          OAuth Flow Enablement: Enable Authorization Code and Credentials Flow Control

          Control Name

          External Client Apps: OAuth Flow Enablement Enable Authorization Code and Credentials Flow

          Recommended Configuration

          Enable Authorization Code and Credentials Flow.

          Control Overview

          This security setting enables the Authorization Code and Credentials Flow, an OAuth 2.0 flow in which the application first obtains a short-lived, single-use authorization code and then exchanges it for access tokens at the token endpoint. The exchange must be accompanied by the application's own client credentials, so the token is issued only to the client that the code was issued to.

          Security Risk If Not Configured

          Without this flow, applications often fall back on legacy or less secure methods that do not bind the user's authorization to the specific client application's credentials. An authorization code obtained by a third party can then be redeemed by whoever holds it, increasing the risk of token interception.

          Threat Scenarios

          An attacker who has intercepted or stolen an authorization code attempts to exchange it for an access token to a protected resource. The attempt fails because the token endpoint requires the specific client application's credentials to complete the exchange, and the attacker does not hold them.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failing to implement this integrated flow leaves tokens that are not bound to the requesting application, so an intercepted code or token can be replayed by another party or reused across different sessions.

          Higher Risk When

          Public-facing web applications or mobile apps that handle high-volume user traffic across untrusted networks, where interception of an unprotected authorization code is more likely.

          Low Risk When

          The application already uses the Proof Key for Code Exchange (PKCE) extension to add an additional layer of protection to the standard authorization code flow. PKCE binds the code to a verifier held only by the client instance that started the flow and does not require a stored secret, so it is the appropriate protection for public clients such as mobile and single-page apps that cannot keep a client secret.

          Business and Integration Considerations

          Implementing this flow requires developers to update their application logic in two steps: first handle the authorization response that delivers the code, and then perform the server-side token exchange in which the code is presented together with the application's client credentials.

          Recommended Remediation

          Go to the OAuth settings of the External Client App and select the checkbox that enables the Authorization Code and Credentials Flow.

          Security Health Review Guidance

          Security Health Review identifies this flow as a critical security upgrade for complex integrations, because it ensures that every token exchange is verified against the identity of the specific application requesting access.

          Salesforce Help | Article