          Enable Apps for a Token Exchange Handler

          To enable a connected app or external client app for a token exchange handler, use the Token Exchange Handlers page in Setup, or edit its metadata definition.

          Required Editions

          Available in: Enterprise, Performance, Unlimited, and Developer Editions

          Before you start, make sure you have a connected app or external client app that's configured for the token exchange flow. See Integrate an App for the Token Exchange Flow.

          You can enable a token exchange handler for multiple connected apps or external client apps. A single connected app or external client app can be associated with multiple handlers.

          Option 1: Enable Apps in Setup

          To use an external client app or connected app with the token exchange handler, enable apps from the Token Exchange Handler page in Setup.

          1. If you're not on the Token Exchange Handlers page in Setup, navigate there. From Setup, in the Quick Find box, enter Token, and then select Token Exchange Handlers.
          2. Find the handler you want to edit, click the dropdown arrow for the token exchange handler, and then select View Details.
          3. Under Enabled Apps, click Enable New App.
          4. Select the type of app you want to enable and click Next.
          5. For Select App, search for and select the connected app or external client app that you want to use.
            Note: The app search returns only apps that are properly configured for the token exchange flow. If you can't find an app, check its settings and policies.
          6. For Run as, search for and select an execution user to run the handler. We recommend that you use an integration user account that doesn't represent a real user.
            The search returns up to 200 users. To filter users, enter the first letter of the user's first or last name. Or, to quickly find all users whose names contain a given string, enter the * (asterisk) character followed by the string. For example, to search for all user accounts with the string integration, enter *ion.
          7. To set this handler as the default handler for this app, select Make <your handler name> the default handler for this app. An app can have only one default handler.
            When a handler is set as the default for an app, Salesforce automatically uses it during the token exchange flow unless you specify a different handler. For more information, see Configure the Token Exchange Flow.
          8. Click Done.
            Your newly enabled app is displayed under Enabled Apps on the handler's detail page. To find apps more easily, filter your view by app type, or sort apps by Name, Run As User, or Enabled Date.
            Warning: Sorting is supported only for handlers with up to 100 enabled apps. If you have more than 100 apps, it doesn't work.

          To edit an enabled app, next to the app, click the dropdown arrow for the token exchange handler, select Edit, and change its settings as desired.

          To remove an app from the handler, next to the app, click the dropdown arrow for the token exchange handler, and then select Remove. Confirm that you want to remove the app. You can re-enable the app for the handler anytime.

          After you finish enabling your app, configure the token exchange flow.

          Option 2: Enable Apps via Metadata API

          Use Metadata API to enable connected apps or external client apps for a token exchange handler.

          Make sure that you have the right permissions to work with Metadata API. See Metadata API Edit Access in the Metadata API Developer Guide.

          To work with Metadata API, use the Salesforce Extensions for Visual Studio Code or Salesforce CLI, or use a developer tool of your choice. For more information, see Metadata API Developer Tools in the Metadata API Developer Guide.

          Metadata API supports file-based and CRUD-based development. These steps cover how to define the handler with file-based development.

          1. In the your_handler_name.oauthtokenexchangehandler file, set the isEnabled field to true.
          2. Add a field called enablements. This field references the OauthTokenExchHandlerApp metadata type.
          3. In the enablements field, add these fields.
            1. To specify the execution user that runs the handler, add an apexExecutionUser field and enter the name of the user. We recommend that you use an integration user account that doesn’t represent a real user.
            2. If you’re using a connected app, add a connectedApp field and specify the connected app’s API name.
            3. If you’re using an external client app, add an externalClientApp field and specify the external client app’s API name.
            4. To define whether the handler is the default handler for the app, set the isDefault boolean field. During the token exchange flow, when you send a token request, you can optionally specify the name of the handler you want to use. If you don’t specify a name, Salesforce uses the default handler. If you have multiple handlers, specify only one default.
          4. Optionally, to add more apps to the handler, add another enablements field for each additional app.
            Here’s an example of the full token exchange handler metadata definition. This handler is enabled for two connected apps.
            <?xml version="1.0" encoding="UTF-8"?>
            <OauthTokenExchangeHandler xmlns="http://soap.sforce.com/2006/04/metadata">
                <developerName>MyTokenExchangeHandler</developerName>
                <description>My token exchange handler</description>
                <isAccessTokenSupported>true</isAccessTokenSupported>
                <isEnabled>true</isEnabled>
                <isIdTokenSupported>false</isIdTokenSupported>
                <isJwtSupported>true</isJwtSupported>
                <isProtected>false</isProtected>
                <isRefreshTokenSupported>false</isRefreshTokenSupported>
                <isSaml2Supported>false</isSaml2Supported>
                <isUserCreationAllowed>true</isUserCreationAllowed>
                <masterLabel>MyTokenExchangeHandler</masterLabel>
                <tokenHandlerApex>MyOauthTokenExchangeHandler</tokenHandlerApex>
                <enablements>
                    <apexExecutionUser>integrationuser@mycompany.com</apexExecutionUser>
                    <connectedApp>TokenExchangeApp1</connectedApp>
                    <isDefault>true</isDefault>
                </enablements>
                <enablements>
                    <apexExecutionUser>integrationuser@mycompany.com</apexExecutionUser>
                    <connectedApp>TokenExchangeApp2</connectedApp>
                    <isDefault>true</isDefault>
                </enablements>
            </OauthTokenExchangeHandler>
          5. Using your metadata development tool, use the deploy() call to deploy the changes to your org.
          6. To view the handler, from Setup, in the Quick Find box, enter Token Exchange Handlers, and then select Token Exchange Handlers.
            You can see each handler’s name, API name, supported token types, and status. You can also see when it was last modified and by whom.

          After you finish enabling your app, configure the token exchange flow.
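
A pre-deployment check for the handler files built in the Metadata API steps above, as an added example that is not Salesforce's code or tooling: it parses each file, then flags malformed XML, enablements that don't name exactly one app, run-as users outside an approved list, and apps that more than one handler claims as default. The function names, the approved_users allowlist, the one-app-per-enablements rule, and the sample files are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

def _text(node, tag):
    child = node.find(f"md:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""

def lint_handlers(files, approved_users):
    """files maps file name -> XML text; returns a list of findings."""
    findings, defaults = [], defaultdict(set)
    for name, xml_text in files.items():
        try:
            root = ET.fromstring(xml_text.strip())
        except ET.ParseError as exc:  # e.g. a mismatched closing tag
            findings.append(f"{name}: not well-formed ({exc})")
            continue
        handler = _text(root, "developerName") or name
        enablements = root.findall("md:enablements", NS)
        if enablements and _text(root, "isEnabled") != "true":
            findings.append(f"{handler}: isEnabled is not true")
        for i, en in enumerate(enablements, 1):
            apps = [(k, _text(en, k)) for k in ("connectedApp", "externalClientApp")
                    if _text(en, k)]
            if len(apps) != 1:  # assumption: one app per enablements entry
                findings.append(f"{handler}#{i}: name exactly one app")
                continue
            user = _text(en, "apexExecutionUser")
            if user not in approved_users:  # org policy, not a platform rule
                findings.append(f"{handler}#{i}: run-as user {user!r} not approved")
            if _text(en, "isDefault") == "true":
                defaults[apps[0]].add(handler)
    for (kind, app), handlers in sorted(defaults.items()):
        if len(handlers) > 1:  # an app can have only one default handler
            findings.append(f"{kind} {app}: default for {sorted(handlers)}")
    return findings

def _sample(name, app, user="integrationuser@mycompany.com", close="connectedApp"):
    # Constructed sample metadata, not taken from a real org.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<OauthTokenExchangeHandler xmlns="http://soap.sforce.com/2006/04/metadata">
  <developerName>{name}</developerName><isEnabled>true</isEnabled>
  <enablements><apexExecutionUser>{user}</apexExecutionUser><isDefault>true</isDefault>
    <connectedApp>{app}</{close}></enablements></OauthTokenExchangeHandler>"""

SAMPLE_FILES = {f"{a[0]}.oauthtokenexchangehandler": _sample(*a) for a in [
    ("HandlerA", "TokenExchangeApp1"),
    ("HandlerB", "TokenExchangeApp1", "jane.doe@mycompany.com"),
    ("Broken", "TokenExchangeApp2", "integrationuser@mycompany.com", "conectedApp")]}
```

Calling `lint_handlers(SAMPLE_FILES, {"integrationuser@mycompany.com"})` returns three findings: the unapproved run-as user on HandlerB, the malformed Broken file, and TokenExchangeApp1 being claimed as default by two handlers.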
