External Client Apps
External client apps are packageable frameworks to enable a third-party application to integrate with Salesforce using APIs and security protocols. External client apps provide single sign-on (SSO) and use SAML and OAuth protocols to authorize third-party applications. Third-party applications that are integrated with Salesforce can run on the customer success platform as well as other platforms, devices, or SaaS subscriptions.
Both connected apps and external client apps involve two different types of active users. The first are those users who develop apps, whether for use in their own Salesforce org or to be packaged for distribution. The other users are admins who work with Salesforce orgs that subscribe to these distributed apps or maintain the apps developed on their own org. Unlike developers, admins set the policies for how those apps are used in a specific org. While these two roles can fall to the same person working on a local app, the importance of separating these user roles becomes apparent when the app is packaged and distributed to different Salesforce orgs.
Users with developer permissions control common app configurations in the Settings tab. These settings get packaged and distributed to subscribers. Subscriber org admins manage app policies. These unique policies are never packaged, and only affect the admin’s local org. Subscriber org admins can’t edit app settings.
OAuth Consumer Security
OAuth settings contain sensitive information like OAuth secrets that must not be packaged or distributed. To avoid the security risk of distributing OAuth secrets, external client apps divide the OAuth settings into a global OAuth settings file and a local OAuth settings file. The global file includes OAuth consumer details, and the local file controls the rest of the necessary settings. The local settings file contains no sensitive information, but it references the global settings file that does contain protected information.
Distribution State
External client apps can be local or configured for packaging. Local apps are developed and used in a single Salesforce org. Packageable apps are packaged with second-generation (2GP) managed packaging and distributed to subscriber orgs. This difference is determined by a distribution state setting.
The sensitive information in a global OAuth settings file means that the file can never be packaged. This restriction isn’t a problem for a local external client app. If the app’s distribution state is local, it can’t be packaged, and both OAuth settings files always exist in the same org. Things are a little more complicated if the app is packaged and distributed. There are two ways that a distributed app can use OAuth for authorization. Either the distributed app must refer to the originating app’s global OAuth settings file, or a new global OAuth settings file must be generated on the subscriber org.
- Create an External Client App
  Create an external client app in App Manager. Local external client apps are available only on the org where you create them. Packageable external client apps can be packaged for distribution to other orgs.
- Package an External Client App
  Determine whether to package your app or keep it local. External client apps are an excellent solution when created and used locally. However, they were designed with 2GP managed packaging in mind. Unlike connected apps, which are available by default, only packaged apps can be deployed to other orgs. Packaged apps with an OAuth plugin can be deployed with their own unique OAuth settings or they can reference the settings of the org where the app was developed.
- Manage External Client Apps
  After creating an external client app and configuring its distribution state, define its specific characteristics.
- External Client Apps Creation with Metadata API
  Developers can create external client apps in Salesforce Setup or programmatically using Metadata API. After downloading an external client app, admins can configure Policies specific to the needs of their org.

