Configure Advanced Authentication Flows

The standard External Client App (ECA) setup for Tableau Next embedding uses the Authorization Code and Credentials Flow. If your app requires non-interactive, server-to-server authentication or certificate-based user authorization, you can configure other OAuth flows using the Salesforce External Client App Manager.

User Permissions Needed
To view Salesforce Setup: View Setup and Configuration
To manage External Client Apps in Salesforce Setup: Create, edit, and delete External Client Apps
To assign permission sets: Assign Permission Sets

This flow assumes you've created your ECA in Tableau Next and are now editing it for more options.

  1. From the Salesforce Setup page, enter External in the Quick Find box, and then select External Client App Manager.

  2. For your existing ECA, in the dropdown menu, select Edit Settings.

  3. Open the OAuth Settings section.

  4. For OAuth Scopes, select the scopes you need for your flow.

  5. In the Flow Enablement section, select the appropriate flow for your web app.

    • The Client Credentials Flow only works with the Manage user data via APIs (api), Access Lightning applications (lightning), or Manage user data via Web browsers (web) OAuth Scopes.
    • If you select JWT Bearer Flow, upload a valid public certificate file. Additional setup is needed. See the steps below.
  6. For Security, select Require secret for Refresh Token and any other options you need.

  7. Save your changes.

If you’re generating an access token, on the Settings tab, click Consumer Key and Secret to copy and save the values. You need the consumer key value for the client_id and the consumer secret value for the client_secret.

To use the JWT Bearer authentication flow, after you create your ECA, you must follow these steps.

  1. In Salesforce Setup, enter Permission Sets in the Quick Find box, and then select Permission Sets.
  2. Find the Tableau Next Consumer permission set and click Clone.
  3. Enter a label and API name. For example, set the label to Tableau Next Consumer JWT and the API name to TableauUserJWT.
  4. Save the customized permission set.
  1. In Salesforce Setup, enter External in the Quick Find box, and then select External Client App Manager.

  2. To edit your ECA, select it from the list of apps.

  3. Click Edit.

  4. In the OAuth Policies section, update the Permitted Users value to Admin approved users are pre-authorized.

  5. In the App Policies section, add the custom permission set to the Selected Permission Sets list.

  6. Save and close.

For your users that are viewing embedded Tableau Next assets in your web app, assign the custom permission set in place of the standard Tableau Next Consumer permission set. This adds users for pre-authorization. For more information on assigning permission sets to users, see Assign Tableau Next User Permissions.