Configure the External Client App Global OAuth Settings
Configure a global settings file, which affects every instance where the external client app is deployed.
- Create a file called [ECAPP_OAUTH_CONSUMER].ecaGlblOauth-meta.xml, for example, myecaconsumer.ecaGlblOauth-meta.xml, in a directory called extlClntAppGlobalOauthSets. This file is the global OAuth settings file, which includes sensitive OAuth consumer information.
- Configure the file with this information.

| Field | Description |
| --- | --- |
| callbackUrl | This field is optional. Type: String. The endpoint that Salesforce calls back to your external client app during OAuth. It’s the OAuth redirect_uri. |
| consumerKey | This field is optional. Type: String. A value used by the consumer for identification to Salesforce. Referred to as client_id in OAuth 2.0. |
| consumerSecret | This field is optional. Type: String. A value that is combined with the consumerKey and used by the consumer for identification to Salesforce. Referred to as client_secret in OAuth 2.0. |
| externalClientApplication | This field is required. Type: String. Name of the external client application. |
| idTokenAudience | This field is optional. Type: String. The audiences that this ID token is intended for. |
| idTokenIncludeStandardClaims | This field is optional. Type: Boolean. Indicates whether standard claims about the authentication event are included in the ID token. |
| idTokenValidityInMinutes | This field is optional. Type: Integer. The length of time that the ID token is valid for after it’s issued. The value can be 1–720 minutes. |
| isConsumerSecretOptional | This field is optional. Type: Boolean. If set to false (default), the external app’s client secret is required in exchange for an access token in the OAuth 2.0 web server flow. |
| isIntrospectAllTokens | This field is optional. Type: Boolean. If set to true, authorizes the external app to introspect all access and refresh all tokens. If set to false (default), the external client app can introspect its own tokens. |
| isPkceRequired | This field is required. Type: Boolean. If set to true (default), Proof Key for Code Exchange (PKCE) is required for OAuth integration. |
| isSecretRequiredForRefreshToken | This field is optional. Type: Boolean. If set to true (default), the app’s client secret is required in the authorization request of a refresh token and hybrid refresh token flow. If set to false and an app sends the client secret in the authorization request, Salesforce still validates it. |
| label | This field is required. Type: String. External Client Application Global OAuth Settings Name. |
| shouldRotateConsumerKey | This field is optional. Type: Boolean. If set to true, then the external client app's OAuth consumer key is replaced with a newly generated key on metadata deploy. Default is false. Rotating consumer credentials causes app failure if the external client app is not set up for rotation. To maintain security, you must include the ignore warnings attribute --ignorewarnings in the deploy command if this field is set to true. |
| shouldRotateConsumerSecret | This field is optional. Type: Boolean. If set to true, then the OAuth external client app's consumer secret is replaced with a newly generated secret on metadata deploy. Default is false. Rotating consumer credentials causes app failure if the external client app is not set up for rotation. To maintain security, you must include the ignore warnings attribute --ignorewarnings in the deploy command if this field is set to true. |

The global settings file looks like this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppGlobalOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <callbackUrl>https://www.example.com</callbackUrl>
    <externalClientApplication>myeca</externalClientApplication>
    <idTokenConfig>
        <idTokenAudience>SalesforceAudience</idTokenAudience>
        <idTokenIncludeStandardClaims>true</idTokenIncludeStandardClaims>
        <idTokenValidityInMinutes>0</idTokenValidityInMinutes>
    </idTokenConfig>
    <isConsumerSecretOptional>false</isConsumerSecretOptional>
    <isIntrospectAllTokens>false</isIntrospectAllTokens>
    <isPkceRequired>true</isPkceRequired>
    <isSecretRequiredForRefreshToken>false</isSecretRequiredForRefreshToken>
    <label>myecaglobalset</label>
    <shouldRotateConsumerKey>false</shouldRotateConsumerKey>
    <shouldRotateConsumerSecret>false</shouldRotateConsumerSecret>
</ExtlClntAppGlobalOauthSettings>
```
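
Because this file governs every deployment of the app, it is worth checking before each deploy. The following Python sketch is an added example, not Salesforce code: it reports fields set away from the defaults described above, rotation flags that change credentials on deploy, and a consumer secret stored in the file. The `audit` function, the `RULES` table and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# (field, value that triggers a finding, message). Defaults are the ones the page states.
RULES = [
    ("isPkceRequired", "false", "PKCE is not required (default is true)"),
    ("isConsumerSecretOptional", "true", "client secret not required in the web server flow"),
    ("isIntrospectAllTokens", "true", "app is authorized to introspect all tokens, not only its own"),
    ("isSecretRequiredForRefreshToken", "false", "client secret not required in refresh token flows"),
    ("shouldRotateConsumerKey", "true", "deploy replaces the consumer key; needs --ignorewarnings"),
    ("shouldRotateConsumerSecret", "true", "deploy replaces the consumer secret; needs --ignorewarnings"),
]

# Constructed sample: the page's example with several settings weakened.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppGlobalOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <callbackUrl>https://www.example.com</callbackUrl>
    <consumerSecret>CONSTRUCTED-PLACEHOLDER</consumerSecret>
    <externalClientApplication>myeca</externalClientApplication>
    <isConsumerSecretOptional>true</isConsumerSecretOptional>
    <isIntrospectAllTokens>false</isIntrospectAllTokens>
    <isPkceRequired>false</isPkceRequired>
    <label>myecaglobalset</label>
    <shouldRotateConsumerSecret>true</shouldRotateConsumerSecret>
</ExtlClntAppGlobalOauthSettings>"""

def audit(xml_text):
    """Return a list of (field, message) findings for one global OAuth settings file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}ExtlClntAppGlobalOauthSettings" % NS["md"]:
        raise ValueError("not an ExtlClntAppGlobalOauthSettings document")
    findings = []
    for field, bad, message in RULES:
        node = root.find("md:" + field, NS)
        # An absent field keeps its default, which is the stricter value for every rule here.
        if node is not None and (node.text or "").strip().lower() == bad:
            findings.append((field, message))
    secret = root.find("md:consumerSecret", NS)
    if secret is not None and (secret.text or "").strip():
        findings.append(("consumerSecret", "secret stored in the file; restrict who can read it"))
    return findings

if __name__ == "__main__":
    for field, message in audit(SAMPLE):
        print(f"{field}: {message}")
```

Run against the page's own example file, this reports only `isSecretRequiredForRefreshToken`, which that example sets to false.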

