Enable OAuth Settings for API Integration
You can use a connected app to request access to Salesforce data on the behalf of an
external application. For a connected app to request access, it must be integrated with the
Salesforce API using the OAuth 2.0 protocol. OAuth 2.0 is an open protocol that authorizes
secure data sharing between applications through the exchange of tokens. When developers or
independent software vendors (ISV) want to integrate their app with Salesforce, they use OAuth
APIs. These OAuth APIs enable a user to work in one app but see the data from
another.
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| Connected Apps can be installed in: All Editions |
| Task | User Permissions Needed |
|---|---|
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data AND Manage Profiles and Permission Sets |
| To install and uninstall connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To install and uninstall packaged connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps AND Download AppExchange Packages |
- Create your connected app, and complete its basic information.
- In the API (Enable OAuth Settings) area of the page, select Enable OAuth Settings.
- If you’re setting up a connected app for an external application on a device with limited input or display capabilities, such as TVs, appliances, or command-line applications, select Enable for Device Flow. A callback URL isn’t used in the device flow; when this flow is enabled, the callback URL defaults to a placeholder. You can still specify a callback URL if needed, for example when the same client is also used for a different flow.
- Enter the callback URL (endpoint) that Salesforce calls back to your application during OAuth. It’s the same as the OAuth redirect URI.
  - Depending on which OAuth flow you use, the URL is typically the one that a user’s browser is redirected to after successful authorization.
  - Because some OAuth flows use this URL to pass an access token, it must use secure HTTPS or a custom URI scheme.
  - If you enter multiple callback URLs, at run time Salesforce matches the callback URL value sent by the app against the values in Callback URL. The request fails validation unless it matches one of them. Separate multiple callback URLs with line breaks.
  - The Callback URL field has a cumulative limit of 2000 characters. If your URLs exceed this limit, create another connected app to hold the additional callback URLs.
- If you’re using the JWT OAuth flow, select Use Digital Signatures. If the app uses a certificate, click Choose File and select the certificate on your system to upload. Salesforce verifies the signature on the app’s JWT assertion against this certificate, so the app must sign with the matching private key.
- Select the OAuth scopes to apply to the connected app. OAuth scopes define the permissions granted to the connected app, as tokens, after the app is authorized. The OAuth token name is in parentheses.

  | Value | Description |
  |---|---|
  | Access and manage your Chatter feed (chatter_api) | Allows access to Chatter REST API resources only. |
  | Access and manage your data (api) | Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API. This value also includes chatter_api, which allows access to Chatter REST API resources. |
  | Access your basic information (id, profile, email, address, phone) | Allows access to the identity URL service. You can request profile, email, address, or phone individually to get the same result as using id; they are all synonymous. |
  | Access custom permissions (custom_permissions) | Allows access to the custom permissions in an organization associated with the connected app, and shows whether the current user has each permission enabled. |
  | Allow access to your unique identifier (openid) | Allows access to the current, logged-in user’s unique identifier for OpenID Connect apps. In the OAuth 2.0 user-agent flow and the OAuth 2.0 web server flow, use the openid scope to receive a signed ID token that conforms to the OpenID Connect specifications in addition to the access token. |
  | Full access (full) | Allows access to all data accessible by the logged-in user, and encompasses all other scopes. full does not return a refresh token; you must explicitly request the refresh_token scope to get one. |
  | Perform requests on your behalf at any time (refresh_token, offline_access) | If the app is eligible to receive a refresh token, allows one to be returned. This scope lets the app interact with the user’s data while the user is offline. The refresh_token scope is synonymous with offline_access. |
  | Provide access to custom applications (visualforce) | Allows access to customer-created Visualforce pages. Doesn’t allow access to standard Salesforce UIs. |
  | Provide access to your data via the Web (web) | Allows use of the access_token on the web, and includes visualforce, allowing access to customer-created Visualforce pages. |
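Added example covering the callback URL step and the scope table above; it is not from this page or from Salesforce. The Go program applies the Callback URL field rules (line-break separated list, 2000-character cumulative limit, https or a custom scheme) and performs the run-time match; expands a scope request using the inclusions the table states (api includes chatter_api, web includes visualforce, full includes everything except refresh_token, offline_access is a synonym for refresh_token, and profile/email/address/phone for id); and assembles a web server flow authorization request that refuses an unregistered redirect_uri. Reading “must match one of the values” as exact string equality is this example’s assumption; the hostnames, consumer key, and state value are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// maxCallbackChars is the cumulative limit of the Callback URL field.
const maxCallbackChars = 2000

// ParseCallbackList splits the Callback URL field (one entry per line break) and
// applies its rules: cumulative length limit, absolute URLs, https or a custom
// scheme. Plain http is rejected because some flows deliver the access token here.
func ParseCallbackList(field string) ([]string, error) {
	if len(field) > maxCallbackChars {
		return nil, fmt.Errorf("callback field is %d chars; limit is %d", len(field), maxCallbackChars)
	}
	var out []string
	for _, line := range strings.Fields(field) { // URLs contain no whitespace
		u, err := url.Parse(line)
		if err != nil || u.Scheme == "" || u.Scheme == "http" {
			return nil, fmt.Errorf("%q: callback must be an absolute https or custom-scheme URL", line)
		}
		out = append(out, line)
	}
	return out, nil
}

// MatchCallback is the run-time check: the redirect_uri the client sends must
// equal one registered value. Exact equality (this example's reading of "must
// match") rules out prefix or host-only matches that would let a token reach
// an unregistered path on a legitimate host.
func MatchCallback(registered []string, redirectURI string) bool {
	for _, r := range registered {
		if r == redirectURI {
			return true
		}
	}
	return false
}

// Inclusions and synonyms from the scope table. full covers every other scope
// except refresh_token, which must be requested by name.
var implied = map[string][]string{
	"api":  {"chatter_api"},
	"web":  {"visualforce"},
	"full": {"api", "id", "custom_permissions", "openid", "web"},
}
var synonym = map[string]string{"profile": "id", "email": "id", "address": "id", "phone": "id", "offline_access": "refresh_token"}

// EffectiveScopes expands a request into the set of scopes it actually grants.
func EffectiveScopes(requested []string) map[string]bool {
	set := map[string]bool{}
	var walk func(string)
	walk = func(s string) {
		if c, ok := synonym[s]; ok {
			s = c
		}
		if set[s] {
			return
		}
		set[s] = true
		for _, child := range implied[s] {
			walk(child)
		}
	}
	for _, s := range requested {
		walk(s)
	}
	return set
}

// AuthorizeURL assembles the web server flow request (response_type=code) and
// refuses an unregistered redirect_uri instead of sending a request that would
// fail callback validation.
func AuthorizeURL(loginHost, clientID, redirectURI string, registered, scopes []string, state string) (string, error) {
	if !MatchCallback(registered, redirectURI) {
		return "", errors.New("redirect_uri is not a registered callback URL")
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return loginHost + "/services/oauth2/authorize?" + q.Encode(), nil
}

func main() {
	// Constructed field contents; consumer key and state are placeholders.
	reg, err := ParseCallbackList("https://app.example.com/oauth/cb\nmyapp://callback\n")
	fmt.Println(reg, err, "full grants refresh token:", EffectiveScopes([]string{"full"})["refresh_token"])
	fmt.Println(AuthorizeURL("https://login.salesforce.com", "CONSUMER_KEY_PLACEHOLDER",
		"https://app.example.com/oauth/cb", reg, []string{"api", "refresh_token"}, "STATE_PLACEHOLDER"))
}
```

The two points worth checking in your own integration are visible in the output: a request for `full` alone never yields a refresh token, and an authorization request is only built for a redirect_uri that equals a registered entry character for character.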
- Select Require Secret for the Web Server Flow to require the app’s client secret when it exchanges an authorization code for an access token. Enable it for confidential clients that can keep a secret; a public client, such as a native mobile app, can’t protect one.
- To authorize a single connected app to introspect all access and refresh tokens in the entire org, select Introspect all tokens. By default, each connected app can introspect only its own tokens. In addition, an OAuth client that registers OAuth 2.0 connected apps directly through the dynamic client registration endpoint can check the tokens for itself and for the apps it registered. See OpenID Connect Token Introspection.
- To control how the OAuth request handles the ID token, select Configure ID token.
  - If the OAuth request includes the Allow access to your unique identifier (openid) scope, the returned token can include the ID token. The ID token is always included in access token responses.
  - With the primary ID token setting enabled, configure the secondary settings that control the ID token contents in both access and refresh token responses:

  | Setting | Description |
  |---|---|
  | Token Valid for | The length of time that the ID token is valid after it’s issued, from 1 to 720 minutes. The default is 2 minutes. |
  | ID Token Audiences | The intended consumers of the ID token: for example, the target service where you use the ID token, such as https://your_service.com. |
  | Include Standard Claims | Include the standard claims that contain information about the user, such as the user’s name, profile, phone number, and address. The OpenID Connect specifications define a set of standard claims to be returned in the ID token. |
  | Include Custom Attributes | If your app has specified custom attributes, include them in the ID token. |
  | Include Custom Permissions | If your app has specified custom permissions, include them in the ID token. |
- If you’re setting up the app to issue asset tokens for connected devices, select Enable Asset Tokens, and then:
  - Specify these settings.

  | Setting | Description |
  |---|---|
  | Token Valid for | The length of time that the asset token is valid after it’s issued. |
  | Asset Signing Certificate | The self-signed certificate that you’ve already created for signing asset tokens. |
  | Asset Audiences | The intended consumers of the asset token: for example, the back-end service for your connected device, such as https://your_device_backend.com. |
  | Include Custom Attributes | If your app has specified custom attributes, include them in the asset token. |
  | Include Custom Permissions | If your app has specified custom permissions, include them in the asset token. |

  - Make sure to specify the callback URL (endpoint), for example https://your_device_backend.com/callback.
  - Select these OAuth scopes, which are required for asset tokens: Access and manage your data (api), and Allow access to your unique identifier (openid).
- To automatically log users out of the connected app service provider when they log out of Salesforce, select Enable Single Logout.
- If you selected Enable Single Logout, enter a single logout URL. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL starting with https://.
- If your org had the No user approval required for users in this organization option selected on your remote access before the Spring ’12 release, users in the org are approved for the app, and this option is selected to indicate the approval. If the remote access option wasn’t originally selected, the option doesn’t show up. For connected apps, after you’ve created an app, we recommend that admins install the app and then set Permitted Users to Admin-approved users are pre-authorized on the app’s Edit Policies page.
- When you’ve configured all settings for your connected app, click Save.