Authorize Apps with OAuth
OAuth is an open protocol that authorizes a client application to access data from a protected resource through the exchange of tokens. OAuth tokens are essentially permissions given to a client application.
| Required Editions |
| --- |
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: All Editions |
The resource server can validate the tokens and allow the client application access to the defined protected resources. In Salesforce, you can use OAuth authorization to approve a client application’s access to your org’s protected resources.
Important: You can’t use OAuth independently to authenticate a user’s identity. Instead, use OpenID Connect as an authentication service in addition to OAuth authorization.
- OAuth Authorization Flows
  OAuth authorization flows grant a client application restricted access to protected resources on a resource server. Each OAuth flow offers a different process for approving access to a client app, but in general the flows consist of three main steps. To initiate an authorization flow, a client app requests access to a protected resource. In response, an authorizing server grants access tokens to the client app. A resource server then validates these access tokens and approves access to the protected resource.
- Generate a Frontdoor URL to Bridge into UI Sessions
  To give users uninterrupted access to Salesforce and other apps, use an existing session to automatically log users into a new UI without making them enter their credentials again. For example, redirect users from a custom app to a specific record in Salesforce. To bridge from one session to another, use Single Access UI Bridge API (UI Bridge API for short). With this API, exchange an access token for a frontdoor URL that you use to load a new session. You can also specify a redirect URI where users are sent when their new session begins.
- Proof Key for Code Exchange (PKCE) Extension
  To improve the security of your OAuth and authentication provider implementations, use the OAuth 2.0 Proof Key for Code Exchange (PKCE) extension. You can require PKCE at an org-wide level, require it for a specific connected app, and automatically enable it for supported authentication providers.
- OAuth Tokens and Scopes
  OAuth tokens authorize access to protected resources. Connected apps receive tokens on behalf of a client after authorization. Scopes further define the type of protected resources that the connected app can access. You assign scopes to a connected app when you build it, and they’re included with the OAuth tokens during the authorization flow.
- Access Tokens
  Access tokens are your key to Salesforce APIs. When a client successfully completes an authorization flow, whether it’s a standard OAuth 2.0 flow or a headless identity flow, Salesforce issues an access token that can be used to access protected Salesforce data. Salesforce supports two types of access tokens: opaque tokens and JSON Web Token (JWT)-based access tokens. Each type has its own merits and limitations based on your use case.
- Revoke Data Cloud Access Tokens
  Revoke a Data Cloud access token to remove client access to Salesforce Data Cloud data.
- OAuth Custom Scopes
  An external client app can use the OAuth authorization protocol to access protected resources. As part of the protocol, OAuth default scopes fine-tune the app’s permissions to access protected resources in Salesforce. However, these default scopes are insufficient when an external entity hosts the protected resource. In this scenario, Salesforce plays the role of OAuth authentication and authorization provider, but it has little knowledge about the resource it’s protecting. To define an external client app’s permissions to access protected resources hosted by an external entity, create an OAuth custom scope. The custom scope tells the external entity which information the external client app is authorized to access.
- Identity URLs
  The identity URL is the gateway to the Salesforce Identity Service that can be accessed using the OAuth 2.0 user-agent or web server flows. In these flows, when a connected app with the id scope is successfully authorized, it receives an identity URL along with the access token. The connected app can then send a GET request with the access token to the identity URL. In response, Salesforce returns details about the queried user and org.
- OAuth Endpoints
  OAuth endpoints are the URLs that you use to make OAuth authorization requests to Salesforce. Each OAuth flow defines which endpoints to use and what request data to provide.
- OAuth 2.0 Echo Endpoint
  Use the OAuth 2.0 echo endpoint to simplify development when you configure the Authorization Code and Credentials Flow for public clients, such as single-page apps. You can also use this endpoint for variations of the Authorization Code and Credentials Flow, including headless registration, passwordless login, and guest user flows.
- Enable CORS for OAuth Endpoints
  Web applications use Cross-Origin Resource Sharing (CORS) to request resources from origins other than their own. For example, a web page can use CORS to request information about a user from your My Domain login URL or Experience Cloud site URL. In addition to public and allowlisted web pages, Salesforce supports CORS for certain OAuth endpoints when requested from a My Domain login URL or Experience Cloud site URL.
- Query for User Information
  A connected app can query the UserInfo endpoint for information about the user associated with the connected app’s access token. Salesforce returns basic personal information about the user and important endpoints that the connected app can talk to, such as photos and accessible API endpoints. This UserInfo endpoint provides access to information only for the current user. It doesn’t give access to other users in the org.
- Query for the OpenID Connect Configuration
  Use the OpenID Connect discovery endpoint to query for information about the Salesforce OpenID Connect configuration. Salesforce returns basic information about endpoints, supported scopes, and other values used for OpenID Connect authorization.
- Query SAML Authentication Settings
  You can query the authentication configuration endpoint for information about an org's or Experience Cloud site's SAML single sign-on (SSO) and authentication provider settings. Use this functionality when you’re developing apps that need this information on demand.
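As an added example (not Salesforce's code or documentation), the PKCE S256 exchange that the PKCE extension above builds on: the client generates a code verifier and challenge, sends only the challenge with the authorization request, and the authorization server checks the verifier presented at the token endpoint, including the case where PKCE is required but the code was issued without it. The authorize URL, client_id and redirect_uri are assumed placeholders, and the server-side check is a model of the RFC 7636 logic, not Salesforce's implementation.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed placeholder; substitute your org's My Domain authorize endpoint.
AUTHORIZE_URL = "https://<my-domain>.my.salesforce.com/services/oauth2/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random verifier (32 bytes -> 43 chars, the RFC 7636 minimum)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str) -> str:
    """Authorization request: only the challenge travels now; the verifier is
    sent later, together with the authorization code, to the token endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "id",  # the id scope from this page; add others as the app needs
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def verify_token_request(stored_challenge, stored_method, presented_verifier, pkce_required):
    """Model of the server-side check at the token endpoint. stored_challenge and
    stored_method were bound to the code at /authorize; presented_verifier arrives
    with the code. pkce_required models the org-wide or per-app requirement."""
    if stored_challenge is None:
        # Code issued without PKCE: acceptable only when PKCE is not required.
        return not pkce_required
    if not presented_verifier or not (43 <= len(presented_verifier) <= 128):
        return False
    if stored_method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)
```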