          Manage OAuth Access Policies for a Connected App: IP Relaxation Control

          Control Name

          Manage OAuth Access Policies for Connected Apps – IP Relaxation

          Recommended Configuration

          Select “Enforce IP Restrictions”.

          Control Overview

          This control determines whether OAuth access tokens issued to a Connected App are restricted to trusted IP ranges. Enforcing IP restrictions adds a network-based security layer that limits token usage to approved locations.

          Security Risk If Not Configured

          If IP restrictions are not enforced, OAuth tokens may be used from any network location. A compromised token could be replayed from untrusted networks, increasing the risk of unauthorized API access and data exposure.

          Threat Scenarios

          • Token replay from external networks.
          • Abuse of long-lived OAuth tokens.
          • Unauthorized access through compromised integrations.

          Estimated CVSS Score Range

          Medium to High (6.0–8.5).

          Risk Impact Considerations

          Risk severity depends on Connected App permissions, token lifetime, integration exposure, and whether the integration is internet-facing or internally restricted.

          Higher Risk When

          • Connected Apps have broad or privileged permissions.
          • Tokens are long-lived.
          • Integrations operate over the public internet without additional safeguards.

          Low Risk When

          This control can be considered low risk when one or more compensating controls are implemented, including:

          • Digital Certificate Enforcement: Connected App requires a client certificate, preventing use of a stolen token without access to the private key.
          • Short-Lived and Rotating Tokens: Refresh tokens are short-lived and rotated frequently, limiting the window of opportunity for misuse.
          • High Assurance Connected App Policies: Multi-factor authentication (MFA) is required before issuing OAuth tokens to users.
          • Private Connectivity: Traffic is routed through Private Connect or private link, avoiding exposure over the public internet.

          Business and Integration Considerations

          Customers should validate integration IP ranges and coordinate with third-party vendors to avoid service disruption when enforcing IP restrictions.

          Recommended Remediation

          Enforce IP restrictions where feasible, apply least-privilege permissions to Connected Apps, implement compensating controls when IP enforcement is not possible, and monitor Connected App activity through logging and security monitoring.
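          Worked example (added here; this is not Salesforce code or a Salesforce API). The Python script below applies the decision this control enforces (a token is honoured only when presented from a trusted IP range) to a constructed set of Connected App access events, rates any use from outside those ranges by the risk factors above (privileged app, long-lived token), and lists the per-app source addresses an administrator would need to validate with the integration owner before turning enforcement on. The trusted ranges, event fields, app names and the 24-hour "long-lived" threshold are assumptions standing in for an org's Login IP Ranges and its API access records.

```python
"""Check Connected App OAuth token usage against trusted IP ranges.

Added example, not Salesforce code. The event layout and all values
below are constructed; they are not a Salesforce log schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed trusted ranges, standing in for an org's Login IP Ranges.
TRUSTED_RANGES = [
    ip_network(r) for r in ("203.0.113.0/24", "198.51.100.0/25", "10.0.0.0/8")
]

# Assumed threshold: a token older than this counts as long-lived.
LONG_LIVED_HOURS = 24.0


@dataclass(frozen=True)
class AccessEvent:
    app: str                 # Connected App name (constructed)
    source_ip: str           # client address that presented the OAuth token
    privileged: bool         # app holds broad or admin-level scopes
    token_age_hours: float   # time since the access token was issued


# Constructed sample events: one privileged app used from an untrusted
# network with an old token, one low-privilege app used from outside the
# ranges with a fresh token, two uses from trusted ranges.
SAMPLE_EVENTS = [
    AccessEvent("Payroll Sync", "203.0.113.42", privileged=True, token_age_hours=0.5),
    AccessEvent("Payroll Sync", "192.0.2.77", privileged=True, token_age_hours=36.0),
    AccessEvent("Marketing Widget", "192.0.2.10", privileged=False, token_age_hours=2.0),
    AccessEvent("Ops Dashboard", "10.12.4.8", privileged=False, token_age_hours=1.0),
]


def is_trusted(ip: str, ranges=TRUSTED_RANGES) -> bool:
    """True when the address falls inside any trusted range."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def enforce(event: AccessEvent, ranges=TRUSTED_RANGES) -> bool:
    """The 'Enforce IP Restrictions' decision: honour the token only from trusted ranges."""
    return is_trusted(event.source_ip, ranges)


def rate_finding(event: AccessEvent, long_lived_hours: float = LONG_LIVED_HOURS) -> str:
    """Severity of a use from outside trusted ranges, following the page's risk factors."""
    long_lived = event.token_age_hours >= long_lived_hours
    if event.privileged and long_lived:
        return "high"
    if event.privileged or long_lived:
        return "medium"
    return "low"


def review(events, ranges=TRUSTED_RANGES):
    """Findings for token use outside trusted ranges: what relaxed enforcement lets through."""
    return [
        {"app": e.app, "source_ip": e.source_ip, "severity": rate_finding(e)}
        for e in events
        if not enforce(e, ranges)
    ]


def unexpected_sources(events, ranges=TRUSTED_RANGES):
    """Per-app sorted list of source addresses not covered by the trusted ranges.

    This is the pre-enforcement validation step: each address here must
    either be added to the ranges (after confirming it with the vendor)
    or be treated as unauthorized use.
    """
    seen = {}
    for e in events:
        if not is_trusted(e.source_ip, ranges):
            seen.setdefault(e.app, set()).add(e.source_ip)
    return {app: sorted(ips) for app, ips in seen.items()}


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(f"{finding['severity']:6} {finding['app']:16} from {finding['source_ip']}")
    print("addresses to validate before enforcing:", unexpected_sources(SAMPLE_EVENTS))
```

          Run against real exported access records, the output of unexpected_sources is the list to reconcile with integration owners before selecting "Enforce IP Restrictions"; anything that remains unexplained after that reconciliation is the token misuse the control is meant to block, and the severity from rate_finding orders the follow-up.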

          Security Health Review Guidance

          Security Health Review highlights this control to help customers assess OAuth access risks in context, accounting for both configuration gaps and existing compensating controls, and to guide prioritized remediation aligned with Salesforce security best practices.

          Salesforce Help | Article