          API (Enable OAuth Settings): Secure Token Exchange Flow Control

          This control determines whether a client application must provide a secret when exchanging a third-party token for a Salesforce access token.

          Control Name

          Connected Apps: API (Enable OAuth Settings): Secure Token Exchange Flow

          Recommended Configuration

          Enable the Token Exchange Flow and leave "Require Secret for Token Exchange Flow" deselected, so that a secret is not required.

          Control Overview

          This control determines whether a client application must provide a secret when exchanging a third-party token (like an ID token from an external identity provider) for a Salesforce access token, specifically allowing public clients to bypass this requirement when they cannot securely store credentials.

          Security Risk If Not Configured

          If a secret is incorrectly required for public clients, developers are forced to hard-code sensitive credentials into front-end code, where they can be harvested. Conversely, failing to require a secret for private (confidential) clients allows unauthorized servers to perform exchanges without proving their identity.

          Threat Scenarios

          An attacker extracts a hard-coded client secret from a public mobile app's binary or intercepts an external identity token and successfully "trades" it for a Salesforce session because the endpoint did not require a backend secret to validate the request.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Misconfiguring this setting leads to either the systemic exposure of client credentials or the enablement of "token-jumping," where compromised external identities are easily converted into persistent Salesforce access.

          Higher Risk When

          The Token Exchange Handler is configured with broad "Auto-Provisioning" logic that creates new users with extensive permissions based solely on the incoming untrusted token.

          Low Risk When

          Public clients use PKCE (Proof Key for Code Exchange) as a secondary validation layer and when Token Exchange Handlers strictly validate the "Issuer" and "Audience" claims of the incoming token.
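          The following is an added example, not Salesforce's code or its Token Exchange Handler API: it models, in plain Python, the policy described above for a token-exchange endpoint, requiring the secret only from confidential clients, relying on PKCE for public clients, and strictly checking the "iss" and "aud" claims of the incoming token. The client registry, issuer and audience values are constructed placeholders, and the subject token's signature is assumed to have been verified upstream.

```python
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed client registry (placeholder ids, not real Salesforce values).
CLIENTS = {
    "mobile-app": {"type": "public", "secret": None},
    "backend-svc": {"type": "confidential", "secret": "example-secret"},
}
# Constructed trust settings for the incoming subject token.
TRUSTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "https://login.example.com"

@dataclass
class ExchangeRequest:
    client_id: str
    client_secret: Optional[str]
    subject_token: dict       # claims, assumed signature-verified upstream
    pkce_ok: bool = False     # outcome of the PKCE code_verifier check

def evaluate(req: ExchangeRequest) -> tuple:
    """Return (allowed, reason) for one token-exchange request."""
    client = CLIENTS.get(req.client_id)
    if client is None:
        return False, "unknown_client"
    if client["type"] == "confidential":
        # Private clients must prove their identity with the registered secret.
        if req.client_secret is None or not hmac.compare_digest(
                req.client_secret, client["secret"]):
            return False, "invalid_client"
    elif not req.pkce_ok:
        # Public clients hold no secret; PKCE is the secondary validation layer.
        return False, "pkce_required"
    claims = req.subject_token
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted_issuer"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience_mismatch"
    return True, "ok"

GOOD = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-1"}
SAMPLES = {  # constructed requests, one per decision branch
    "public_pkce": ExchangeRequest("mobile-app", None, GOOD, pkce_ok=True),
    "public_no_pkce": ExchangeRequest("mobile-app", None, GOOD),
    "confidential_no_secret": ExchangeRequest("backend-svc", None, GOOD),
    "confidential_ok": ExchangeRequest("backend-svc", "example-secret", GOOD),
    "wrong_issuer": ExchangeRequest("mobile-app", None, {**GOOD, "iss": "https://other-idp.example"}, pkce_ok=True),
    "wrong_audience": ExchangeRequest("mobile-app", None, {**GOOD, "aud": "https://other-app.example"}, pkce_ok=True),
}
```

Running `evaluate` over each entry in SAMPLES shows that only the public client with a valid PKCE check and the confidential client with its secret are allowed; every other request is rejected with the reason that names the failed control.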

          Business and Integration Considerations

          Implementing this requires a clear inventory of which "Subject" and "Actor" tokens are being exchanged to make sure that the security policy aligns with the technical limitations of the calling environment (browser vs. server).

          Recommended Remediation

          Deselect "Require Secret for Token Exchange Flow" to prevent secret leakage.

          Security Health Review Guidance

          Security Health Review identifies this as a critical "Identity Bridging" control, emphasizing that the security of a token exchange is only as strong as the verification of the client requesting the trade.

          Salesforce Help | Article