Step 2: Create the Embedded Login External Client App

From your Salesforce community, create an Embedded Login external client app to connect your community with your website. The external client app handles communication between your web page and the Salesforce back end.

Warning In Summer ’24, Salesforce made Embedded Login disabled by default. We recommend that you use the web server flow, the user-agent flow, or another redirect-based OAuth 2.0 flow instead of Embedded Login.

Embedded Login relies on third-party cookies, which are blocked or restricted in most browsers. And Embedded Login works only on Google Chrome and only as long as third-party cookies are allowed there by default.

The external client app controls how the initial authentication and authorization process is handled. Then it continues to handle the interaction between the website and community during the user’s active session. When creating the external client app, you supply the callback URL, which is used to retrieve the access token during the initial authorization process.

The Salesforce external client app and callback URL are interconnected, so you have a “chicken or egg” issue. The Embedded Login external client app needs the website’s callback URL. The website needs the Embedded Login external client app URL. For now, specify a placeholder. You can come back later to replace it with the correct URL.

Create an external client app for Embedded Login. It takes only a few minutes.

1. Configure basic external client app settings.
2. Select Enable OAuth.
3. For the callback URL, enter https://your_website/your_webpage/_callback.php, where _callback.php is the name of your future callback URL.
4. For the OAuth scope, select Allow access to your unique identifier (openID). You can add other options if your web page requires more access to Salesforce, but it isn’t necessary.
   For more information about external client app OAuth settings, see Enable OAuth Settings for API Integration in Salesforce Help.
5. Click Save.
   It can take a few minutes for the changes to take effect.
6. Click Continue.
   The new external client app opens.
7. To view the consumer key in the OAuth Settings section, click Consumer Key and Secret, and then verify your identity.
8. Copy the consumer key. It’s the value for the meta tag salesforce_client_id.
9. Click Manage, and then click Edit Policies.
10. Under OAuth Policies, select Admin approved users are pre-authorized in the Permitted Users dropdown menu.
    This policy controls how the Embedded Login external client app handles authorization. The All users may self-authorize option prompts website visitors to approve access. If you select this option, set the salesforce-mask-redirects metatag to false. For more information, see Embedded Login Considerations.
11. Click Yes.
12. Click Save.
13. Under Profiles, click Manage Profiles and select the profiles that can access this external client app. Choose the profile you created when you set up your community.
14. Optionally, you can get more user information by adding custom attributes to the external client app.
15. Click Save.