Connected App - avoiding a limit on a number of issued tokens + token expiration

I see you've discovered most of this for yourself, but I had this drafted, so I thought I'd post it also, in case it fills in any gaps.

From the docs on connected apps:

An application may be listed more than once. Each time you grant access to an application, it obtains a new access token. Requests for refresh tokens increase the Use Count displayed for the application. You must grant access to your Salesforce data from each device that you use, for example, from both a laptop and a desktop computer. The default limit is five access tokens for each application. Newer applications (using the OAuth 2.0 protocol) are automatically approved for additional devices after you've granted access once. OAuth 2.0 applications can be listed more than once. Each row in the table represents a unique grant, so if an application requests multiple tokens with different scopes, you’ll see the same application multiple times.

A given user may only have 5 access tokens authorized for a given connected app. Since each refresh token can potentially issue an access token, they are counted in that total. The way to think about this is that only the most recent 5 authorizations are valid. When the user goes through login the sixth time, the oldest authorization is invalidated and that refresh token will no longer work.

How do you manage this? Don't ask for a refresh token if you're not going to use it. Don't use the same connected app for interactive and 'batch' operations. If you want to keep a refresh token around, then create a connected app for that purpose, and use a different one for login.

Finally, consider using the JWT Bearer Token flow rather than holding on to a refresh token obtained interactively. It will give you much more predictable behavior.
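The JWT Bearer flow recommended above, as an added example (not part of this answer, and not Salesforce's or any library's code). It assembles the assertion Salesforce expects (`iss` = the connected app's consumer key, `sub` = the Salesforce username, `aud` = the login endpoint, a short `exp`) and the token request that carries it. Assumptions: the consumer key and username are placeholders, a 180-second lifetime is chosen here, and the RSA key is a toy key generated in-process in place of the certificate and private key you would register on the connected app. The RS256 signing is hand-rolled on the standard library so the block runs anywhere; it is not hardened, and production code should use a maintained JWT and crypto library. No request is sent; the POST is only constructed.

```python
"""Salesforce JWT Bearer assertion, built with the standard library only.
Illustrative code with toy RSA; consumer key and username are placeholders."""
import base64
import hashlib
import json
import math
import random
import time

_rng = random.SystemRandom()
# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 1024):
    """Toy key (n, e, d): enough for a demo, too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(message) to k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(message: bytes, key) -> bytes:
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(message: bytes, sig: bytes, key) -> bool:
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(message, k)


def build_assertion(consumer_key, username, audience, key, now=None, lifetime=180):
    """header.claims.signature; the 180 s lifetime is an assumed short expiry."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "RS256"}, separators=(",", ":")).encode()
    claims = json.dumps({"iss": consumer_key, "sub": username, "aud": audience,
                         "exp": now + lifetime}, separators=(",", ":")).encode()
    signing_input = f"{b64url(header)}.{b64url(claims)}"
    return f"{signing_input}.{b64url(rs256_sign(signing_input.encode(), key))}"


def verify_assertion(assertion: str, key) -> bool:
    head, body, sig = assertion.split(".")
    return rs256_verify(f"{head}.{body}".encode(), b64url_decode(sig), key)


def decode_claims(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[1]))


def token_request(assertion: str, instance="https://login.salesforce.com") -> dict:
    """The POST the client would send (not sent here). The response carries an
    access_token and no refresh token, so nothing accumulates in the grant list."""
    return {"url": f"{instance}/services/oauth2/token",
            "data": {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}}


if __name__ == "__main__":
    key = generate_rsa_key()
    jwt = build_assertion("CONSUMER_KEY_PLACEHOLDER", "integration.user@example.com",
                          "https://login.salesforce.com", key)
    print(verify_assertion(jwt, key), token_request(jwt))
```

Because each call yields a fresh access token directly, there is no interactive grant to keep around and nothing to fall out of the five-grant window; the private key becomes the long-lived secret to protect instead of a refresh token.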


https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_request_manage.htm

An application may be listed more than once. Each time you grant access to an application, it obtains a new access token. Requests for refresh tokens increase the Use Count displayed for the application. You must grant access to your Salesforce data from each device that you use, for example, from both a laptop and a desktop computer. The default limit is five access tokens for each application. Newer applications (using the OAuth 2.0 protocol) are automatically approved for additional devices after you've granted access once. OAuth 2.0 applications can be listed more than once. Each row in the table represents a unique grant, so if an application requests multiple tokens with different scopes, you’ll see the same application multiple times.

Even if the connected app tried and failed to access your information because it could not login, the Use Count and Last Used fields are still updated.

It appears that SFDC treats every individual "sign in" as a new device requesting OAuth access via your Connected App. The example they provided about needing to grant access on a laptop and desktop is very misleading because it has absolutely nothing to do with "devices" at all! SFDC merely remembers the last 5 OAuth granted tokens at any given time. (Revoking doesn't help either)

For example, if a user signs in and grants your Connected App access on a desktop website and then later signs in using a mobile app, that user will have used up 2 of the 5 devices. If that user simply signs out of either the mobile app or website and signs in again, they will have used 3 of the 5. If the user repeats this sign-in process 2 more times, then the first device that was granted access will be revoked. If your app had stored the refresh token only from that first sign-in and never from the subsequent sign-ins, then your app's token will be invalid and it will be unable to communicate with SFDC.
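The sliding window of five grants described in both answers above, as an added model (not Salesforce code and not from either poster). The window size and the "oldest grant is invalidated" rule are taken from the text; the registry, token values, and the user and app names are made up. It replays the desktop/mobile scenario and also the mitigation from the first answer, a separate connected app for the long-lived refresh token.

```python
"""Toy model of the per-user, per-connected-app window of five OAuth grants.
Illustrative only; the registry, tokens and names here are made up."""
from collections import OrderedDict, defaultdict
import secrets

DEFAULT_GRANT_LIMIT = 5  # "The default limit is five access tokens for each application"


class GrantRegistry:
    """Keeps the most recent `limit` refresh-token grants for each
    (user, connected app) pair; issuing one more evicts the oldest."""

    def __init__(self, limit=DEFAULT_GRANT_LIMIT):
        self.limit = limit
        self._grants = defaultdict(OrderedDict)  # (user, app) -> {token: label}
        self.revoked = []                        # [(token, label)] in eviction order

    def sign_in(self, user, app, label):
        """An interactive login requesting refresh_token scope. There is no
        notion of 'device' here: every login is simply a new grant."""
        grants = self._grants[(user, app)]
        token = secrets.token_hex(8)             # stand-in for the refresh token
        grants[token] = label
        if len(grants) > self.limit:
            self.revoked.append(grants.popitem(last=False))
        return token

    def is_valid(self, user, app, token):
        return token in self._grants[(user, app)]


def replay_single_app():
    """Desktop login, mobile login, then repeated sign-out/sign-in on the
    mobile app while the server only ever stored the first token.
    Returns (first token valid after 5 grants, after 6 grants, evicted label)."""
    reg = GrantRegistry()
    first = reg.sign_in("alice", "LoginApp", "desktop web")
    reg.sign_in("alice", "LoginApp", "mobile app")
    for _ in range(3):                           # grants 3, 4 and 5
        reg.sign_in("alice", "LoginApp", "mobile app (re-login)")
    valid_after_five = reg.is_valid("alice", "LoginApp", first)
    reg.sign_in("alice", "LoginApp", "mobile app (re-login)")  # grant 6 evicts grant 1
    valid_after_six = reg.is_valid("alice", "LoginApp", first)
    return valid_after_five, valid_after_six, reg.revoked[0][1]


def replay_separate_apps():
    """Mitigation: a dedicated connected app holds the 'batch' refresh token,
    so interactive logins against a different app cannot push it out."""
    reg = GrantRegistry()
    batch = reg.sign_in("alice", "BatchApp", "scheduled job")
    for _ in range(20):                          # far more than five logins
        reg.sign_in("alice", "LoginApp", "interactive login")
    return reg.is_valid("alice", "BatchApp", batch)


if __name__ == "__main__":
    print(replay_single_app())     # (True, False, 'desktop web')
    print(replay_separate_apps())  # True
```

The practical reading: an app that persists only the first refresh token it ever saw is one sign-in away from failure once the user reaches the sixth login, regardless of how many physical devices were involved. Storing the newest refresh token on every login, or isolating the batch token in its own connected app, keeps it inside the window.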