OAuth and OpenID Connect Settings Control
Control Name
OAuth and OpenID Connect Settings
Recommended Configuration
Enforce secure OAuth settings and disable weak OAuth flows.
Control Overview
OAuth is primarily used to provide secure, delegated access to the platform's data for external applications—such as mobile apps, third-party integrations, or custom web portals—without requiring users to share their Salesforce credentials directly with those apps. Secure configuration of the OAuth settings and flows used by connected apps helps ensure that OAuth client secrets, authorization codes, and access and refresh tokens are protected.
Security Risk If Not Configured
An insecure OAuth setup in Salesforce creates a path by which stolen or over-privileged tokens let an attacker bypass standard login controls such as Multi-Factor Authentication (MFA) and password prompts: a valid bearer token is accepted by the API without the interactive checks that a user login would trigger.
Threat Scenarios
Compromised external app or supply chain compromise: the attacker targets a widely used third-party integration rather than Salesforce itself and harvests the OAuth tokens it holds. Because those tokens were "pre-authorized" by a Salesforce admin, the attacker can replay them to gain instant, high-privilege access to sensitive CRM data without ever needing a username, password, or Multi-Factor Factor Authentication (MFA) challenge.
Estimated CVSS Score Range
Critical (9.0–10.0) or High (7.0–8.9), depending on the OAuth setup.
Risk Impact Considerations
Risk severity depends on the settings and flow configured, API scope, and the OAuth client endpoint security.
Higher Risk When
This control is higher risk when one or more of the following apply to production, sandbox, or developer orgs:
- Session controls are not enforced for the connected app
- The API scope granted is Full Access
- No login IP allowlist is configured for the connected app
- Single Logout is not configured
Low Risk When
This control can be considered low risk when one or more of the following are implemented:
- Limited API Scope: The API scope of the integration user is restricted according to least privilege, so a stolen token can only reach the data the integration needs
- Periodic Token Refresh: Tokens are refreshed periodically, and the client secret is validated on every refresh so a leaked refresh token alone is not enough
- Login IP Allowlist: The IP addresses the connected app may log in from are restricted to a trusted network
- Require Proof Key for Code Exchange (PKCE): Only the exact client that started the login, and therefore holds the code verifier, can redeem the resulting authorization code
- Single Logout: All sessions are terminated when a user logs out
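As an added illustration of the PKCE item above (example code written for this page, not Salesforce's or any vendor's implementation), the following Python models the server-side check that makes an intercepted authorization code useless without the verifier. The verifier and S256 challenge construction follow RFC 7636; AuthorizationServer is a hypothetical in-memory stand-in for the authorization and token endpoints and is not the Salesforce implementation.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character random verifier (32 random bytes, base64url-encoded)."""
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory stand-in for an OAuth authorization/token endpoint.
    Not Salesforce's code; it models only the PKCE check."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        # Refuse the 'plain' method: it sends the verifier itself in the
        # authorization request, so anyone who sees the request can redeem the code.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Single use: pop so a replayed code fails even with the right verifier.
        stored_challenge = self._pending.pop(code, None)
        if stored_challenge is None:
            return None
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length bounds
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """Two constructed flows: an attacker holding only an intercepted code,
    and a legitimate client that then tries to replay its consumed code."""
    server = AuthorizationServer()

    # Flow 1: attacker saw the code (e.g. via a leaked redirect) but never had the verifier.
    v1 = make_code_verifier()
    code1 = server.authorize(make_code_challenge(v1))
    attacker = server.token(code1, make_code_verifier())

    # Flow 2: legitimate client redeems its own code, then the same code is replayed.
    v2 = make_code_verifier()
    code2 = server.authorize(make_code_challenge(v2))
    legitimate = server.token(code2, v2)
    replay = server.token(code2, v2)

    return {
        "attacker_got_token": attacker is not None,
        "legitimate_got_token": legitimate is not None,
        "replay_got_token": replay is not None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The verifier never leaves the client until the token request, so a code stolen from a redirect URI, a log, or a malicious app on the same device cannot be exchanged. In Salesforce this check is turned on per connected app with the "Require Proof Key for Code Exchange (PKCE)" option; the server rejects code exchanges that omit or fail the verifier check.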
Business and Integration Considerations
Customers should assess the OAuth settings compatibility with the external application, automation tools, and integrations.
Recommended Remediation
Enable secure OAuth flow for connected apps, restrict the connection to trusted networks, and limit the API scope.
Security Health Review Guidance
Security Health Review evaluates OAuth settings by inspecting the types of flows enabled, token rotation settings, Single Logout, API scope, and login IP allowlists, to help customers reduce credential-based attack risk and align with Salesforce-recommended security baselines and Zero Trust principles.

