return 403 as a response to an expired access token.
To my horror, they're following an API blueprint (they've all agreed upon) that mandates returning 403 as a specific response in this case.
I put together an idea to make it configurable when an Auth. Provider refreshes the token: https://success.salesforce.com/ideaView?id=0873A000000CXzjQAG and would like to run it past you to gather some more feedback before mobilizing the community. (The idea's about the custom Apex-based Auth. Provider but I trust the same limitation applies to the standard ones too.)
Currently, the solution we have is more a workaround using an old-school VF page-based OAuth dance + custom settings instead of a proper Auth. Provider + Named Credential. It has a few drawbacks, too, that I don't really like for the purpose.
Would be really happy to know your opinion on a case like this and if there's perhaps something like that on the roadmap.
Thank you!
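As an added illustration (not code from the original post, and not Salesforce's Auth. Provider implementation), here is a small Python model of what the idea asks for: a callout wrapper whose set of "token expired" status codes is configurable, with a bound on refreshes so that a 403 which is a genuine authorization denial does not turn into a refresh loop. The `FakeApi`, `TokenClient` and `simulate` names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass
class FakeApi:
    """Constructed stand-in for a partner API protected by an OAuth access token."""
    expiry_status: int = 401      # what the partner returns for an expired token (401 or 403)
    forbid_all: bool = False      # simulate a real authorization denial, not expiry
    valid_token: str = "tok-0"
    refresh_count: int = 0

    def call(self, token: str) -> Tuple[int, str]:
        if self.forbid_all:
            return 403, "forbidden"
        if token == self.valid_token:
            return 200, "ok"
        return self.expiry_status, "token expired"

    def refresh(self) -> str:
        # Token endpoint: issue a fresh access token and count the round trip
        self.refresh_count += 1
        self.valid_token = f"tok-{self.refresh_count}"
        return self.valid_token


class TokenClient:
    """Callout wrapper; `refresh_on` is the configurable set of statuses that trigger a refresh."""

    def __init__(self, api: FakeApi, refresh_on: Iterable[int] = (401,)):
        self.api = api
        self.refresh_on = set(refresh_on)
        self.token = api.valid_token

    def callout(self, max_refresh: int = 1) -> Tuple[int, str]:
        refreshes = 0
        while True:
            status, body = self.api.call(self.token)
            if status not in self.refresh_on or refreshes >= max_refresh:
                return status, body
            # Refresh once and retry; the bound keeps a genuine 403 from looping forever
            refreshes += 1
            self.token = self.api.refresh()


def simulate(expiry_status: int, refresh_on: Iterable[int], forbid_all: bool = False) -> Tuple[int, int]:
    """Return (final status seen by the caller, number of token refreshes performed)."""
    api = FakeApi(expiry_status=expiry_status, forbid_all=forbid_all)
    client = TokenClient(api, refresh_on)
    api.valid_token = "tok-expired-server-side"   # the server has since expired our token
    status, _ = client.callout()
    return status, api.refresh_count
```

`simulate(403, {401})` reproduces the behaviour described in the post (the 403 is passed through and no refresh happens), while `simulate(403, {401, 403})` shows the configurable variant recovering with a single refresh.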