Integrate an App for the Token Exchange Flow
To integrate an app with Salesforce for the OAuth 2.0 token exchange flow, create a Salesforce connected app or an external client app.
Required Editions
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
Option 1: Create a Connected App
To enable a connected app for the token exchange flow, take these steps.
Required Editions
| Task | User Permissions Needed |
|---|---|
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data AND Manage Profiles and Permission Sets |
| To rotate the consumer key and consumer secret: | Allow consumer key and secret rotation |
| To install and uninstall connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To install and uninstall packaged connected apps: | Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps |
- Create a connected app and complete its basic information.
- Enable the connected app’s OAuth settings for API integration. In addition to enabling OAuth and entering a callback URL, use these settings.
  - To define the app’s permissions, select scopes. When you configure the flow, the token request can optionally include a scopes parameter. The scopes in this parameter must match or be a subset of the scopes assigned to the connected app.
  - Select Enable Token Exchange Flow.
  - Optionally, select Require Secret for Token Exchange Flow. We recommend that you enable this setting only for private clients with a secure client back end. For public clients that can’t keep the consumer secret confidential, such as single-page apps and mobile apps, don’t enable this setting.
  - Optionally, to issue JSON Web Token (JWT)-based access tokens instead of opaque access tokens, see Enable JSON Web Token (JWT)-Based Access Tokens.
- Set the OAuth policies for the connected app. Make sure you use these settings.
  - For the Permitted Users policy, select Admin approved users are pre-authorized. To control which users are admin approved, manage which profiles are assigned to the app.
- Save your changes.
Next, create a token exchange handler Apex class.
Option 2: Create an External Client App
To enable an external client app for the token exchange flow, take these steps.
Before you start, set up permissions for external client apps.
- Create a local external client app and configure its basic settings.
- Deploy the external client app.
- Configure the external client app global OAuth settings. Make sure you set these fields.

  | Field | Description |
  |---|---|
  | isTokenExchangeEnabled | Boolean field indicating whether the token exchange flow is enabled. Set this field to true. |
  | isSecretRequiredForTokenExchange | Boolean field indicating whether the app is required to send its consumer secret in the token request. We recommend that you set this field to true only if your app has a private client back end that can keep the secret confidential. For public clients such as mobile apps and single-page apps, set this field to false. |

  Here’s an example global OAuth settings file.

  ```xml
  <?xml version="1.0" encoding="UTF-8"?>
  <ExtlClntAppGlobalOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
      <callbackUrl>https://www.example.com</callbackUrl>
      <externalClientApplication>myeca</externalClientApplication>
      <idTokenConfig>
          <idTokenAudience>SalesforceAudience</idTokenAudience>
          <idTokenIncludeStandardClaims>true</idTokenIncludeStandardClaims>
          <idTokenValidityInMinutes>0</idTokenValidityInMinutes>
      </idTokenConfig>
      <isConsumerSecretOptional>false</isConsumerSecretOptional>
      <isIntrospectAllTokens>false</isIntrospectAllTokens>
      <isPkceRequired>false</isPkceRequired>
      <isSecretRequiredForRefreshToken>false</isSecretRequiredForRefreshToken>
      <label>myecaglobalset</label>
      <shouldRotateConsumerKey>false</shouldRotateConsumerKey>
      <shouldRotateConsumerSecret>false</shouldRotateConsumerSecret>
      <isTokenExchangeEnabled>true</isTokenExchangeEnabled>
      <isSecretRequiredForTokenExchange>true</isSecretRequiredForTokenExchange>
  </ExtlClntAppGlobalOauthSettings>
  ```
- Configure the external client app OAuth settings, which affect the local instance. In addition to the required fields, optionally use the commaSeparatedOauthScopes field to specify scopes. If you send a scopes parameter in your token request, the scopes must match or be a subset of the scopes assigned to your external client app.
- Configure the external client app OAuth policies. If you create your own policies file, make sure that the permittedUsersPolicyType field is set to AdminApprovedPreAuthorized.
- Deploy the external client app OAuth plugin.
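As an added example (not Salesforce code), the following Python script applies two checks from this page before the metadata is deployed: it lints an ExtlClntAppGlobalOauthSettings file for the two token exchange fields, treating the app as a public or private client the way the guidance above (and the Require Secret for Token Exchange Flow setting in Option 1) does, and it verifies that the scopes in a token request match or are a subset of the app’s commaSeparatedOauthScopes value. The sample XML is a constructed subset of the settings file shown above; the "public"/"private" labels, the severity levels and the message text are this example’s own conventions, not Salesforce’s.

```python
"""Pre-deployment checks for the token exchange flow settings.

Added example, not Salesforce code. Parses the ExtlClntAppGlobalOauthSettings
metadata XML described on this page and checks the token exchange fields
against the page's guidance, then checks requested scopes against the
app's assigned scopes.
"""
import xml.etree.ElementTree as ET

# Salesforce metadata namespace (from the example file on the page).
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: a subset of the page's global OAuth settings file,
# as deployed for a private client that keeps the consumer secret confidential.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppGlobalOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <callbackUrl>https://www.example.com</callbackUrl>
    <externalClientApplication>myeca</externalClientApplication>
    <isTokenExchangeEnabled>true</isTokenExchangeEnabled>
    <isSecretRequiredForTokenExchange>true</isSecretRequiredForTokenExchange>
</ExtlClntAppGlobalOauthSettings>
"""


def _bool_field(root, name):
    """Return the boolean value of a metadata field, or None if it is absent."""
    el = root.find(f"m:{name}", NS)
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def lint_token_exchange_settings(xml_text, client_kind):
    """Check the token exchange fields in a global OAuth settings file.

    client_kind is "private" (the app has a back end that can keep the
    consumer secret confidential) or "public" (single-page or mobile app).
    These labels are this example's convention. Returns a list of
    (severity, message) tuples; an empty list means no findings.
    """
    if client_kind not in ("private", "public"):
        raise ValueError("client_kind must be 'private' or 'public'")
    # Encode to bytes so the XML declaration is handled uniformly by the parser.
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []

    if _bool_field(root, "isTokenExchangeEnabled") is not True:
        findings.append(("error", "isTokenExchangeEnabled must be true to use the token exchange flow"))

    secret_required = _bool_field(root, "isSecretRequiredForTokenExchange")
    if client_kind == "public" and secret_required:
        # A public client cannot keep the consumer secret confidential, so
        # requiring it in the token request gives no protection.
        findings.append(("error", "isSecretRequiredForTokenExchange is true, but a public client cannot keep the consumer secret confidential; set it to false"))
    elif client_kind == "private" and not secret_required:
        # The page recommends requiring the secret only for private clients;
        # flag this as informational so the author can decide.
        findings.append(("info", "isSecretRequiredForTokenExchange is false; a private client with a secure back end can require the secret"))
    return findings


def parse_scopes(comma_separated):
    """Split a commaSeparatedOauthScopes value into a set of scope names."""
    return {s.strip() for s in comma_separated.split(",") if s.strip()}


def requested_scopes_allowed(requested, app_scopes):
    """True if the scopes in a token request match or are a subset of the app's scopes."""
    return set(requested) <= set(app_scopes)


if __name__ == "__main__":
    for kind in ("private", "public"):
        print(kind, lint_token_exchange_settings(SAMPLE_SETTINGS, kind))
    assigned = parse_scopes("api, refresh_token")
    print(requested_scopes_allowed(["api"], assigned))
    print(requested_scopes_allowed(["api", "full"], assigned))
```

Run it against the settings file checked into your metadata project before deploying; the scope check mirrors the rule stated above for both connected apps and external client apps, so a token request carrying a scope the app was not assigned is caught before it reaches Salesforce.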
Next, create a token exchange handler Apex class.

