Configure OAuth Policies: Custom Attribute Security Control

Control Name

External Client Apps: Configure OAuth Policies: Custom Attribute Security

Recommended Configuration

Configure a Custom Attribute for External Client Apps.

Control Overview

This security setting lets Salesforce admins define and restrict the specific user-level metadata and company claims that are injected into the cryptographically signed OAuth ID token.

Security Risk If Not Configured

Without explicitly defined custom attributes and associated security policies, third-party integrations can perform unauthorized harvesting of organizational metadata by extracting sensitive information from default or overly permissive token payloads.

Threat Scenarios

A malicious or poorly governed third-party application programmatically scrapes internal company structures, department hierarchies, or custom user fields included in the ID token to build a detailed map of the internal corporate environment.

Estimated CVSS Score Range

High (7.0–8.9).

Risk Impact Considerations

The unauthorized collection of metadata facilitates targeted social engineering attacks and shadow profiling of the workforce, potentially exposing internal business logic and administrative relationships to external entities.

Higher Risk When

The integration is granted broad data access permissions, or the ID token includes high-entropy identifiers that can be correlated across multiple external data sets.

Low Risk When
The company enforces a strict allowlist for ID token claims and uses a hardened token exchange handler to sanitize all outbound identity assertions.

Business and Integration Considerations

Implementing restricted custom attributes makes sure that external partners only receive the minimum data required for functional authorization while maintaining compliance with corporate data residency and privacy standards.

Recommended Remediation

Go to the OAuth Policies of the External Client App to define a limited set of custom attributes and make sure that only necessary organizational metadata is exposed in the ID token.
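The following is an added example, not Salesforce code and not part of this article, showing the two sides of the posture described under Low Risk When and the check that goes with the remediation above: an allowlist of ID token claims, an outbound sanitizer that drops everything not on it, and an inspection routine you can run over the ID token an integration actually receives to confirm that only the intended organizational metadata is present. The allowlist contents, the sample payload, the nested custom_attributes object and every value in it are constructed for the demo and are not taken from this page; the decode step parses the token for inspection only and leaves signature verification to the OIDC client library.

```python
import base64
import json

# Constructed allowlist for one integration: the claims it actually needs in
# order to authorize a user. Anything outside this set is treated as
# over-exposure of organizational metadata.
ALLOWED_CLAIMS = frozenset({
    "iss", "sub", "aud", "exp", "iat", "nonce",  # structural OIDC claims
    "email",                                      # the one user attribute this app uses
    "custom_attributes.region",                   # the one custom attribute it is permitted
})

# Constructed, over-permissive sample payload of the kind the article warns
# about. No value here comes from a real org or from Salesforce documentation;
# the nested "custom_attributes" layout is an assumption made for the demo.
SAMPLE_PAYLOAD = {
    "iss": "https://login.example.test",
    "sub": "user-0001",
    "aud": "partner-app",
    "exp": 1700003600,
    "iat": 1700000000,
    "nonce": "n-1",
    "email": "alice@example.test",
    "custom_attributes": {
        "region": "EMEA",
        "department": "Treasury",
        "manager_id": "user-0042",
        "cost_center": "CC-7781",
    },
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_sample_token(payload: dict) -> str:
    """Assemble a compact JWT with a placeholder signature, purely so the demo
    has something token-shaped to inspect. It is not verifiable."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_id_token_payload(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT for inspection.

    Signature verification is intentionally not reproduced here; in the real
    flow the OIDC client library verifies the token before any claim is used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def flatten_claims(payload: dict, prefix: str = "") -> dict:
    """Flatten nested claim objects into dotted names, e.g.
    custom_attributes.department. Assumes claim names contain no '.'."""
    flat = {}
    for name, value in payload.items():
        key = f"{prefix}{name}"
        if isinstance(value, dict):
            flat.update(flatten_claims(value, key + "."))
        else:
            flat[key] = value
    return flat


def excess_claims(payload: dict, allowed: frozenset = ALLOWED_CLAIMS) -> list:
    """Inspection: names of claims present in the token that the allowlist
    does not permit. An empty list means the token matches the need-to-know
    set for this integration."""
    return sorted(name for name in flatten_claims(payload) if name not in allowed)


def sanitize_claims(payload: dict, allowed: frozenset = ALLOWED_CLAIMS) -> dict:
    """Outbound filter for a token exchange handler: keep only allowlisted
    claims and rebuild the nested objects for the ones that survive."""
    result = {}
    for name, value in flatten_claims(payload).items():
        if name not in allowed:
            continue
        node = result
        *path, leaf = name.split(".")
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return result


if __name__ == "__main__":
    claims = decode_id_token_payload(build_sample_token(SAMPLE_PAYLOAD))
    print("over-exposed claims:", excess_claims(claims))
    print("sanitized payload:", json.dumps(sanitize_claims(claims), indent=2))
```

Run against a real token, `excess_claims` is the audit step: capture the ID token your integration receives after the custom attributes have been restricted, decode it, and expect an empty list; any name it returns is metadata still reaching the partner that the allowlist says it should not. `sanitize_claims` is the defensive counterpart on the issuing side, enforcing the same allowlist on every outbound assertion so that a claim added later by a configuration change cannot leak without the allowlist being updated deliberately.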

Security Health Review Guidance

Security Health Review identifies the granular control of identity claims as a strongly recommended defense against metadata harvesting, so that third-party integrations operate under a strict need-to-know model for all company data.