ExtlClntAppOauthConfigurablePolicies

Represents the policies configured by the admin for an OAuth-enabled external client app.

Parent Type

This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

ExtlClntAppOauthConfigurablePolicies components have the suffix .ecaOauthPlcy and are stored in the extlClntAppOauthPolicies folder.

Version

ExtlClntAppOauthConfigurablePolicies components are available in API version 59.0 and later.

Special Access Rules

The "View all External Client Apps, view their settings, and edit their policies" user permission is required for users with admin roles to configure OAuth policies.

Fields

Field Name Description
apexHandler
Field Type
string
Description
Name of the Apex handler. Available in API version 61.0 and later.
clientCredentialsFlowUser
Field Type
string
Description
The execution user for the OAuth 2.0 client credentials flow. Salesforce returns access tokens on behalf of this user. This user must have the API Only permission. Available in API version 60.0 and later.
commaSeparatedCustomScopes
Field Type
string
Description
Custom scope names in a comma-separated list. Available in API version 61.0 and later.
commaSeparatedPermissionSet
Field Type
string
Description
Permission set IDs in a comma-separated list. This field or commaSeparatedProfile is used when permittedUsersPolicyType is set to AdminApprovedPreAuthorized.
commaSeparatedProfile
Field Type
string
Description
Profiles in a comma-separated list. This field or commaSeparatedPermissionSet is used when permittedUsersPolicyType is set to AdminApprovedPreAuthorized.
customAttributes
Field Type
ExtlClntAppOauthPoliciesAttribute[]
Description
Unique attributes to be included as admin defaults. The maximum number accepted is 128. Each custom attribute must have a unique key and use an available field.
executeHandlerAs
Field Type
string
Description
Username of the Apex handler's execution user. Available in API version 61.0 and later.
externalClientApplication
Field Type
string
Description

Required.

The name of the external client app associated with this OAuth policies file.
guestJwtTimeout
Field Type
int
Description
If guestJwtSessionTimeoutType is set to Custom, this field defines the amount of time before a JWT-based access token issued to a guest user expires. Values are in minutes.

These values are available in API version 61.0 and later:

  • 1—1 Minute
  • 5—5 Minutes
  • 10—10 Minutes
  • 15—15 Minutes
  • 30—30 Minutes

These values are available in API version 65.0 and later:

  • 60—1 Hour
  • 90—90 Minutes
  • 120—2 Hours
  • 240—4 Hours
  • 480—8 Hours
  • 720—12 Hours

If guestJwtSessionTimeoutType is set to UserSession, omit this field.

guestJwtSessionTimeoutType
Field Type
JWTSessionTimeoutType (enumeration of type string)
Description
Specifies how the JWT-based access token timeout is defined for guest users. Valid values are:
  • UserSession—Salesforce uses the value from the sessionTimeout field in the ProfileSessionSetting type for the Experience Cloud guest user profile.

    If there's no profile session timeout for the user, Salesforce uses the sessionTimeout value from the SessionSettings type.

    If both are defined, Salesforce defaults to the profile session timeout.

  • Custom—Salesforce uses the value from the guestJwtTimeout field.

Available in API version 65.0 and later.

ipRelaxationPolicyType
Field Type
string
Description

The policy that determines IP restrictions.

Values are:

  • Enforce
  • Bypass
  • Bypass_2factor
  • Enforce_RelaxRefresh
isClientCredentialsFlowEnabled
Field Type
boolean
Description
If true, the client credentials flow is enabled. The default value is false. Available in API version 60.0 and later.
isGuestCodeCredFlowEnabled
Field Type
boolean
Description
If true, the external client app can use the guest user variation of the Authorization Code and Credentials Flow. To use this flow variation, the external client app must also be configured to issue JWT-based access tokens. The default value is false. Available in API version 61.0 and later.
isNamedUserJwtEnabled
Field Type
boolean
Description
Deprecated.
If true, the external client app issues JWT-based access tokens instead of opaque access tokens. If this field is available, it means that the isNamedUserJwtEnabled field in the ExtlClntAppGlobalOauthSettings type is set to true.
The default value is false.
isTokenExchangeFlowEnabled
Field Type
boolean
Description
If true, the token exchange flow is enabled. The default value is false. Available in API version 60.0 and later.
label
Field Type
string
Description
The OAuth policies name for the external client app.
namedUserJwtTimeout
Field Type
int
Description
If namedUserJwtSessionTimeoutType is set to Custom, this field defines the amount of time before a JWT-based access token issued to a named user expires. Values are in minutes.

These values are available in API version 61.0 and later:

  • 1—1 Minute
  • 5—5 Minutes
  • 10—10 Minutes
  • 15—15 Minutes
  • 30—30 Minutes

These values are available in API version 65.0 and later:

  • 60—1 Hour
  • 90—90 Minutes
  • 120—2 Hours
  • 240—4 Hours
  • 480—8 Hours
  • 720—12 Hours

If namedUserJwtSessionTimeoutType is set to UserSession, omit this field.

namedUserJwtSessionTimeoutType
Field Type
JWTSessionTimeoutType (enumeration of type string)
Description
Specifies how the JWT-based access token timeout is defined for named users. Valid values are:
  • UserSession—Salesforce uses the value from the sessionTimeout field in the ProfileSessionSetting type for the named user's profile.

    If there's no profile session timeout for the user, Salesforce uses the sessionTimeout value from the SessionSettings type.

    If both are defined, Salesforce defaults to the profile session timeout.

  • Custom—Salesforce uses the value from the namedUserJwtTimeout field.

Available in API version 65.0 and later.

permittedUsersPolicyType
Field Type
PermittedUsersPolicyType (enumeration of type string)
Description
The policy that determines which users are allowed in the external client app.

Values are:

  • AdminApprovedPreAuthorized
  • AllSelfAuthorized
policyAction
Field Type
PolicyAction (enumeration of type string)
Description
The action Salesforce takes when a user's session doesn't meet the level set in requiredSessionLevel. Use RaiseSessionLevel together with requiredSessionLevel to set the security posture: the user is prompted to raise the session level, for example by verifying their identity with two-factor authentication, when they log in to the external client app. Block denies access instead of raising the session level.

Values are:

  • Block
  • RaiseSessionLevel
refreshTokenPolicyType
Field Type
RefreshTokenPolicyType (enumeration of type string)
Description
The policy that determines how long a refresh token stays valid: until it's revoked (Infinite), never (Zero), for a period of inactivity (SpecificInactivity), or for a fixed lifetime (SpecificLifetime). The length of the period is set with refreshTokenValidityPeriod and refreshTokenValidityUnit.

Values are:

  • Infinite
  • SpecificInactivity
  • SpecificLifetime
  • Zero
refreshTokenValidityPeriod
Field Type
int
Description
The number of units of measure (see refreshTokenValidityUnit) that a refresh token stays valid when refreshTokenPolicyType is set to SpecificInactivity or SpecificLifetime.
refreshTokenValidityUnit
Field Type
string
Description
The unit of measure for refreshTokenValidityPeriod when refreshTokenPolicyType is set to SpecificInactivity or SpecificLifetime.

Values are:

  • Days
  • Hours
  • Months
requiredSessionLevel
Field Type
SessionSecurityLevel (enumeration of type string)
Description
Defines the security posture.

Values are:

  • HIGH_ASSURANCE
  • LOW
  • STANDARD
sessionTimeoutInMinutes
Field Type
int
Description
Length of time the external client app’s session lasts. This field applies only if the app issues opaque tokens.
singleLogoutUrl
Field Type
string
Description
URL where Salesforce sends a logout request when users log out of Salesforce.
startUrl
Field Type
string
Description
URL where users are directed after they authenticate.

ExtlClntAppOauthPoliciesAttribute

Represents admin-defined attributes that provide personal information to customize the external client app for a specific use case.

Field Name Description
formula
Field Type
string
Description

Required.

The existing field that includes the desired information. For example, Organization.Country.
key
Field Type
string
Description

Required.

A unique name for the attribute. For example, country.

Declarative Metadata Sample Definition

This example shows an ExtlClntAppOauthConfigurablePolicies component.

<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppOauthConfigurablePolicies xmlns="http://soap.sforce.com/2006/04/metadata">
    <externalClientApplication>myeca</externalClientApplication>
    <label>myecapolicy</label>
    <apexHandler>MyEcaOauthApexHandler</apexHandler>
    <executeHandlerAs>admin@example.org</executeHandlerAs>
    <refreshTokenPolicyType>SpecificLifetime</refreshTokenPolicyType>
    <refreshTokenValidityPeriod>1</refreshTokenValidityPeriod>
    <refreshTokenValidityUnit>Days</refreshTokenValidityUnit>
    <ipRelaxationPolicyType>Enforce</ipRelaxationPolicyType>
    <permittedUsersPolicyType>AdminApprovedPreAuthorized</permittedUsersPolicyType>
    <commaSeparatedPermissionSet>PermSetExample</commaSeparatedPermissionSet>
    <commaSeparatedCustomScopes>CustomScopeExample</commaSeparatedCustomScopes>
    <sessionTimeoutInMinutes>1</sessionTimeoutInMinutes>
    <requiredSessionLevel>HIGH_ASSURANCE</requiredSessionLevel>
    <policyAction>RaiseSessionLevel</policyAction>
    <singleLogoutUrl>https://www.example.com</singleLogoutUrl>
    <startUrl>https://www.example.com</startUrl>
    <guestJwtSessionTimeoutType>UserSession</guestJwtSessionTimeoutType>
    <namedUserJwtSessionTimeoutType>Custom</namedUserJwtSessionTimeoutType>
    <namedUserJwtTimeout>10</namedUserJwtTimeout>
</ExtlClntAppOauthConfigurablePolicies>
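An audit script for a retrieved policy file, added here as an example; it is not part of Salesforce's documentation or tooling. It parses an .ecaOauthPlcy document with Python's standard library and applies the rules stated in the field descriptions above: the API version in which each field becomes available, the enumerated values, the permission set or profile that AdminApprovedPreAuthorized needs, the period and unit that SpecificInactivity and SpecificLifetime need, the JWT timeout values allowed per API version, and the rule that the timeout is omitted for UserSession. It also flags settings that deploy fine but weaken the app (Infinite refresh tokens, a Bypass IP relaxation policy, AllSelfAuthorized). The embedded SAMPLE policy is constructed for the example and deliberately seeded with problems. Treating a missing clientCredentialsFlowUser as an error when the client credentials flow is enabled is this example's own assumption drawn from that field's description, not a rule the page states.

```python
"""Audit an ExtlClntAppOauthConfigurablePolicies (.ecaOauthPlcy) file.

Added example, not Salesforce code. SAMPLE is a constructed policy file
seeded with problems so that the checks have something to report.
"""
import xml.etree.ElementTree as ET

MD_NS = "{http://soap.sforce.com/2006/04/metadata}"

# JWT timeout values (minutes) grouped by the API version that first allows them.
JWT_TIMEOUTS_V61 = {1, 5, 10, 15, 30}
JWT_TIMEOUTS_V65 = JWT_TIMEOUTS_V61 | {60, 90, 120, 240, 480, 720}

# First API version in which each version-gated field exists (from the field descriptions).
MIN_VERSION = {
    "clientCredentialsFlowUser": 60.0, "isClientCredentialsFlowEnabled": 60.0,
    "isTokenExchangeFlowEnabled": 60.0, "apexHandler": 61.0, "executeHandlerAs": 61.0,
    "commaSeparatedCustomScopes": 61.0, "guestJwtTimeout": 61.0, "namedUserJwtTimeout": 61.0,
    "isGuestCodeCredFlowEnabled": 61.0, "guestJwtSessionTimeoutType": 65.0,
    "namedUserJwtSessionTimeoutType": 65.0,
}
ENUMS = {
    "permittedUsersPolicyType": {"AdminApprovedPreAuthorized", "AllSelfAuthorized"},
    "policyAction": {"Block", "RaiseSessionLevel"},
    "refreshTokenPolicyType": {"Infinite", "SpecificInactivity", "SpecificLifetime", "Zero"},
    "refreshTokenValidityUnit": {"Days", "Hours", "Months"},
    "requiredSessionLevel": {"HIGH_ASSURANCE", "LOW", "STANDARD"},
    "ipRelaxationPolicyType": {"Enforce", "Bypass", "Bypass_2factor", "Enforce_RelaxRefresh"},
    "guestJwtSessionTimeoutType": {"UserSession", "Custom"},
    "namedUserJwtSessionTimeoutType": {"UserSession", "Custom"},
}

# Constructed sample: a valid document with several policy mistakes and weak settings.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppOauthConfigurablePolicies xmlns="http://soap.sforce.com/2006/04/metadata">
    <externalClientApplication>myeca</externalClientApplication>
    <refreshTokenPolicyType>Infinite</refreshTokenPolicyType>
    <ipRelaxationPolicyType>Bypass</ipRelaxationPolicyType>
    <permittedUsersPolicyType>AdminApprovedPreAuthorized</permittedUsersPolicyType>
    <isClientCredentialsFlowEnabled>true</isClientCredentialsFlowEnabled>
    <guestJwtSessionTimeoutType>UserSession</guestJwtSessionTimeoutType>
    <guestJwtTimeout>5</guestJwtTimeout>
    <namedUserJwtSessionTimeoutType>Custom</namedUserJwtSessionTimeoutType>
    <namedUserJwtTimeout>45</namedUserJwtTimeout>
</ExtlClntAppOauthConfigurablePolicies>
"""


def load_policy(xml_text):
    """Return {fieldName: text} for the scalar top-level fields. The nested
    customAttributes (key/formula pairs) are not used by the checks and are skipped."""
    root = ET.fromstring(xml_text)
    if root.tag != MD_NS + "ExtlClntAppOauthConfigurablePolicies":
        raise ValueError("unexpected root element: " + root.tag)
    return {child.tag.replace(MD_NS, ""): (child.text or "").strip()
            for child in root if child.tag != MD_NS + "customAttributes"}


def audit(fields, api_version):
    """Return (errors, warnings). Errors break the page's field rules or the package
    API version; warnings are valid settings that weaken the app's security posture."""
    errors, warnings = [], []
    if "externalClientApplication" not in fields:
        errors.append("externalClientApplication is required")
    for name, min_v in MIN_VERSION.items():
        if name in fields and api_version < min_v:
            errors.append(f"{name} needs API version {min_v}+, package is {api_version}")
    for name, allowed in ENUMS.items():
        if name in fields and fields[name] not in allowed:
            errors.append(f"{name}: invalid value {fields[name]!r}")

    users = fields.get("permittedUsersPolicyType")
    if users == "AdminApprovedPreAuthorized" and not (
            fields.get("commaSeparatedPermissionSet") or fields.get("commaSeparatedProfile")):
        errors.append("AdminApprovedPreAuthorized needs commaSeparatedPermissionSet or commaSeparatedProfile")
    elif users == "AllSelfAuthorized":
        warnings.append("AllSelfAuthorized: every user may authorize the app")

    refresh = fields.get("refreshTokenPolicyType")
    if refresh in ("SpecificInactivity", "SpecificLifetime"):
        if not fields.get("refreshTokenValidityPeriod", "").isdigit() or "refreshTokenValidityUnit" not in fields:
            errors.append(f"{refresh} needs refreshTokenValidityPeriod and refreshTokenValidityUnit")
    elif refresh == "Infinite":
        warnings.append("Infinite: refresh tokens stay valid until revoked")

    if fields.get("ipRelaxationPolicyType", "").startswith("Bypass"):
        warnings.append(f"{fields['ipRelaxationPolicyType']}: IP restrictions are not enforced for this app")

    allowed_timeouts = JWT_TIMEOUTS_V65 if api_version >= 65.0 else JWT_TIMEOUTS_V61
    for who in ("guest", "namedUser"):
        kind, timeout = fields.get(f"{who}JwtSessionTimeoutType"), fields.get(f"{who}JwtTimeout")
        if kind == "Custom" and not (timeout and timeout.isdigit() and int(timeout) in allowed_timeouts):
            errors.append(f"{who}JwtTimeout must be one of {sorted(allowed_timeouts)} when Custom")
        if kind == "UserSession" and timeout is not None:
            errors.append(f"omit {who}JwtTimeout when {who}JwtSessionTimeoutType is UserSession")

    # Assumption of this example: an enabled client credentials flow needs its execution user.
    if fields.get("isClientCredentialsFlowEnabled") == "true" and not fields.get("clientCredentialsFlowUser"):
        errors.append("client credentials flow enabled without a clientCredentialsFlowUser")
    return errors, warnings


if __name__ == "__main__":
    for version in (60.0, 65.0):
        errs, warns = audit(load_policy(SAMPLE), version)
        print(f"API {version}: {len(errs)} errors, {len(warns)} warnings")
        for line in errs + warns:
            print("  ", line)
```

To audit a retrieved file, pass its contents to load_policy and the version from package.xml to audit. Read the errors first: a field that the package's API version doesn't support is rejected at deploy time, so none of the policies in the file take effect until those are resolved.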

This example package.xml references the previous definition. Its version must be at least as high as the newest field the policy file uses; the definition above uses guestJwtSessionTimeoutType and namedUserJwtSessionTimeoutType, which need API version 65.0 or later.

<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>*</members>
        <name>ExternalClientApplication</name>
    </types>
    <types>
        <members>*</members>
        <name>ExtlClntAppOauthSettings</name>
    </types>
    <types>
        <members>*</members>
        <name>ExtlClntAppGlobalOauthSettings</name>
    </types>
    <types>
        <members>*</members>
        <name>ExtlClntAppOauthConfigurablePolicies</name>
    </types>
    <types>
        <members>*</members>
        <name>ExtlClntAppConfigurablePolicies</name>
    </types>
    <version>65.0</version>
</Package>

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.