          Security: Require Secret for Refresh Token Flow Control

          Control Name

          External Client Apps: Security: Require secret for Refresh Token Flow

          Recommended Configuration

          Require a secret for Refresh Token Flow.

          Control Overview

          This security setting mandates that an application must provide a valid client secret alongside a refresh token to obtain a new, active access token from the Salesforce authorization server.

          Security Risk If Not Configured

          Without a required secret, a compromised refresh token can be used by an unauthorized actor to generate an endless series of valid sessions without needing any secondary server-side authentication.

          Threat Scenarios

          An attacker extracts a long-lived refresh token from a local device or an application log and then programmatically mints new access tokens from their own infrastructure, because the token endpoint never verifies the application's private credential.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Permitting secret-less refresh cycles allows for persistent, undetected data exfiltration and unauthorized account access that remains active even after a user's initial login session has expired.

          Higher Risk When

          The application does not implement Refresh Token Rotation (RTR), or its refresh tokens have an indefinite lifespan; either condition turns a stolen token into a permanent backdoor.
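          The following added example (not Salesforce code) models the refresh-token grant handled by a token endpoint, to show how the Control Overview, the Threat Scenario and the RTR point above play out: with the secret not required, a copied refresh token alone yields a new access token; with it required, the same request is rejected unless the client secret is also presented. The client ids, secrets and tokens are constructed sample values.

```python
import hmac
import secrets


class TokenEndpoint:
    """Minimal model of an authorization server's refresh_token grant.

    require_secret mirrors the 'Require secret for Refresh Token Flow' control;
    rotate models Refresh Token Rotation (RTR). Constructed example, not Salesforce code.
    """

    def __init__(self, require_secret: bool, rotate: bool = False):
        self.require_secret = require_secret
        self.rotate = rotate
        # Constructed sample registration: client_id -> client_secret.
        self.client_secrets = {"example-client-id": "example-client-secret"}
        # Constructed sample token store: refresh_token -> (client_id, username).
        self.refresh_tokens = {
            "rt-issued-to-device": ("example-client-id", "integration@example.com")
        }

    def handle_refresh(self, params: dict) -> dict:
        """Handle one grant_type=refresh_token request and return the JSON-style response."""
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        record = self.refresh_tokens.get(params.get("refresh_token"))
        if record is None:
            return {"error": "invalid_grant"}
        client_id, username = record
        if params.get("client_id") != client_id:
            return {"error": "invalid_client"}
        if self.require_secret:
            # Constant-time comparison; a missing secret compares as the empty string.
            expected = self.client_secrets[client_id].encode()
            supplied = params.get("client_secret", "").encode()
            if not hmac.compare_digest(supplied, expected):
                return {"error": "invalid_client"}
        response = {
            "access_token": secrets.token_urlsafe(24),
            "token_type": "Bearer",
            "username": username,
        }
        if self.rotate:
            # RTR: retire the presented refresh token and issue a fresh one, so a
            # copied token stops working after the legitimate client's next refresh.
            del self.refresh_tokens[params["refresh_token"]]
            new_rt = secrets.token_urlsafe(32)
            self.refresh_tokens[new_rt] = (client_id, username)
            response["refresh_token"] = new_rt
        return response
```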

          Low Risk When

          The company enforces strict IP address restrictions for the integration user and uses short-lived refresh tokens that require frequent interactive re-authentication.

          Business and Integration Considerations

          Enabling this requirement ensures that secrets remain protected on the back-end server, but it prevents public clients such as mobile or single-page applications, which cannot hold a secret, from refreshing sessions directly without a secure proxy.

          Recommended Remediation

          Navigate to the OAuth settings of the External Client App and select the checkbox to require the client secret for the refresh token flow.

          Security Health Review Guidance

          Security Health Review identifies the mandatory use of a client secret for refresh operations as a critical defense-in-depth standard, so that stolen bearer tokens cannot be weaponized without the corresponding private application credential.
