          Headless Identity APIs: Configure an External Client App for the Authorization Code and Credentials Flow

          To integrate with Salesforce Headless Identity APIs, configure an external client app for the Authorization Code and Credentials Flow. Use the External Client App Manager in Setup. Or configure your external client app via Metadata API. External client apps support all variations of the Authorization Code and Credentials Flow, including headless login, passwordless login, registration, and guest user variations.

          Required Editions

          Available in: Lightning Experience
          Available in: Enterprise, Unlimited, and Developer Editions
          User Permissions Needed
          To configure both settings and policies as an external client app developer: Create, edit, and delete External Client Apps
          To manage external client app policies as an external client app admin: View all External Client Apps, view their settings, and edit their policies

          For the Authorization Code and Credentials Flow, an external client app must have several settings and policies enabled. Your access to settings and policies depends on your role, as defined by your user permissions. Developers configure both settings and policies. They can use settings to control what policies admins can access. Admins configure only policies. If you’re an admin and you can’t find a certain policy, contact the app developer.

          • Use the External Client App Manager
            Use the External Client App Manager in Setup to configure an external client app for the Authorization Code and Credentials Flow.
          • Use Metadata API
            Use Metadata API to configure an external client app for the Authorization Code and Credentials Flow.

          Use the External Client App Manager

          Use the External Client App Manager in Setup to configure an external client app for the Authorization Code and Credentials Flow.

          To use the Authorization Code and Credentials Flow, it must be enabled for your org on the OAuth and OpenID Connect Settings page in Setup. Your external client app must be enabled for OAuth. The guest user variation of the Authorization Code and Credentials Flow supports only JSON Web Token (JWT)-based access tokens. To use this flow variation, enable your external client app to issue JWT-based access tokens.

          1. (Developers only) Edit the external client app settings. If you’re an admin, your developer enables these settings for you.
            1. From Setup, in the Quick Find box, enter External Client App, and then select External Client App Manager. Next to your app, click Dropdown, and then select Edit Settings.
            2. In OAuth Settings, in the Flow Enablement section, select Enable Code and Credential Flow.
            3. Control whether your app is required to send its consumer secret (client_secret) in requests to the token endpoint.
              If you’re using a client backend to implement this flow for a private client, select Require user credentials in the POST body for Authorization Code and Credentials Flow. Ensure that your client backend can keep the consumer secret secure.
              If you’re using this flow with a public client, such as a single-page app, deselect Require user credentials in the POST body for Authorization Code and Credentials Flow to avoid leaking the consumer secret in the browser.
            4. (Optional) To require the Proof Key for Code Exchange (PKCE) extension for your flow, select Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows. We strongly recommend PKCE for public clients because these apps can’t use the consumer secret to protect the code exchange. We also recommend it for private clients, but it’s less critical.
            5. Save your changes.
              After you save the changes, Salesforce directs you to the external client app Policies tab.
          2. Edit the external client app policies.
            1. Go to the app’s Policies tab if you aren’t there already. From Setup, in the Quick Find box, enter External Client Apps, and then select External Client App Manager. Next to your app, click Dropdown, and then select Edit Policies.
            2. In App Policies, for Permitted Users, select Admin-approved users are pre-authorized.
            3. To admin-approve users, select permission sets assigned to your app’s users. For more information, see Permission Sets.
            4. Save your changes.
            Your app can now use the Authorization Code and Credentials Flow for headless login, passwordless login, and registration.
          3. To use your app for the guest user flow variation, configure these additional configurable OAuth policies.
            1. To enable the guest user variation, turn on Enable Code and Credentials Flow for Guest Users.
            2. To define how long the guest access token is valid after it’s issued, select an option for the Guest JSON Web Token (JWT) Timeout.
            3. Save your changes.

          Use Metadata API

          Use Metadata API to configure an external client app for the Authorization Code and Credentials Flow.

          To use the Authorization Code and Credentials Flow, the oAuthCdCrdtFlowEnable field on the OauthOidcSettings metadata type must be true.

          The OAuth plugin must also be enabled for your external client app. For more information, see these resources.

          The guest user variation of the Authorization Code and Credentials Flow supports only JSON Web Token (JWT)-based access tokens. To use this flow variation, enable your external client app to issue JWT-based access tokens.

          1. (Developers only) Configure these settings in the external client app’s global OAuth settings file.
            1. Set the isCodeCredFlowEnabled field to true.
            2. (Optional) For security, to require your app to send the user’s credentials in the body of a POST request to the authorization endpoint, set isCodeCredPostOnly to true. When set to false, you can use either a POST or a GET request, and the user’s credentials can be in the request body or in a Basic authorization header.
            3. To control whether your app is required to send its consumer secret (client_secret) in requests to the token endpoint, configure the isConsumerSecretOptional field.
              If you’re using a client backend to implement this flow for a private client, set this field to true. Ensure that your client backend can keep the consumer secret secure.
              If you’re using this flow with a public client, such as a single-page app, set this field to false to avoid leaking the consumer secret in the browser.
            4. (Optional) To require the Proof Key for Code Exchange (PKCE) extension for your flow, set isPkceRequired to true. We strongly recommend PKCE for public clients because these apps can’t use the consumer secret to protect the code exchange. We also recommend it for private clients, but it’s less critical.
            5. Deploy the changes.
          2. Modify the app’s configurable OAuth policies.
            1. Set the value for permittedUsersPolicyType to AdminApprovedPreAuthorized.
              Note: Saving this change causes all users currently using the app to lose access.
            2. To define which users are admin-approved, use permission sets. Enter a list of permission set IDs for the commaSeparatedPermissionSet field.
            Your app can now use the Authorization Code and Credentials Flow for headless login, passwordless login, and registration.
          3. To use your app for the guest user flow variation, configure these additional configurable OAuth policies.
            1. To enable the guest user variation, set isGuestCodeCredFlowEnabled to true.
            2. To define how long the guest access token is valid after it’s issued, use one of these options.
              • Use the Experience Cloud guest user timeout. Set the guestJwtSessionTimeoutType field to UserSession. With this option, Salesforce uses the timeout defined in the guest user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field in your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
              • Set a timeout value that applies only to this app. Set the guestJwtSessionTimeoutType field to Custom, and for the guestJwtTimeout field, set a timeout value in minutes. For a list of valid values, see ExtlClntAppOauthConfigurablePolicies in the Metadata API Developer Guide.
            3. Deploy the changes.
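The following script is an added example, not Salesforce code or part of this article: it reads the two metadata files described in the Metadata API procedure above and reports where they diverge from the settings and policies the procedure calls for (flow enabled, PKCE for public clients, pre-authorized users with permission sets, and a complete guest token timeout). The field names come from the article; the root element names, the sample XML and the permission set IDs are constructed assumptions for illustration.

```python
"""Review an external client app's OAuth settings and policies for the
Authorization Code and Credentials Flow (added example, not Salesforce code)."""
import xml.etree.ElementTree as ET

# Constructed sample metadata. Element names are the field names from the article;
# the root element names and the permission set IDs are assumed placeholders.
SETTINGS_XML = """<ExtlClntAppGlobalOauthSettings>
  <isCodeCredFlowEnabled>true</isCodeCredFlowEnabled>
  <isCodeCredPostOnly>true</isCodeCredPostOnly>
  <isPkceRequired>false</isPkceRequired>
</ExtlClntAppGlobalOauthSettings>"""

POLICIES_XML = """<ExtlClntAppOauthConfigurablePolicies>
  <permittedUsersPolicyType>AdminApprovedPreAuthorized</permittedUsersPolicyType>
  <commaSeparatedPermissionSet>0PS_PLACEHOLDER_1,0PS_PLACEHOLDER_2</commaSeparatedPermissionSet>
  <isGuestCodeCredFlowEnabled>true</isGuestCodeCredFlowEnabled>
  <guestJwtSessionTimeoutType>Custom</guestJwtSessionTimeoutType>
</ExtlClntAppOauthConfigurablePolicies>"""


def _field(root, name):
    """Return the text of a direct child element, or None if it is absent/empty."""
    el = root.find(name)
    return el.text.strip() if el is not None and el.text else None


def review(settings_xml, policies_xml, public_client):
    """Return a list of findings; an empty list means the files follow the procedure."""
    s, p = ET.fromstring(settings_xml), ET.fromstring(policies_xml)
    findings = []
    if _field(s, "isCodeCredFlowEnabled") != "true":
        findings.append("isCodeCredFlowEnabled must be true for this flow")
    # Public clients cannot protect the code exchange with the consumer secret,
    # so the article strongly recommends requiring PKCE for them.
    if public_client and _field(s, "isPkceRequired") != "true":
        findings.append("public client without isPkceRequired=true")
    if _field(p, "permittedUsersPolicyType") != "AdminApprovedPreAuthorized":
        findings.append("permittedUsersPolicyType must be AdminApprovedPreAuthorized")
    if not _field(p, "commaSeparatedPermissionSet"):
        findings.append("no permission sets listed, so no user is admin-approved")
    # Guest variation: the timeout type must be set, and Custom needs a value in minutes.
    if _field(p, "isGuestCodeCredFlowEnabled") == "true":
        ttype = _field(p, "guestJwtSessionTimeoutType")
        if ttype not in ("UserSession", "Custom"):
            findings.append("guestJwtSessionTimeoutType must be UserSession or Custom")
        elif ttype == "Custom" and not (_field(p, "guestJwtTimeout") or "").isdigit():
            findings.append("guestJwtSessionTimeoutType=Custom requires guestJwtTimeout")
    return findings


if __name__ == "__main__":
    for finding in review(SETTINGS_XML, POLICIES_XML, public_client=True):
        print("finding:", finding)
```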