          OAuth 2.0 for First-Party Applications: Configure an External Client App for Headless Identity Flows

          To develop headless identity flows that use the OAuth 2.0 for First-Party Applications draft standard, configure an external client app. For these flows, you must configure your external client app via Metadata API. Use these steps to configure an app for headless username-password login, passwordless login, and registration.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Enterprise, Unlimited, and Developer Editions
          User Permissions Needed
          To configure both settings and policies as an external client app developer: Create, edit, and delete External Client Apps
          To manage external client app policies as an external client app admin: View all External Client Apps, view their settings, and edit their policies

          The OAuth plugin must also be enabled for your external client app. For more information, see these resources.

          1. (Developers only) Configure these settings in the external client app’s global OAuth settings file.
            1. Set the isConsumerSecretOptional field to false. These flows are supported only for private clients, which can keep the consumer secret secure in a private client backend.
            2. Set isPkceRequired to true. If you don't use PKCE, the security features of this flow don't work properly.
            3. Deploy the changes.
          2. (Developers only) Configure these settings in the external client app's OAuth settings file.
            1. Set the isFirstPartyAppsEnabled setting to true.
            2. For clientAssertionCertificate, register the certificate that you're using to sign the client attestation JWT.
          3. Modify the app’s configurable OAuth policies.
            1. Set the value for permittedUsersPolicyType to AdminApprovedPreAuthorized.
              Note: Saving this change causes all users currently using the app to lose access.
            2. To define which users are admin-approved, use permission sets. Enter a list of permission set IDs for the commaSeparatedPermissionSet field.
            Your app can now use the OAuth 2.0 for First-Party Applications flows for headless username-password login, passwordless login, and registration.
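          As an added pre-deployment check (example code, not part of this article and not Salesforce tooling), the following Python script parses the three Metadata API settings files and reports every field that does not match the steps above. The root element names, the certificate name and the permission set ID in the constructed sample files are assumptions and placeholders, not values from this page; only the field names and required values come from the steps.

```python
import xml.etree.ElementTree as ET
# Required values and required-present fields, taken from the steps on this page.
REQUIRED = {
    "global": {"isConsumerSecretOptional": "false", "isPkceRequired": "true"},
    "oauth": {"isFirstPartyAppsEnabled": "true"},
    "policy": {"permittedUsersPolicyType": "AdminApprovedPreAuthorized"},
}
REQUIRED_PRESENT = {"oauth": ["clientAssertionCertificate"],
                    "policy": ["commaSeparatedPermissionSet"]}

def _field(root, name):
    """Text of the first element with local name `name` (namespace ignored), else None."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return None

def check_settings(xml_docs):
    """Map 'global'/'oauth'/'policy' -> XML text; returns findings ([] = compliant)."""
    findings = []
    for kind, xml in xml_docs.items():
        root = ET.fromstring(xml)
        for name, want in REQUIRED.get(kind, {}).items():
            got = _field(root, name)
            if got is None:
                findings.append(f"{kind}: {name} is missing")
            elif got.lower() != want.lower():
                findings.append(f"{kind}: {name}={got!r}, expected {want!r}")
        for name in REQUIRED_PRESENT.get(kind, []):
            if not _field(root, name):
                findings.append(f"{kind}: {name} is missing or empty")
    return findings

# Constructed sample files; root element names, certificate and permission set
# values are placeholders. The global settings still allow a public client.
NS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
SAMPLE = {
    "global": f"""<ExtlClntAppGlobalOauthSettings {NS}>
  <isConsumerSecretOptional>true</isConsumerSecretOptional>
  <isPkceRequired>true</isPkceRequired>
</ExtlClntAppGlobalOauthSettings>""",
    "oauth": f"""<ExtlClntAppOauthSettings {NS}>
  <isFirstPartyAppsEnabled>true</isFirstPartyAppsEnabled>
  <clientAssertionCertificate>ATTESTATION_CERT_PLACEHOLDER</clientAssertionCertificate>
</ExtlClntAppOauthSettings>""",
    "policy": f"""<ExtlClntAppOauthConfigurablePolicies {NS}>
  <permittedUsersPolicyType>AdminApprovedPreAuthorized</permittedUsersPolicyType>
  <commaSeparatedPermissionSet>PERMISSION_SET_ID_PLACEHOLDER</commaSeparatedPermissionSet>
</ExtlClntAppOauthConfigurablePolicies>""",
}
```

Running `check_settings(SAMPLE)` on the sample reports the public-client setting (`isConsumerSecretOptional` is still `true`); once that is set to `false`, the list is empty.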
          Salesforce Help | Article