Loading...
Loading...
Salesforce Connected Apps and External Client Apps OAuth configuration with 120-point scoring. Use this skill to configure OAuth flows, JWT bearer auth, Connected Apps, and External Client Apps in Salesforce. TRIGGER when: user configures OAuth flows, JWT bearer auth, Connected Apps, ECAs, or touches .connectedApp-meta.xml / .eca-meta.xml files. DO NOT TRIGGER when: configuring Named Credentials for callouts (use building-sf-integrations), reviewing permission policies (use deploying-metadata), or writing Apex token-handling code (use generating-apex).
npx skill4agent add forcedotcom/afv-library configuring-connected-apps.connectedApp-meta.xml.eca-meta.xml| If the need is... | Prefer |
|---|---|
| simple single-org OAuth app | Connected App |
| new development with better secret handling | External Client App |
| multi-org / packaging / stronger operational controls | External Client App |
| straightforward legacy compatibility | Connected App |
| Use case | Default flow |
|---|---|
| backend web app | Authorization Code |
| SPA / mobile / public client | Authorization Code + PKCE |
| server-to-server / CI/CD | JWT Bearer |
| device / CLI auth | Device Flow |
| service account style app | Client Credentials (typically ECA) |
| Template | Use case |
|---|---|
| Simple API integration, minimal OAuth |
| Web app with full OAuth 2.0 configuration |
| JWT bearer / server-to-server |
| Embedding external apps in Salesforce UI (Canvas) |
| ECA header file — all new ECA builds start here |
| ECA global OAuth settings (scopes, PKCE, rotation) |
| ECA per-app OAuth settings |
| ECA configurable policies |
sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>references/security-checklist.mdreferences/testing-validation-guide.mdDUPLICATE_VALUEINVALID_CROSS_REFERENCE_KEYexternalClientApplication.eca-meta.xmlINSUFFICIENT_ACCESS_OR_READONLY| Rule | Rationale |
|---|---|
| Never commit consumer secrets to source control | Credential exposure risk |
Never use | Unnecessary privilege; request only what the app needs |
| Always use PKCE for public clients (mobile, SPA) | Prevents auth code interception |
| Never use wildcard or overly broad callback URLs | Token interception risk |
| ECA OAuth security settings must be retrieved from org before editing | File schema is not fully documented; retrieve-first ensures accuracy |
Use | Org URLs vary per environment |
Detect actual | Projects may not use the default |
sfdx-project.json → packageDirectories<packageDir>/connectedApps/sfdx-project.json| Directory | Metadata type | File suffix |
|---|---|---|
| | |
| | |
| | |
| | |
| | |
| | |
| Gotcha | Detail |
|---|---|
| The global OAuth suffix is abbreviated — using the long form will break deployment |
| Same abbreviation pattern — the general policy suffix is short form |
| Use |
| ECA OAuth security settings are retrieve-only | Cannot be created from scratch in source — always retrieve from org first |
| Spring '26: new Connected Apps disabled by default | New orgs block Connected App creation; use ECA unless explicitly required |
| Consumer key is generated post-deploy | You cannot set the consumer key in metadata — retrieve it after first deployment |
App: <name>
Type: Connected App | External Client App
Flow: <oauth flow>
Files: <paths>
Security: <scopes, PKCE, certs, secrets, IP policy>
Next step: <deploy, retrieve consumer key, or test auth flow>
Score: <x>/120| Need | Delegate to | Reason |
|---|---|---|
| Named Credential / callout runtime config | building-sf-integrations | runtime integration setup |
| Deploy app metadata | deploying-metadata | org validation and deployment |
| Apex token or refresh handling | generating-apex | implementation logic |
| Score | Meaning |
|---|---|
| 80+ | production-ready OAuth app config |
| 54–79 | workable but needs hardening review |
| < 54 | block deployment until fixed |
| File | When to read |
|---|---|
| Step 3 — template for simple Connected App with minimal OAuth |
| Step 3 — template for full OAuth 2.0 Connected App |
| Step 3 — template for JWT bearer / server-to-server Connected App |
| Step 3 — template for Canvas app embedding in Salesforce UI |
| Step 3 — ECA header file template |
| Step 3 — ECA global OAuth settings template (PKCE, rotation, callbacks) |
| Step 3 — ECA per-app OAuth settings template |
| Step 3 — ECA configurable policies template |
| Step 2 — detailed OAuth flow comparison and decision guide |
| Step 4 — full 120-point security scoring checklist |
| Step 5 — pre-deployment validation and testing guide |
| When migrating from Connected App to ECA patterns |
| Full end-to-end examples for common OAuth scenarios |