Review External Client Apps
Learn about external client apps.
- External Client App Settings: Metadata Secrets Protection Control
  This security setting prevents the sensitive plaintext consumer secrets used for OAuth authentication from being retrieved or exported through the Salesforce Metadata API.
- External Client App Settings: REST API Secret Masking Control
  This security setting blocks the ability to query or retrieve sensitive plaintext OAuth consumer secrets through programmatic REST API calls.
- Configure the External Client App OAuth Settings: OAuth Scope Least Privilege Control
  ECAs allow for highly granular OAuth scopes, which control permissions for the ECA.
- Configure the External Client App OAuth Settings: Configure ID Token Control
  This control defines the security parameters for identity tokens, including their lifespan, authorized recipients, and the specific user attributes or permissions included in the data payload.
- OAuth Flow Enablement: Disable Client Credentials Flow Control
  This security setting deactivates the OAuth 2.0 grant type that lets an application authenticate and access data using only its own credentials without any user intervention or presence.
- OAuth Flow Enablement: Enable Authorization Code and Credentials Flow Control
  This security setting activates a modern OAuth 2.0 extension that lets an application securely exchange a temporary authorization code for access tokens while maintaining a strict link to the application's unique credentials.
- OAuth Flow Enablement: Enable JWT Bearer Flow Control
  This security setting activates a certificate-based OAuth 2.0 flow that lets an application authenticate by signing a JSON Web Token (JWT) with a private key instead of using a static shared secret.
- Security: Require Secret for Web Server Flow Control
  This security setting mandates that the web server or application must provide a unique client secret to Salesforce to complete the exchange of an authorization code for an access token.
- Security: Require Secret for Refresh Token Flow Control
  This security setting mandates that an application must provide a valid client secret alongside a refresh token to obtain a new, active access token from the Salesforce authorization server.
- Security: Require Proof Key for Code Exchange (PKCE) Control
  This security setting mandates a cryptographic handshake across all compatible OAuth 2.
- Security: Enable Refresh Token Rotation Control
  This security setting invalidates and replaces each refresh token with a new, single-use token whenever a client uses it to obtain a new access token.
- Security: Issue JSON Web Token (JWT)-based Access Tokens for Named Users Control
  This security setting transitions the Salesforce authorization server from issuing opaque, reference-based access tokens to issuing self-contained, cryptographically signed JSON Web Tokens.
- Web App: SAML Policy Strengthening, Single Logout, Signature Verification, and Encrypting Response
  This suite of security policies terminates SAML-based sessions globally upon logout and ensures that all incoming authentication requests are cryptographically verified for authenticity.
- External Client Apps: Mobile App Settings: Mobile Screen Lock Control
  The control enforces a mandatory authentication mechanism, such as a PIN, password, or biometric factor, that must be successfully validated before a user can access the mobile application or the device environment.
- Push Notification Settings and Policies for Mobile: Mobile Push Security Control
  The control establishes a secure architecture for transmitting out-of-band alerts to mobile devices by governing the content, encryption, and delivery protocols used by notification services.
- Notification Settings: External Client App’s Notification Settings Control
  The control facilitates the configuration of mobile push notifications to alert users of specific Salesforce events.
- Configure OAuth Policies: Custom Attribute Security Control
  This security setting lets Salesforce admins define and restrict the specific user-level metadata and company claims that are injected into the cryptographically signed OAuth ID token.
- Configure OAuth Policies: Configure Client Credential Flow Policies Control
  This security posture discourages the use of the Client Credentials flow in favor of more secure, user-context-based authentication methods.
- Configure OAuth Policies: OAuth 2.0 Code and Credential Flow Policies for External Client Apps Control
  This security setting defines the specific operational parameters and authorization constraints for both interactive authorization code exchanges and automated machine-to-machine client credential flows.
- Configure OAuth Policies: Stage, Rotate, and Delete OAuth Credentials for an External Client App Control
  This security process uses the Salesforce REST API to programmatically generate, rotate, and retire consumer secrets and consumer keys for External Client Apps without exposing them in the administrative user interface.
- Configure OAuth Policies: Manage External Client App OAuth Credentials with AWS Secrets Manager Control
  This security integration enables Salesforce to automatically synchronize and store External Client App OAuth consumer secrets directly within a centralized AWS Secrets Manager vault.
- Configure OAuth Policies: Manage External Client App OAuth Usage Control
  This security setting provides Salesforce admins with a centralized interface to monitor, install, and block individual External Client App instances to regulate which third-party integrations can actively access organizational data.
- Configure OAuth Policies: Manage the Start URL for External Client Apps Control
  This security setting lets Salesforce admins define and validate the specific landing page URL where users are directed after completing the OAuth authorization process for an External Client App.
- Configure OAuth Policies: Configure Custom Scopes for External Client Apps Control
  This security setting enables Salesforce admins to define specific, limited access permissions that allow external applications to interact only with designated protected resources.
- Configure OAuth Policies: Specify Profiles/Perm Sets for Access to External Client Apps Control
  These security settings restrict application access and App Launcher visibility to a specific subset of users by requiring explicit administrative pre-authorization through assigned profiles and permission sets.
- External Client Apps Creation with Metadata API: Restrict External Client App Creation Using Metadata API Control
  This security setting restricts the ability to define and deploy External Client App metadata through the Metadata API to only authorized developers and administrators.

