Configure the External Client App OAuth Settings: Configure ID Token Control
Control Name
External Client Apps: Configure the External Client App OAuth Settings: Configure ID Token
Recommended Configuration
Configure ID Token: Token duration in minutes (2) | ID Token Audiences | Include Standard Claims | Include Custom Permissions | Custom Attributes.
Control Overview
This control defines the security parameters for identity tokens, including their lifespan, authorized recipients, and the specific user attributes or permissions included in the data payload.
Security Risk If Not Configured
Without a short token lifetime and an explicitly defined audience, an ID token remains valid far longer than the authentication exchange it was issued for, and a token leaked from one integration can be replayed to another relying party that does not check whether it was the intended recipient. Because the ID token asserts who the user is, an application that accepts it without an audience check effectively lets a token issued to a different app authenticate the user and reach protected resources.
Threat Scenarios
An attacker obtains a long-lived ID token (intercepted over an insecure network path or taken from a compromised client or log) and replays it to impersonate the user across multiple integrated systems that accept the token without verifying that they are its intended audience.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Failing to constrain token attributes and duration allows for persistent unauthorized access and the unintended exposure of internal user permissions and custom profile data to external service providers.
Higher Risk When
Tokens are used to facilitate single sign-on for applications that handle sensitive data or when the tokens contain broad administrative custom permissions.
Low Risk When
The external application performs its own rigorous validation of the token's signature, expiration timestamp, issuer, and audience regardless of the Salesforce configuration. This mitigates replay and excessive-lifetime risk but does not reduce the exposure of any claims, custom permissions, or custom attributes that the token already carries.
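The relying-party checks described above, as an added example that is not part of this page or of Salesforce's code. It builds a signed ID token with a two-minute lifetime and a single audience, then shows that the same token is accepted by the intended app, rejected when replayed to a second app, rejected once it has expired, and rejected when its payload is altered; it also lists claims the token carries beyond the minimum an authentication-only relying party needs. A real provider such as Salesforce signs ID tokens with an RSA key (RS256) that the relying party verifies against the provider's published keys; HS256 with a shared secret stands in here so the example runs on the standard library alone. The issuer URL, audience names, subject, and claim names are hypothetical.

```python
"""Relying-party validation of an OIDC ID token: signature, expiry, audience, issuer.

Constructed example, not Salesforce code. HS256 with a shared secret stands in for
the provider's RS256 signature so this runs offline on the standard library.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for the example.
ISSUER = "https://login.example.com"
SIGNING_KEY = b"stand-in-for-the-providers-signing-key"
# Claims an authentication-only relying party actually needs; anything else is over-sharing.
REQUIRED_CLAIMS = {"iss", "sub", "aud", "exp", "iat"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issuer side (simulated): HS256-sign the claim set as a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_aud: str, now=None,
                      key: bytes = SIGNING_KEY, max_skew: int = 60):
    """Return (ok, reason, claims). Every check must pass before claims are trusted."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        return False, "malformed", None
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must not get to choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer", None
    # aud may be a string or a list; this application must be named in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "audience mismatch", None
    if "exp" not in claims or now > claims["exp"] + max_skew:
        return False, "expired", None
    if "iat" in claims and claims["iat"] > now + max_skew:
        return False, "issued in the future", None
    return True, "ok", claims


def oversharing_claims(claims: dict) -> set:
    """Claims present beyond what this relying party needs (least-information check)."""
    return set(claims) - REQUIRED_CLAIMS


def demo() -> dict:
    """Walk one token through the accept / replay / expiry / tamper cases."""
    issued = 1_700_000_000  # fixed clock so the outcome is deterministic
    claims = {"iss": ISSUER, "sub": "user-123", "aud": "app-a",
              "iat": issued, "exp": issued + 120,          # two-minute lifetime
              "custom_permissions": ["ManageBilling"]}     # an over-shared attribute
    token = mint_id_token(claims)
    # Forged payload (different subject) stapled to the original signature.
    h_b64, _, s_b64 = token.split(".")
    forged_payload = _b64url(json.dumps(dict(claims, sub="admin")).encode())
    forged = f"{h_b64}.{forged_payload}.{s_b64}"
    return {
        "app_a_fresh": validate_id_token(token, "app-a", now=issued + 60)[1],
        "app_b_replay": validate_id_token(token, "app-b", now=issued + 60)[1],
        "app_a_late": validate_id_token(token, "app-a", now=issued + 300)[1],
        "tampered": validate_id_token(forged, "app-a", now=issued + 60)[1],
        "extra_claims": sorted(oversharing_claims(claims)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The audience check is what makes the Salesforce ID Token Audiences setting effective: the provider can restrict the audience list, but only a relying party that refuses tokens not naming it actually stops the cross-application replay described in the threat scenario. The `oversharing_claims` check is the relying-party side of the "minimum necessary claims" recommendation; if it returns anything, the token is carrying data the application has no reason to receive.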
Business and Integration Considerations
Setting a very short token duration (for example, two minutes) requires the external application to have robust, automated logic for refreshing identity data, so that user sessions are not interrupted when the token expires.
Recommended Remediation
Go to the OAuth settings of your External Client App, set the ID token duration to two minutes, list the authorized audiences, and select only the standard claims, custom permissions, and custom attributes the external application actually needs.
Security Health Review Guidance
Security Health Review treats precise ID token configuration as a mandatory standard, so that user identity data is ephemeral, targeted to specific recipients, and limited to the least information required for authentication.

