Configuring Client Credentials Flow in Salesforce

The OAuth 2.0 Client Credentials Flow allows seamless information sharing between two applications without requiring user input. In this flow, a client application exchanges its credentials (client ID and client secret) for an access token, enabling secure access to a target Salesforce org.


Steps to Configure the Client Credentials Flow

In the Target Org: Setting Up the Connected App

  1. Create a Connected App:
    • Navigate to Setup > App Manager > New Connected App.
    • Specify the app name and other basic details.
  2. Enable OAuth Settings:
    • Check the Enable OAuth Settings box.
    • Add the Access the Salesforce API Platform scope.
  3. Enable Client Credentials Flow:
    • Check the Enable Client Credentials Flow box.
    • Save the settings to generate a Client ID and Client Secret.

In the Source Org: Setting Up External Credential and Named Credential

  1. Create an External Credential:
    • Navigate to Setup > External Credentials > New External Credential.
    • Select Client Credentials with Client Secret Flow as the Authentication Flow Type.
    • Add the Client ID and Client Secret from the target org as Principals.
  2. Create a Named Credential:
    • Navigate to Setup > Named Credentials > New Named Credential.
    • Choose the External Credential created earlier.
    • Set the URL to the target org’s domain (e.g., https://mycustomdomain.my.salesforce.com).
  3. Utilize the Named Credential:
    • Use this Named Credential in Apex or Flow to call the target org’s REST API as required.
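As an added example (not code from the original post), this Apex class shows step 3 in practice: the callout goes through a Named Credential, so the client secret and the bearer token never appear in Apex. It assumes the Named Credential is called `Target_Org`, that the running user is mapped to the External Credential's principal through a permission set, and that API version v60.0 is enabled in the target org.

```apex
// Added example, not part of the original post.
// Assumptions: Named Credential "Target_Org", API version v60.0.
public with sharing class TargetOrgClient {

    // Queries Accounts in the target org. The Named Credential performs the
    // client credentials token exchange and injects the Authorization header,
    // so no client ID, client secret or access token is handled here.
    public static List<Object> queryAccounts() {
        String soql = EncodingUtil.urlEncode(
            'SELECT Id, Name FROM Account LIMIT 5', 'UTF-8');

        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Target_Org/services/data/v60.0/query?q=' + soql);
        req.setMethod('GET');
        req.setTimeout(30000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // 401 here usually means the running user is not granted the
            // External Credential principal, or the consumer secret was
            // rotated in the target org but not updated in the source org.
            throw new CalloutException('Target org returned '
                + res.getStatusCode() + ': ' + res.getBody());
        }

        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        return (List<Object>) body.get('records');
    }
}
```

Because the token is issued for the Run As user of the connected app, records returned are limited to what that user can see in the target org, which is why it should be a least-privilege (ideally API Only) user.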

Enabling OAuth Client Credentials Flow

Configuration Process

  1. Navigate to Setup > External Client Apps Manager.
  2. Locate your external client app and select Edit Settings from the actions dropdown.
  3. In the OAuth Settings section:
    • Check Enable OAuth.
    • Select Enable Client Credentials Flow.
  4. Save the settings.

Security Considerations

  • Protect your Consumer Key and Consumer Secret, as they provide access to the target org.
  • Regularly rotate the consumer secret to maintain security. If compromised, change it immediately.
  • Refer to OAuth Client Credentials Rotation for External Client Apps for best practices.

Expanded Availability for More Editions

Previously limited to Enterprise Edition due to the API Only User permission, the client credentials flow is now available in all editions, including Professional, Performance, Unlimited, and Developer Editions.

How This Works Across Editions

  • Specify an execution user in the Run As field of the connected app.
  • For Enterprise Edition orgs, it’s recommended (but not required) to assign a user with the API Only User permission for execution.

User Permissions Needed

  • To configure an external client app: Create, Edit, and Delete External Client Apps.
  • To enable or disable plugins, ensure the external client app is installed in your Salesforce org.

For more information, consult Salesforce documentation or your system administrator.

Author: get-admin