Data Loader OAuth 2.0 Device Flow Removal

Julkaisupäivä: Apr 2, 2026

Kuvaus

Salesforce will remove support in the auto-installed Data Loader Connected App for the OAuth 2.0 Device Flow for authentication on September 2, 2025. There will be no exceptions or extensions to this removal. This change is part of Salesforce's commitment to making our products and services secure-by-default.

Currently, Data Loader allows users to authenticate using three mechanisms:

Password authentication
OAuth 2.0 Device Flow
OAuth 2.0 User-Agent Flow

After the removal, users will no longer be able to authenticate using OAuth 2.0 Device Flow.

Who does this change impact?

OAuth 2.0 Device Flow authentication was introduced in Data Loader v53.0.1. Users of Data Loader v53.0.1 or later will no longer be able to authenticate using OAuth 2.0 Device Flow.

What won't be impacted?

Use of password authentication or OAuth 2.0 User-Agent Flow is not impacted by this change. Users of these authentication methods don’t need to take any action.

Authentication via command line with encrypted passwords is not impacted.

Impact for users with SSO and MFA

Users that authenticate with SSO and MFA will need to upgrade to Data Loader v64.1.0 and use OAuth 2.0 Web Server Flow with PKCE.

If version 64.1.0 is not yet available and you cannot wait, you can upgrade to version 64.0.2 until 64.1.0 is available. To use 64.0.2 with SSO and MFA, you will need to configure a custom External Client Application as described here to enable use of the OAuth 2.0 Web Server Flow with PKCE.

Permissions clarification

Will users with "Use Any API Client" or "Approve Uninstalled Connected Apps" permissions be able to use device flow authentication in Data Loader?

No. Device Flow will be disabled for all users and all versions of Data Loader.

Logging into Data Loader before the change

When a user first performs an operation, such as inserting data, they are asked to log in using either OAuth or password authentication.

Login screen showing two options: "OAuth" button and "Standard Login" button, prompting the user to choose an authentication method when performing a Data Loader operation.

The OAuth flow used to log in depends on which of the two OAuth flows Data Loader is configured to use in Settings.

Data Loader Settings panel showing the "Enable OAuth login from browser" checkbox. When selected, OAuth 2.0 Device Flow is used; when deselected, OAuth 2.0 User-Agent Flow is used.

The Enable OAuth login from browser checkbox specifies which flow to use:

If it’s selected, the OAuth 2.0 Device Flow is used.
If it’s deselected, the OAuth 2.0 User-Agent Flow is used.

Note: In Data Loader v64.0.2, Enable OAuth login from browser doesn't work. Only OAuth 2.0 Device Flow and password authentication are available.

Ratkaisu

Users currently using OAuth 2.0 Device Flow must switch to a supported authentication method or upgrade Data Loader.

Logging into Data Loader after the change

Users currently logging into their org with Data Loader and using OAuth 2.0 Device Flow will be impacted. After the removal of OAuth 2.0 Device Flow, attempting to log in will fail with the errors listed below and users will remain on the login screen.

Based on the Data Loader version, users might encounter one of the following errors:

Error: Unable to complete browser based OAuth login. Contact your Salesforce admin.
We can’t authorize you because of an OAuth error. For more information, contact your Salesforce administrator.
OAUTH_APPROVAL_ERROR_GENERIC: An unexpected error has occurred during authentication. Please try again.
Error: Check your username and password+Security Token, entered in the form
Error: Check your username and password. If you still can’t log in, contact your Salesforce
OAuth Error. We can’t authorize you because of an OAuth error. For more information, contact your Salesforce administrator.
1800: There was a problem in setting up your remote access.

These users must update their authentication to either password authentication or OAuth 2.0 User-Agent Flow to be able to authenticate. Users of Data Loader v64.0.2 will only be able to use password authentication. Alternatively, users can install the new version of Data Loader.

Data Loader login screen showing the OAuth and Standard Login options. After the removal of OAuth 2.0 Device Flow, clicking OAuth with Device Flow configured will result in an authentication error.

Change to OAuth 2.0 User-Agent Flow

To configure Data Loader to use the OAuth 2.0 User-Agent Flow, uncheck the Enable OAuth login from browser checkbox in Settings.

Data Loader Settings panel with the "Enable OAuth login from browser" checkbox unchecked, configuring Data Loader to use OAuth 2.0 User-Agent Flow instead of Device Flow.

When logging in with the OAuth 2.0 User-Agent Flow, users enter their org username and password in the dialog.

OAuth 2.0 User-Agent Flow login dialog prompting the user to enter their Salesforce org username and password.

Change to use Password Authentication

Users who select password authentication on the Data Loader log in screen must enter their org username along with a password concatenated with a security token. Refer to this documentation on how to obtain the security token.

Data Loader password authentication login screen prompting the user to enter their org username and password concatenated with a security token.

Install new version of Data Loader

On September 2, 2025, Salesforce released Data Loader v64.1.0. This version allows users to authenticate using one of two mechanisms:

OAuth 2.0 Web Server Flow with PKCE (default)
Password authentication

Data Loader v64.1.0 doesn't support OAuth 2.0 Device Flow or OAuth 2.0 User-Agent Flow.

Salesforce strongly advises all Data Loader users to upgrade to v64.1.0 as soon as possible following its release.

If you are using Data Loader with the auto-installed Connected App, Data Loader v64.1.0 will work after installation with no further configuration required.

If you are using Data Loader with a custom Connected App, then contact your org administrator to configure that Connected App to use OAuth 2.0 Web Server Flow with PKCE. If this configuration change isn’t made, then Data Loader v64.1.0 will only allow password authentication to be used.

If you encounter an authorization error when first logging in using Data Loader v64.1.0, close and re-open your browser.

How do I know if I’m using the auto-installed Connected App?

Open Data Loader Settings and scroll down to the Client ID settings. If the Client ID settings are set to DataLoaderPartnerUI/ and DataLoaderBulkUI/, then Data Loader is using the auto-installed Connected App.

Data Loader Settings panel showing the Client ID fields set to "DataLoaderPartnerUI/" and "DataLoaderBulkUI/", confirming that the auto-installed Connected App is in use.

If they are set to different values, then Data Loader is using a custom Connected App.

What configuration changes are required for a custom Connected App?

The Connected App must have these configuration values to work with Data Loader v64.1.0:

Set the Callback URL field to:
http://localhost:7171/OauthRedirect
Enable:
- Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows
Disable:
- Require secret for Web Server Flow
- Enable for Device Flow

Ensure that Device Flow is disabled to improve security and protect against common attacks.

Below is an example of a correctly configured auto-installed Connected App.

Example of a correctly configured Connected App for Data Loader v64.1.0

Knowledge-artikkelin numero

005132367

Ratkaisiko tämä artikkeli ongelmasi?

Anna palautetta, jotta voimme kehittyä!