This content describes an older version of this product.

Manage OAuth Access Policies for a Connected App

Configure OAuth access policies for OAuth-enabled connected apps. These policies include defining which users can access a connected app, what IP restrictions apply to the connected app, and how long a refresh token is valid for.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

Connected Apps can be installed in: All Editions


User Permissions Needed
To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
To install and uninstall packaged connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps, AND Download AppExchange Packages

  1. From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
  2. Click Edit next to the connected app that you are configuring access for.
  3. Under OAuth Policies, click the Permitted Users dropdown menu and select one of the following options.
    • All users may self-authorize—Default. Allows all users in the org to authorize the app after successfully signing in. Users must approve the app the first time they access it.
    • Admin approved users are pre-authorized—Allows only users with the associated profile or permission set to access the app without first authorizing it. After selecting this option, manage profiles for the app by editing each profile’s Connected App Access list. Or manage permission sets for the app by editing each permission set’s Assigned Connected App list.

      Note

      In a Group Edition org, you can’t manage individual user access with profiles. However, you can manage all users’ access when you edit a connected app’s OAuth settings.

      Warning

      If you switch from All users may self-authorize to Admin approved users are pre-authorized, anyone using the app loses access, unless a user’s permission authorizes the connected app specifically. In addition, if users have the Use Any API Client permission, they can access any connected app—even if its Permitted Users setting is set to Admin approved users are pre-authorized. Be careful when using the Use Any API Client permission. As the name implies, you’re giving up your control over authorization.

  4. Click the IP Relaxation dropdown menu, and select one of the following options to determine whether a user’s access to the app is restricted by IP ranges.
    • Enforce IP restrictions—Default. Enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile.
    • Enforce IP restrictions, but relax for refresh tokens—Enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile. However, this option bypasses these restrictions when the connected app uses refresh tokens to get access tokens.
    • Relax IP restrictions for activated devices—Allows a user running the app to bypass the org’s IP restrictions when either of these conditions is true.
      • The app has a whitelist of IP ranges and is using the web server authentication flow. Only requests coming from the whitelisted IPs are allowed.
      • The app doesn’t have an IP-range whitelist, but it uses the web server authentication flow, and the user successfully completes identity verification if accessing Salesforce from a new browser or device.
    • Relax IP restrictions—Allows a user to run this app without org IP restrictions.

    Note

    If you relax IP restrictions for your connected app and your org has Enforce login IP ranges on every request enabled, the access to your connected app can change. See Connected App IP Relaxation and Continuous IP Enforcement. Also, IP restrictions are enforced only if they are configured on a user’s profile. The SAML bearer assertion and JWT bearer token flows always enforce IP restrictions regardless of the connected app policy.

  5. Select Enable Single Logout to automatically log users out of the connected app service provider when they log out of Salesforce.
  6. If you selected Enable Single Logout, enter a single logout URL. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL starting with https://.
  7. Select a Refresh Token Policy to determine how long a refresh token is valid for.
    If refresh tokens are provided, users can continue to access the OAuth-enabled connected app without having to reauthorize when the access token expires (defined by the session timeout value). The connected app exchanges the refresh token for an access token to start a new session. The Refresh Token policy is evaluated only when the issued refresh token is used and doesn’t affect a user’s current session. Refresh tokens are required only when a user’s session has expired or isn’t available.
    For example, you set a refresh token policy to expire the token after 1 hour. If a user uses the app for 2 hours, the user isn’t forced to reauthenticate after 1 hour. However, the user is required to authenticate again when the session expires and the client attempts to exchange its refresh token for a new session.
    • Refresh token is valid until revoked—Default. The refresh token is used indefinitely, unless revoked by the user or Salesforce admin.

      Revoke tokens on a user’s detail page under OAuth Connected Apps or on the OAuth Connected Apps Usage Setup page.

    • Immediately expire refresh token—The refresh token is invalid immediately. The user can use the current session (access token) already issued, but can’t obtain a new session when the access token expires.
    • Expire refresh token if not used for n—The refresh token is valid as long as it’s been used within the specified amount of time. For example, if set to seven days, and the refresh token isn’t exchanged for a new session within seven days, the next attempt to use the token fails. The expired token can’t generate new sessions. If the refresh token is exchanged within seven days, the token is valid for another seven days. The monitoring period of inactivity also resets.
    • Expire refresh token after n—The refresh token is valid for a fixed amount of time. For example, if the policy states one day, the user can obtain new sessions only for 24 hours.
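The IP Relaxation options in step 4 interact with the user's profile login IP ranges, the OAuth flow in use, and the connected app's own IP range list. The following decision model is an added example, not Salesforce's implementation or any code from this documentation: it encodes the rules exactly as stated above (restrictions exist only when the profile has login IP ranges; the refresh-token and web-server-flow exceptions; SAML bearer assertion and JWT bearer token flows always enforce) so they can be exercised against constructed requests. The class and function names, the flow labels and the sample CIDR ranges are assumptions made here, and cases the text does not spell out (for example a refresh-token exchange under Relax IP restrictions for activated devices) fall back to the org's normal enforcement in this model.

```python
"""Decision model for the connected-app IP Relaxation options (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# The four options in the IP Relaxation dropdown.
ENFORCE = "Enforce IP restrictions"
RELAX_FOR_REFRESH = "Enforce IP restrictions, but relax for refresh tokens"
RELAX_FOR_ACTIVATED = "Relax IP restrictions for activated devices"
RELAX = "Relax IP restrictions"

# Flow labels used by this model (assumed names, not Salesforce identifiers).
WEB_SERVER, REFRESH_TOKEN, JWT_BEARER, SAML_BEARER = (
    "web_server", "refresh_token", "jwt_bearer", "saml_bearer")


@dataclass
class Policy:
    ip_relaxation: str
    profile_login_ranges: List[str]                  # login IP ranges on the user's profile; [] = none
    app_ip_ranges: List[str] = field(default_factory=list)  # the connected app's own IP range list


@dataclass
class Request:
    client_ip: str
    flow: str
    device_activated: bool = False   # user completed identity verification on this browser/device


def in_ranges(ip: str, ranges: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in ranges)


def ip_allowed(policy: Policy, req: Request) -> bool:
    """Return True if the request passes the IP check under this policy."""
    # IP restrictions are enforced only if the user's profile has login IP ranges.
    if not policy.profile_login_ranges:
        return True
    profile_ok = in_ranges(req.client_ip, policy.profile_login_ranges)

    # SAML bearer assertion and JWT bearer token flows always enforce the
    # org's restrictions, regardless of the connected app policy.
    if req.flow in (JWT_BEARER, SAML_BEARER):
        return profile_ok

    if policy.ip_relaxation == ENFORCE:
        return profile_ok
    if policy.ip_relaxation == RELAX_FOR_REFRESH:
        # Only the refresh-token exchange bypasses the org restrictions.
        return req.flow == REFRESH_TOKEN or profile_ok
    if policy.ip_relaxation == RELAX_FOR_ACTIVATED:
        if req.flow != WEB_SERVER:
            return profile_ok                      # neither condition applies (model assumption)
        if policy.app_ip_ranges:
            # App has its own range list: only requests from those IPs are allowed.
            return in_ranges(req.client_ip, policy.app_ip_ranges)
        # No app range list: bypass once the device has been verified.
        return req.device_activated or profile_ok
    if policy.ip_relaxation == RELAX:
        return True
    raise ValueError(f"unknown IP Relaxation option: {policy.ip_relaxation!r}")


if __name__ == "__main__":
    # Constructed sample: profile restricted to 10.0.0.0/8, request from outside it.
    outside = "203.0.113.5"
    for option in (ENFORCE, RELAX_FOR_REFRESH, RELAX_FOR_ACTIVATED, RELAX):
        pol = Policy(option, ["10.0.0.0/8"])
        for flow in (WEB_SERVER, REFRESH_TOKEN, JWT_BEARER):
            print(f"{option:55s} {flow:14s} -> {ip_allowed(pol, Request(outside, flow))}")
```

Running the block prints, for each option, whether a web server, refresh token or JWT bearer request from outside the profile's range gets through; the JWT column stays False for every option, which is the caveat from the note under step 4.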
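The four Refresh Token Policy options in step 7 are easiest to compare on a timeline. The model below is an added example, not Salesforce code: it encodes the rules as the text states them (the policy is consulted only when the client presents the refresh token, an inactivity policy slides with each successful exchange, a fixed policy counts from issue) and replays constructed activity timelines, including the two-hour example given above. The names, the session-timeout model, the reference time and the sample timelines are assumptions made here.

```python
"""Model of the connected-app Refresh Token Policy options (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

UNTIL_REVOKED = "Refresh token is valid until revoked"
IMMEDIATE = "Immediately expire refresh token"
INACTIVITY = "Expire refresh token if not used for n"
FIXED = "Expire refresh token after n"

MINUTE, HOUR, DAY = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
T0 = datetime(2020, 1, 1)   # constructed reference time for the scenarios


@dataclass
class RefreshToken:
    issued_at: datetime
    last_used_at: datetime    # issue time starts the inactivity window (model assumption)
    revoked: bool = False     # revoked by the user or a Salesforce admin


def refresh_token_valid(policy: str, token: RefreshToken, now: datetime,
                        n: Optional[timedelta] = None) -> bool:
    """Evaluate the policy at the moment the client presents the refresh token."""
    if token.revoked:
        return False
    if policy == UNTIL_REVOKED:
        return True
    if policy == IMMEDIATE:
        return False
    if policy == INACTIVITY:
        return now - token.last_used_at <= n    # sliding window since last exchange
    if policy == FIXED:
        return now - token.issued_at <= n       # fixed lifetime counted from issue
    raise ValueError(f"unknown Refresh Token Policy: {policy!r}")


def exchange(policy: str, token: RefreshToken, now: datetime,
             n: Optional[timedelta] = None) -> bool:
    """Exchange the refresh token for a new session. A successful exchange
    resets the inactivity clock; an expired token cannot create a session."""
    if not refresh_token_valid(policy, token, now, n):
        return False
    token.last_used_at = now
    return True


def simulate(policy: str, n: Optional[timedelta], session_timeout: timedelta,
             activity_minutes: List[int]) -> List[Tuple[int, str]]:
    """Replay user activity (minutes after T0). While the session is alive the
    policy is never consulted; once the session has timed out, the client must
    exchange its refresh token and only then does the policy decide. Returns
    the outcome of every exchange attempt."""
    token = RefreshToken(issued_at=T0, last_used_at=T0)
    session_expires = T0 + session_timeout
    outcomes: List[Tuple[int, str]] = []
    for minute in activity_minutes:
        now = T0 + minute * MINUTE
        if now <= session_expires:
            session_expires = now + session_timeout   # activity keeps the session alive
            continue
        if exchange(policy, token, now, n):
            outcomes.append((minute, "refresh_ok"))
        else:
            outcomes.append((minute, "reauth_required"))
            token = RefreshToken(issued_at=now, last_used_at=now)  # user signs in again
        session_expires = now + session_timeout
    return outcomes


if __name__ == "__main__":
    # The page's example: 1-hour fixed policy, continuous use for 2 hours, then a gap.
    steady_use = list(range(0, 121, 10)) + [180]
    print("fixed 1h, used 2h straight:", simulate(FIXED, 1 * HOUR, 30 * MINUTE, steady_use))
    # Inactivity vs fixed on the same sparse timeline (60-minute n, 30-minute session).
    sparse = [0, 50, 100, 200]
    for pol in (UNTIL_REVOKED, IMMEDIATE, INACTIVITY, FIXED):
        print(f"{pol:42s}", simulate(pol, 60 * MINUTE, 30 * MINUTE, sparse))
```

In the first scenario no reauthentication happens at the one-hour mark even though the fixed policy has expired the token; it is only demanded at minute 180, when the session has timed out and the exchange fails. On the sparse timeline the inactivity policy survives every gap of 50 minutes and fails only after the 100-minute gap, while the fixed policy fails at minute 100 because more than 60 minutes have passed since issue.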
If your connected app is a canvas app that uses signed request authentication:
  • Set Permitted Users to Admin-approved users are pre-authorized.
  • Set Expire Refresh Tokens to Immediately expire refresh token.
  • Give users access via profiles and permission sets.