          Configure OAuth Policies: Configure Client Credential Flow Policies Control

          Control Name

          External Client Apps: Configure OAuth Policies: Configure Client Credential Flow Policies

          Recommended Configuration

          Configure Client Credential Flow Policies.

          Control Overview

          This security posture discourages the use of the Client Credentials flow in favor of more secure, user-context-based authentication methods to make sure that all data access is tied to a specific identifiable individual. The Client Credentials flow manages the ability of External Client Apps to authenticate and obtain access tokens using a Client ID and secret without human intervention.

          Security Risk If Not Configured

          Using this flow creates a high risk of data abuse because it bypasses user-level authorization, allowing backend service accounts to operate with persistent, autonomous access to the entire organizational dataset.

          Threat Scenarios

          A compromised external server uses its stored client credentials to programmatically exfiltrate massive volumes of records or modify critical system configurations without any interactive login or multi-factor authentication challenge.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          The use of over-privileged service identities results in a lack of individual accountability and can lead to a full-scale data breach if the static credentials associated with the external client app are intercepted or leaked.

          Higher Risk When

          The client credential flow is mapped to an execution user with broad administrative permissions or when the integration lacks IP address restrictions and request rate limiting.

          Low Risk When

          The client credentials flow is replaced with a JWT bearer flow that uses a unique digital certificate, or the service account is restricted to a narrowly scoped permission set and specific network ranges.

          Business and Integration Considerations

          While this flow is easier to implement for automated server-to-server processes, it requires a rigorous internal governance process to manage the lifecycle of the service account and its associated permissions.

          Recommended Remediation

          Evaluate the integration architecture to transition from the client credentials flow to a more secure method like the JWT Bearer flow and make sure that any remaining service accounts are assigned to a dedicated execution user with the absolute minimum-required access.
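          To make the remediation concrete, here is an added example (not Salesforce's own code) that builds the token request bodies for the two flows the control compares: the client credentials flow, where a static client secret is the entire credential, and the JWT bearer flow, where a short-lived assertion names the execution user (sub) and is signed with the app's certificate key. The consumer key, username and the `signer` callable are assumptions; `signer` stands in for an RS256 signature with the certificate's private key.

```python
"""Request bodies for the Salesforce client credentials flow versus the JWT bearer flow.
Example code added for illustration; all sample values are constructed."""
import base64
import json
import time
from typing import Callable, Optional
from urllib.parse import urlencode

TOKEN_PATH = "/services/oauth2/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(raw: bytes) -> str:
    # JWT segments use base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def client_credentials_body(client_id: str, client_secret: str) -> str:
    # The risk the control describes: a long-lived static secret is the whole credential,
    # and nothing in the request ties the token to an identifiable person.
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


def jwt_bearer_assertion(consumer_key: str, username: str, login_host: str,
                         signer: Callable[[bytes], bytes],
                         now: Optional[int] = None, lifetime_s: int = 120) -> str:
    # iss = the app's consumer key, sub = the execution user the token is issued for,
    # aud = the login host, exp = a short expiry so a captured assertion is useless soon.
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": consumer_key, "sub": username,
              "aud": f"https://{login_host}", "exp": now + lifetime_s}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    # signer is assumed to return an RS256 signature made with the certificate's private key.
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def jwt_bearer_body(assertion: str) -> str:
    # The assertion replaces the static secret in the POST to TOKEN_PATH.
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def decode_claims(assertion: str) -> dict:
    # Read the claims back (e.g. when reviewing which execution user an integration
    # requests); this does not verify the signature.
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

A review of the decoded `sub` and `exp` claims is a quick way to confirm an integration is bound to a dedicated, least-privilege execution user rather than an administrator.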

          Security Health Review Guidance

          Security Health Review identifies these policies as strongly recommended depending on the integration use case: avoiding or strictly hardening these automated processes helps ensure that backend systems operate with a restricted identity, which prevents large-scale data abuse.
