          API (Enable OAuth Settings): Configure ID Token Control

          This security setting defines the cryptographic lifespan and data structure of the OpenID Connect ID token.

          Control Name

          Connected Apps: API (Enable OAuth Settings): Configure ID token

          Recommended Configuration

          Configure ID token - Token duration in minutes (2 minutes) | ID Token Audiences | Include Standard Claims | Include Custom Permissions | Custom Attributes.

          Control Overview

          This security setting defines the cryptographic lifespan and data structure of the OpenID Connect ID token by specifying the expiration interval, target audience identifiers, and the inclusion of specific user-level metadata.

          Security Risk If Not Configured

          An overly long ID token duration and loosely managed attributes for application sessions prolong the identity theft risk: stale tokens containing sensitive user identifiers remain valid for unauthorized reuse.

          Threat Scenarios

          An attacker intercepts a long-lived ID token and extracts persistent user metadata or uses the active session to impersonate the victim across multiple downstream integrated systems that share the same audience claim.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to implement short token lifecycles and restricted attribute sets facilitates the unauthorized harvesting of personal identifiers and increases the likelihood of successful replay attacks against the organizational identity layer.

          Higher Risk When

          When the ID token includes broad custom attributes containing sensitive business logic or when the audience claim is set to a global value that permits token acceptance by unintended external service providers.

          Low Risk When

          If the organization enforces a minimal two-minute expiration window and uses unique audience identifiers, so that each token is cryptographically bound to a single, verified client.

          Business and Integration Considerations

          Implementing restrictive ID token policies ensures compliance with data privacy regulations by minimizing the transmission of unnecessary user data, though it requires the consuming application to support frequent token refresh cycles.

          Recommended Remediation

          Go to the OAuth Policies for the Connected App, set the ID Token Validity to two minutes, define the ID Token Audiences, and select only the necessary standard and custom claims.
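          The consuming application should also enforce the policy above on every ID token it receives. The following is an added example, not Salesforce code: a relying-party check that rejects tokens whose lifetime exceeds two minutes, whose audience is shared or does not match this client, or that carry custom attributes outside an allow-list. The issuer, client ID, claim names `custom_attributes` and the sample tokens are constructed assumptions; signature verification is assumed to have been done first by a JOSE library.

```python
from typing import Any

# Policy values mirroring the page's recommendation (constructed for this example).
MAX_ID_TOKEN_LIFETIME_SECONDS = 120                 # two-minute token duration
EXPECTED_AUDIENCE = "3MVG9_example_client_id"       # placeholder connected-app client ID
EXPECTED_ISSUER = "https://login.salesforce.com"    # assumed issuer value
ALLOWED_CUSTOM_ATTRIBUTES = {"department"}          # only attributes this app actually needs


def check_id_token_claims(claims: dict[str, Any], now: float) -> list[str]:
    """Return policy violations for a signature-verified ID token payload.

    An empty list means the token is acceptable. The 'custom_attributes' claim
    name is an assumption for this example.
    """
    problems: list[str] = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience does not include this client")
    if len(audiences) != 1:
        # A shared or global audience lets other services accept the same token.
        problems.append("token is valid for more than one audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        problems.append("missing exp or iat")
    else:
        if exp <= now:
            problems.append("token expired")
        if exp - iat > MAX_ID_TOKEN_LIFETIME_SECONDS:
            problems.append("token lifetime exceeds policy")
    extra = set(claims.get("custom_attributes", {})) - ALLOWED_CUSTOM_ATTRIBUTES
    if extra:
        problems.append("unapproved custom attributes: " + ", ".join(sorted(extra)))
    return problems


NOW = 1_700_000_000  # constructed reference time (Unix seconds)
GOOD_TOKEN = {  # constructed: two-minute lifetime, single audience, minimal attributes
    "iss": EXPECTED_ISSUER, "sub": "005xx000001Sv6A", "aud": EXPECTED_AUDIENCE,
    "iat": NOW - 30, "exp": NOW + 90, "custom_attributes": {"department": "finance"},
}
STALE_TOKEN = {  # constructed: 24-hour lifetime, shared audience, extra attribute
    "iss": EXPECTED_ISSUER, "sub": "005xx000001Sv6A", "aud": [EXPECTED_AUDIENCE, "partner-portal"],
    "iat": NOW - 3600, "exp": NOW + 82800,
    "custom_attributes": {"department": "finance", "salary_band": "L7"},
}

if __name__ == "__main__":
    for name, token in (("compliant", GOOD_TOKEN), ("stale", STALE_TOKEN)):
        print(name, check_id_token_claims(token, NOW) or "ok")
```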

          Security Health Review Guidance

          Security Health Review identifies the use of short-lived, claim-restricted ID tokens as a strongly recommended standard to minimize the window of opportunity for credential misuse and to prevent the exposure of persistent user metadata.

          Salesforce Help | Article