Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
Salesforce Administrator
hard

Walk me through implementing OAuth for an external integration.

Setting up OAuth so that an external system (say, a custom Node.js service) authenticates to Salesforce.

Steps:

  1. Create a Connected App in Salesforce. Setup -> App Manager -> New Connected App. Required:
  • Name and contact email.
  • Enable OAuth Settings — checked.
  • Callback URL — the URL the external app redirects to after auth (https://app.example.com/oauth/callback). For server-to-server flows, this is sometimes a dummy URL.
  • Selected OAuth Scopes — what the external app can do. Common: api (basic API access), refresh_token (allow refresh), web (web access). Don't grant more than needed.
  1. Save and copy the Consumer Key and Consumer Secret that Salesforce generates.
  1. Choose the OAuth flow:
  • Web Server Flow — for user-facing apps. User clicks Login, gets redirected to Salesforce, approves, redirects back to the callback URL with an authorization code, app exchanges code for access token. Requires a real callback URL.
  • JWT Bearer Flow — for server-to-server with no user. The external app signs a JWT with a private key matching a certificate uploaded to the Connected App. Salesforce returns an access token. Best for scheduled batch jobs.
  • Username-Password Flow — discouraged in modern setups; requires storing user credentials. Only used for legacy backward compatibility.
  • Client Credentials Flow (newer) — for pure machine-to-machine, no user. Configures the app to run as a specific Salesforce integration user.
  1. Configure security policies on the Connected App:
  • Permitted Users — Admin approved (only profiles you grant get access) or All users may self-authorize.
  • IP Relaxation — restrict access to specific IP ranges if known.
  • Session timeout — how long the access token is valid.
  • Refresh token policy — when refresh tokens expire.
  1. Assign the Connected App to a Profile or Permission Set — without this, no user can authorize even if the OAuth flow runs.
  1. Test — make the OAuth call from the external system, exchange tokens, hit a sample API endpoint to confirm.
  1. Monitor — Setup -> Connected Apps OAuth Usage shows daily auth counts, errors, and IP origins.

Common pitfalls:

  • Wrong scopes — choosing full when you only need api is over-permissioned.
  • Long-lived refresh tokens forgotten — periodic rotation is good practice.
  • Mixing user-context vs system-context — the Connected App's behavior depends on which OAuth flow; pick deliberately.
  • My Domain prerequisite — Connected Apps require My Domain to be configured.

Why this answer works

Tests integration depth. Naming the four OAuth flows and their use cases is the strongest signal. The "scopes minimisation" and "My Domain prerequisite" details show production experience.

Follow-ups to expect

Related dictionary terms