          API (Enable OAuth Settings): Require Secret for Refresh Token Flow Control

          Control Name

          Connected App: API (Enable OAuth Settings): Require Secret for Refresh Token Flow

          Recommended Configuration

          Require Secret for Refresh Token Flow.

          Control Overview

          This control requires a confidential client (an application that can keep a secret, such as a server-side integration) to present its client secret, in addition to the refresh token, when it calls the token endpoint with grant_type=refresh_token to obtain a new access token. The refresh token proves that the user once authorized the app; the client secret proves that the caller is the registered application and not simply whoever currently holds the token.

          Security Risk If Not Configured

          An attacker who steals a refresh token can exchange it for new access tokens for as long as the token remains valid, without knowing the application's client secret. Possession of the token alone then stands in for the application's authentication, removing one of the two factors the refresh flow is meant to check.

          Threat Scenarios

          An attacker extracts a refresh token from a compromised mobile device or log file and uses it from a separate, unauthorized server to maintain persistent, "headless" access to the user's Salesforce data.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          The failure to require a secret enables long-term, undetected persistence within the environment, significantly extending the duration of a data breach beyond the life of the initial session.

          Higher Risk When

          Refresh tokens never expire (the connected app's refresh token policy is set to remain valid until revoked), or the connected app runs as a high-privilege integration user that can access sensitive PII or system metadata.

          Low Risk When

          Refresh Token Rotation is enabled. Rotation makes each refresh token single-use: the token is invalidated as soon as it is exchanged and a new one is issued to the caller. A stolen copy therefore fails if the legitimate app has already refreshed, and if the attacker refreshes first, the legitimate app's next refresh fails, which exposes the theft. Rotation limits how long a stolen token is useful; requiring the secret stops the stolen token from being useful at all, so the two controls complement each other rather than substitute for one another.
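The token-endpoint behaviour described in the Control Overview, the Threat Scenarios and the Low Risk When sections above, as an added example that is not part of this article or of Salesforce's code: a minimal model of an OAuth 2.0 token endpoint serving the refresh_token grant (RFC 6749 section 6), with the "require secret" control and refresh token rotation as switches. It replays a stolen refresh token under each combination and counts what the attacker and the legitimate app get back. The connected app, client ID, secret and tokens are constructed; the form parameter names are the standard ones and the endpoint path is Salesforce's.

```python
"""Added example: a minimal model of an OAuth 2.0 token endpoint serving the
refresh_token grant (RFC 6749 section 6), used to show what changes when a
connected app requires the client secret for refreshes and/or rotates refresh
tokens. Illustrative only, not Salesforce's implementation; every client ID,
secret and token here is constructed."""

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "/services/oauth2/token"  # Salesforce's OAuth 2.0 token endpoint path


@dataclass
class ConnectedApp:
    client_id: str
    client_secret: str
    require_secret_for_refresh: bool = False  # the control this page describes
    rotate_refresh_tokens: bool = False       # the "Low Risk When" mitigation


@dataclass
class TokenServer:
    apps: dict
    # live refresh tokens -> client_id each one was issued to
    refresh_tokens: dict = field(default_factory=dict)

    def issue_refresh_token(self, client_id: str) -> str:
        token = "rt_" + secrets.token_urlsafe(16)
        self.refresh_tokens[token] = client_id
        return token

    def refresh(self, form: dict) -> dict:
        """Handle a POST to the token endpoint with grant_type=refresh_token."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        app = self.apps.get(form.get("client_id", ""))
        token = form.get("refresh_token", "")
        if app is None or self.refresh_tokens.get(token) != app.client_id:
            return {"error": "invalid_grant"}
        if app.require_secret_for_refresh:
            # Authenticate the client itself, not just the bearer of the token.
            presented = form.get("client_secret", "").encode()
            if not hmac.compare_digest(presented, app.client_secret.encode()):
                return {"error": "invalid_client"}
        if app.rotate_refresh_tokens:
            del self.refresh_tokens[token]  # single use: the old token is now dead
            token = self.issue_refresh_token(app.client_id)
        return {"access_token": "at_" + secrets.token_urlsafe(16), "refresh_token": token}


def build_refresh_form(client_id: str, refresh_token: str,
                       client_secret: Optional[str]) -> dict:
    """Form parameters a client posts to the token endpoint; client_secret is optional."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return form


def wire_body(form: dict) -> str:
    """application/x-www-form-urlencoded body as it appears on the wire (or in a log)."""
    return urlencode(form)


def replay_scenario(require_secret: bool, rotate: bool, legit_first: bool = True,
                    attempts: int = 3) -> tuple:
    """A refresh token is issued to the legitimate app. The attacker holds a copy of it
    and of the public client_id (from a device or a log) but not the client_secret.
    Returns (access tokens the attacker obtained, access tokens the legitimate app obtained)."""
    app = ConnectedApp("3MVG9.constructed_client_id", "constructed-client-secret",
                       require_secret, rotate)
    server = TokenServer({app.client_id: app})
    stolen = server.issue_refresh_token(app.client_id)
    legit_wins = 0

    def legit_refresh() -> None:
        nonlocal legit_wins
        resp = server.refresh(build_refresh_form(app.client_id, stolen, app.client_secret))
        legit_wins += "access_token" in resp

    if legit_first:
        legit_refresh()
    attacker_wins = sum(
        "access_token" in server.refresh(build_refresh_form(app.client_id, stolen, None))
        for _ in range(attempts))
    if not legit_first:
        legit_refresh()
    return attacker_wins, legit_wins


if __name__ == "__main__":
    print("no controls:                  ", replay_scenario(False, False))
    print("require secret:               ", replay_scenario(True, False))
    print("rotation, legit refreshed 1st:", replay_scenario(False, True))
    print("rotation, attacker first:     ", replay_scenario(False, True, legit_first=False))
```

With neither control the attacker converts the stolen token into an access token on every attempt; with the secret required the attacker gets nothing. Rotation alone yields nothing if the legitimate app refreshed first, but if the attacker refreshes first it gets one access token and the legitimate app is locked out, which is the detection signal rotation provides. Note that `wire_body` shows why the refresh token is so often harvested: it travels in the form body alongside the public client_id, and request logs that capture bodies capture both.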

          Business and Integration Considerations

          Enforcing this requirement may break legacy integrations or mobile apps that were not designed to store or transmit a client secret during the background refresh process. Before enabling it, inventory the integrations that use the connected app and confirm that each is a confidential client able to keep the secret server-side; a secret embedded in a mobile or single-page app is not secret and does not achieve the control's purpose, so such apps need a separate connected app or a different token strategy.

          Recommended Remediation

          Go to the OAuth Settings of the Connected App, select the checkbox for "Require Secret for Refresh Token Flow," and save. Afterwards, test the refresh flow of each dependent integration to confirm it still obtains new access tokens.

          Security Health Review Guidance

          Security Health Review identifies this control as a vital defense against session persistence, so that a stolen token alone is insufficient to maintain a permanent backdoor into the org.
