          Configure the External Client App OAuth Settings: OAuth Scope Least Privilege

          ECAs allow for highly granular OAuth scopes, which control permissions for the ECA.

          Control Name

          External Client Apps: Configure the External Client App OAuth Settings: OAuth Scope Least Privilege

          Recommended Configuration

          OAuth Scopes - OAuth scopes define permissions for the external client app.

          Control Overview

          ECAs allow for highly granular OAuth scopes, which control permissions for the ECA. Restricting these minimizes the "blast radius."

          Security Risk If Not Configured

          Failing to restrict OAuth scopes results in over-privileged access, where an external application is granted broader permissions than necessary to function. Compromised apps gain access to sensitive PII unnecessarily.

          Threat Scenarios

          An attacker who gains control of a token with the Full scope can bypass UI restrictions to programmatically delete records, export entire customer databases, or modify system configurations.

          Additionally, a "token leak" via an insecure client-side implementation allows malicious actors to impersonate the user across any Salesforce API, not just the specific features intended for the external app.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Massive expansion of the blast radius during a credential theft event, potentially turning a minor localized breach into a total company data loss.

          Higher Risk When

Apps are assigned "Full Access" by default, or the app is configured for "All users may self-authorize," letting any employee or customer grant broad permissions to unvetted third-party tools.

          Low Risk When

Narrow or custom scopes restrict the token to specific, non-destructive actions. Implementing the OAuth 2.0 policy "Admin approved users are pre-authorized" further reduces risk by making sure that only specific profiles or permission sets can use the app, regardless of the scopes requested.

          Business and Integration Considerations

          Strictly defining scopes requires deep coordination between developers and architects to map every API call to its required permission, which can increase initial development time. However, this upfront effort prevents integration debt, where a lack of granularity forces you to grant excessive, unrestricted access to simple tools, creating a long-term security liability that is difficult to untangle later.

          Recommended Remediation

          Review the OAuth Settings of the ECA and select only the specific scopes (for example, api, openid) required for the business function.
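The following is an added example, not code from Salesforce or from this help article, showing how a reviewer can check an inventory of ECA OAuth settings against the conditions above: a broad "full" scope, the "All users may self-authorize" policy, and scopes granted beyond what the integration's documented API calls require. The inventory record format, the app names and the API-call-to-scope mapping are constructed assumptions for illustration; the scope names ("full", "api", "openid", "refresh_token", "chatter_api") are the standard Salesforce OAuth scope identifiers.

```python
"""Audit External Client App OAuth scope grants for least privilege.

Added example. The EcaOauthSettings record below is an assumed inventory
shape for illustration, not Salesforce's metadata schema.
"""
from dataclasses import dataclass, field

# "full" is the "Full access" scope the article warns about.
BROAD_SCOPES = {"full"}

# Permitted-users policy strings as they appear in the Salesforce UI.
SELF_AUTHORIZE = "All users may self-authorize"
ADMIN_PREAUTHORIZED = "Admin approved users are pre-authorized"

# Illustrative mapping from the API families an integration calls to the
# scope each one needs; verify against Salesforce's scope documentation
# for your own integration before relying on it.
API_FAMILY_SCOPE = {
    "rest_data": "api",            # REST/SOAP data access
    "chatter": "chatter_api",      # Chatter REST API
    "openid_connect": "openid",    # identity / userinfo
    "offline_refresh": "refresh_token",  # long-lived refresh tokens
}


@dataclass
class EcaOauthSettings:
    name: str
    granted_scopes: set[str]
    permitted_users: str
    # API families the integration actually uses, as mapped by its developers
    api_families: list[str] = field(default_factory=list)


@dataclass
class Finding:
    app: str
    severity: str  # "high" | "medium"
    message: str


def required_scopes(api_families: list[str]) -> set[str]:
    """Derive the minimal scope set from the API families an app calls."""
    return {API_FAMILY_SCOPE[f] for f in api_families}


def audit_app(app: EcaOauthSettings) -> list[Finding]:
    """Return findings for one app; an empty list means no issue found."""
    findings: list[Finding] = []
    broad = app.granted_scopes & BROAD_SCOPES
    if broad:
        findings.append(Finding(app.name, "high",
                                f"broad scope granted: {sorted(broad)}"))
    if app.permitted_users == SELF_AUTHORIZE:
        # Self-authorization of a broad scope is the worst case from the article
        sev = "high" if broad else "medium"
        findings.append(Finding(app.name, sev,
                                "any user may self-authorize this app"))
    needed = required_scopes(app.api_families)
    excess = app.granted_scopes - needed - BROAD_SCOPES
    if app.api_families and excess:
        findings.append(Finding(app.name, "medium",
                                f"scopes beyond documented need: {sorted(excess)}"))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Collapse findings to a single level: high, medium or low."""
    order = {"high": 2, "medium": 1}
    if not findings:
        return "low"
    return max(findings, key=lambda f: order[f.severity]).severity


def audit_inventory(apps: list[EcaOauthSettings]) -> dict[str, str]:
    return {app.name: risk_level(audit_app(app)) for app in apps}


# Constructed sample inventory (names and grants are made up)
SAMPLE_APPS = [
    EcaOauthSettings("Legacy ETL Connector", {"full", "refresh_token"},
                     SELF_AUTHORIZE, ["rest_data"]),
    EcaOauthSettings("Support Portal SSO", {"openid", "profile", "email", "api"},
                     SELF_AUTHORIZE, ["openid_connect"]),
    EcaOauthSettings("Finance Sync", {"api", "refresh_token"},
                     ADMIN_PREAUTHORIZED, ["rest_data", "offline_refresh"]),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        for f in audit_app(app):
            print(f"[{f.severity.upper()}] {f.app}: {f.message}")
    print(audit_inventory(SAMPLE_APPS))
```

The excess-scope check is the mechanical form of the developer/architect mapping the article describes: once each API call family is tied to the scope it needs, anything granted beyond that set is integration debt to remove, and a "full" grant is flagged regardless of what the app calls.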

          Security Health Review Guidance

Security Health Review emphasizes the Principle of Least Privilege. Evaluate app requirements and restrict broad scopes (for example, "Full Access") that could turn a small breach into a catastrophic data loss event.
