If a Salesforce content, Visualforce, or Lightning page doesn’t load, you can use a new child_session parameter in the Salesforce OpenID Connect token introspection endpoint to discover its session status. For example, a page with a status of inactive (an expired session) or missing (a non-existent session) no longer has an authorized session, so the user must log back in to the Salesforce org.
Where: This change applies to Lightning Experience and Salesforce Classic in all editions.
Why: OAuth supports the extension of access tokens as a bridge to other authorization frameworks. In Salesforce, this extension is implemented when users access Salesforce content, Visualforce, and Lightning pages after successfully logging in to a Salesforce org. These pages launch as child sessions, using the org’s authenticated session as a bridge. However, if the child sessions don’t have a current access token from the org’s session, they fail to launch.
How: Include the new child_sessions parameter in POST requests to the Salesforce OpenID Connect token introspection endpoint. You can only include this parameter for introspection of active org sessions. It doesn’t work with introspection of refresh tokens.