          Configure a Connected App for the Authorization Code and Credentials Flow

          The Authorization Code and Credentials Flow is the foundation of headless login, registration, passwordless login, and guest user identity. Before setting up these features, enable the Authorization Code and Credentials Flow at an org-wide level and configure required settings and access policies for your connected app.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Enterprise, Unlimited, and Developer Editions
          User Permissions Needed

          To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
          To rotate the consumer key and consumer secret: Allow consumer key and secret rotation
          To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To install and uninstall packaged connected apps: Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps

          For connected apps installed as part of a package, keep these considerations in mind.

          • If you installed an app with the Authorization Code and Credentials Flow enabled in a subscriber org, you can skip to step 4. The app developer in the publishing org already completed steps 1 through 3 for you.
          • If the Authorization Code and Credentials Flow isn’t enabled for a connected app in the publishing org, you can’t use the flow for your installed app in the subscriber org.

          If you plan to use the guest flow to pass UVID values into a named user flow, your connected app must also be configured to issue JSON Web Token (JWT)-based access tokens. For steps, see Configure a Connected App to Issue JWT-Based Access Tokens.

          1. To access Authorization Code and Credentials Flow settings, allow connected apps to access the flow from the OAuth and OpenID Connect Settings page.
            Note: By default, the Authorization Code and Credentials Flow is blocked for all connected apps.
            1. From Setup, in the Quick Find box, enter OAuth, and then select OAuth and OpenID Connect Settings.
            2. Turn on Allow Authorization Code and Credentials Flows.
            You can now access connected app settings for the Authorization Code and Credentials Flow.
          2. Create your connected app and complete its basic information.
          3. Set up the basic OAuth settings for the app, including these settings.
            1. Enable OAuth.
            2. Enter a callback URL.
            3. Assign scopes to the app.
          4. Configure these specific settings for the Authorization Code and Credentials Flow.
            1. (Optional) To require the Proof Key for Code Exchange (PKCE) extension for your flow, select Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows. With this setting selected, you must implement PKCE when you build your flow. We strongly recommend PKCE for public clients: these apps can’t keep a consumer secret, so the code verifier is the only thing that binds the authorization code to the client instance that requested it and stops an intercepted code from being exchanged by someone else. We also recommend it for private clients, but it’s less critical there because the consumer secret already protects the code exchange.
            2. Select Enable Authorization Code and Credentials Flow.
            3. (Optional) To require your third-party client app to send the user’s credentials in the body of HTTP POST requests to the authorization endpoint, select Require user credentials in the POST body for Authorization Code and Credentials Flow.
              With this setting enabled, you can’t use the GET method for the authorization request, and you can’t include user credentials in a Basic authorization header. Credentials sent in a GET query string can end up in browser history and in proxy and web server access logs; a POST body isn’t recorded in those places.
            4. If you’re using a client backend to implement this flow for a private client, select Require Secret For Web Server Flow and Require Secret for Refresh Token Flow. Ensure that your client backend can keep the consumer secret secure.
            5. If you’re using this flow for a public client, deselect Require Secret For Web Server Flow and Require Secret for Refresh Token Flow to avoid exposing the consumer secret to the browser.
            6. Save your settings.
          5. Configure access policies for your connected app.
            1. From the connected app detail page, click Manage, then click Edit Policies.
            2. Under OAuth Policies, for Permitted Users, select Admin-approved users are pre-authorized from the dropdown.
            3. To define which users are admin-approved, manage profiles for the app by editing each profile’s Connected App Access list. Or manage permission sets by editing each permission set’s Assigned Connected App list. For more information on editing profiles and permission sets, see Manage Other Access Settings for a Connected App.
            If you’re configuring the connected app for headless login, registration, or passwordless login, your app is ready to go. Save your changes and stop here. If you’re building the guest flow, go to the next step.
          6. Configure policies for the guest user flow.
            1. Under Authorization Code and Credentials Flow, select Enable for Guest Users.
            2. Select an option for the guest user token timeout.
              Timeout Option: Description
              Use the Experience Cloud guest user timeout: Salesforce uses the timeout defined in the guest user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field in your org session settings. If both are defined, the profile session timeout takes precedence.
              Set app-specific token timeout: Select a timeout value that applies only to this app.
            3. Save your changes.

          You can now configure all variations of the Authorization Code and Credentials Flow between your app and a Salesforce Experience Cloud site.
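The client side of steps 3 and 4 as an added Python example, not code from this article or from Salesforce: it generates a PKCE verifier/challenge pair (RFC 7636), builds the authorization request with the user’s credentials in the POST body as the Require user credentials in the POST body setting demands, builds the token exchange with or without the consumer secret (the Require Secret For Web Server Flow choice for private versus public clients), and includes a check that mirrors what the POST-body setting rejects: a GET request, credentials in the query string, or a Basic authorization header. The endpoint paths, the response_type=code_credentials value and the Auth-Request-Type header are assumptions taken from Salesforce’s headless login documentation rather than from this page; the site URL, client ID and credentials are constructed placeholders.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Assumption: the article only says "the authorization endpoint"; these paths are the
# standard Salesforce OAuth endpoints. The site URL is a constructed placeholder.
SITE = "https://example.my.site.com"
AUTHORIZE_ENDPOINT = SITE + "/services/oauth2/authorize"
TOKEN_ENDPOINT = SITE + "/services/oauth2/token"


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method.

    32 random bytes encode to a 43-character verifier, inside the 43..128 range RFC 7636 allows.
    The verifier never leaves the client until the token exchange; only the challenge is sent first.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is exchanged."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_request(client_id, redirect_uri, scopes, username, password, code_challenge):
    """Authorization request shaped for the 'Require user credentials in the POST body' setting.

    Assumption: response_type=code_credentials and the Auth-Request-Type header come from
    Salesforce's headless login docs, not from this article. Credentials go only in the JSON body.
    """
    query = {
        "response_type": "code_credentials",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must match the connected app's callback URL
        "scope": " ".join(scopes),             # must be a subset of the scopes assigned to the app
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return {
        "method": "POST",
        "url": AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(query),
        "headers": {"Content-Type": "application/json", "Auth-Request-Type": "Named-User"},
        "body": {"username": username, "password": password},
    }


def build_token_request(client_id, redirect_uri, code, code_verifier, client_secret=None):
    """Token exchange. A public client omits client_secret (Require Secret For Web Server Flow off);
    a private client with a backend that can keep the secret includes it."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return {"method": "POST", "url": TOKEN_ENDPOINT, "form": form}


def check_credential_placement(request) -> list:
    """Mimic the server-side policy behind 'Require user credentials in the POST body'.

    Returns the list of violations; an empty list means the request is acceptable.
    """
    problems = []
    if request["method"].upper() != "POST":
        problems.append("credentials must be sent with POST, not " + request["method"])
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.lower().startswith("basic "):
        problems.append("credentials must not be in a Basic authorization header")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(request["url"]).query)
    if "username" in query or "password" in query:
        problems.append("credentials must not be in the query string (it is logged by proxies and servers)")
    body = request.get("body") or {}
    if not {"username", "password"} <= set(body):
        problems.append("username and password missing from the POST body")
    return problems


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    req = build_authorization_request("constructed-client-id", "https://app.example/callback",
                                      ["openid", "api"], "user@example.com", "constructed-password", challenge)
    print("authorization request OK:", check_credential_placement(req) == [])
    print("token request (public client):", build_token_request("constructed-client-id",
          "https://app.example/callback", "constructed-code", verifier))
```

The client keeps the verifier in memory between the two requests; if you are building a browser-based public client, that is the only secret it holds, which is why the page tells you to leave the consumer secret out of such apps.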

          To disable the Authorization Code and Credentials Flow on a connected app, deselect Enable Authorization Code and Credentials Flow from your connected app settings. Deselecting this setting prevents your third-party app from getting new access tokens, but it doesn’t revoke existing ones. To revoke access tokens, see Manage Current OAuth Connected App Sessions.

          You can also block all connected apps from using the flow from the OAuth and OpenID Connect Settings page.

           