OAuth and OpenID Connect Settings
Definition
OAuth and OpenID Connect Settings is the Salesforce Setup configuration that controls how the org acts as an OAuth 2.0 and OpenID Connect provider for external applications and how it consumes those protocols when acting as a client. The settings span several related areas: enabling OAuth scopes, configuring OpenID Connect discovery endpoints, setting token expiration policies, managing dynamic client registration, and controlling which OAuth flows are permitted. The page is the master control plane for federated authentication and authorization across the org.
The settings interact closely with Connected Apps (which are individual OAuth client configurations) and Identity Provider settings (for SAML-based federation). Misconfiguration here affects every OAuth integration: token lifetimes that are too long create security risk; flows disabled here break integrations that rely on them; missing scopes prevent integrations from accessing data they need. Most B2B orgs leave the default settings in place; security-sensitive industries tighten beyond defaults based on regulatory requirements.
How OAuth and OIDC Settings governs federation
OAuth scopes available to Connected Apps
The page configures which OAuth scopes are available for Connected Apps to request. Standard scopes include api (access objects), refresh_token (long-lived sessions), full (everything), openid (OpenID Connect), profile, email, address, phone, web (browser-based). Restricting available scopes prevents Connected Apps from requesting more access than your security policy allows.
OpenID Connect Discovery
When Salesforce acts as an OIDC provider, the discovery endpoint exposes metadata that OIDC clients use to configure themselves automatically. The endpoint URL follows the standard /.well-known/openid-configuration format. The settings here control which fields the discovery endpoint exposes; defaults are sufficient for most integration scenarios.
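A practical way to verify the discovery endpoint is to pull the document and check it against policy rather than eyeballing it. The script below is an added example for this page (not Salesforce's code): it embeds a constructed discovery document in the shape defined by OIDC Discovery / RFC 8414 with a placeholder hostname, and the allowed grant types and permitted scopes are assumptions standing in for an org's own policy. The same check applies to the "verify OIDC discovery endpoint" step of the rollout described later on this page.

```python
"""Sanity checks for an OpenID Connect discovery document.

Added example for this page; it is not Salesforce's code. The document below
is a constructed sample in the shape defined by OIDC Discovery / RFC 8414,
with a placeholder hostname. The policy sets (allowed grant types, permitted
scopes) are assumptions standing in for an org's own policy.
"""
import json
import urllib.request
from typing import List
from urllib.parse import urlparse

# Constructed sample of a decoded /.well-known/openid-configuration body.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://example-org.my.salesforce.com",
  "authorization_endpoint": "https://example-org.my.salesforce.com/services/oauth2/authorize",
  "token_endpoint": "https://example-org.my.salesforce.com/services/oauth2/token",
  "userinfo_endpoint": "https://example-org.my.salesforce.com/services/oauth2/userinfo",
  "jwks_uri": "https://example-org.my.salesforce.com/id/keys",
  "revocation_endpoint": "https://example-org.my.salesforce.com/services/oauth2/revoke",
  "introspection_endpoint": "https://example-org.my.salesforce.com/services/oauth2/introspect",
  "scopes_supported": ["openid", "profile", "email", "api", "refresh_token", "full"],
  "response_types_supported": ["code", "token", "id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token", "password",
                            "urn:ietf:params:oauth:grant-type:jwt-bearer"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")

# Fields an OIDC client cannot configure itself without.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "jwks_uri", "scopes_supported")
# Assumed policy for a tightened org: the password grant is deliberately absent.
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token",
                       "urn:ietf:params:oauth:grant-type:jwt-bearer"}
# Assumed policy: scopes Connected Apps may request; "full" is deliberately absent.
POLICY_SCOPES = {"openid", "profile", "email", "api", "refresh_token"}


def fetch_discovery(base_url: str) -> dict:
    """Download the live document (network call; not used by the offline check)."""
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc: dict) -> List[str]:
    """Return a list of findings; an empty list means the document matches policy."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field: {field}")
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        findings.append("issuer is not an https URL")
    # Every advertised endpoint should be https on the issuer's own host; a
    # different host points at a mis-proxied or tampered document.
    for name, value in doc.items():
        if name.endswith(("_endpoint", "_uri")):
            u = urlparse(str(value))
            if u.scheme != "https" or u.hostname != issuer.hostname:
                findings.append(f"{name} is not https on the issuer host: {value}")
    for grant in doc.get("grant_types_supported", []):
        if grant not in ALLOWED_GRANT_TYPES:
            findings.append(f"grant type advertised but outside policy: {grant}")
    for scope in doc.get("scopes_supported", []):
        if scope not in POLICY_SCOPES:
            findings.append(f"scope advertised but outside policy: {scope}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 is not advertised for ID token signing")
    return findings


if __name__ == "__main__":
    for line in check_discovery(SAMPLE_DISCOVERY) or ["no findings"]:
        print(line)
```

Against the sample the check reports two policy deviations: the provider still advertises the `password` grant and the `full` scope, which is exactly the kind of drift the procedure on this page is meant to eliminate. For a live org, replace the sample with `fetch_discovery("https://<my-domain>")` and run the same function.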
Token expiration policies
Access token lifetime defaults to 2 hours; refresh tokens persist longer (up to indefinitely, depending on configuration). Tighter token expiration improves security at the cost of more frequent token refresh round-trips. Regulated industries may set shorter access token lifetimes; standard B2B orgs leave them at the defaults. Token policies are also configured per Connected App; the org-level settings establish the baseline.
Dynamic Client Registration
Dynamic Client Registration lets OIDC clients programmatically register with Salesforce as a provider, without admin intervention per client. Enable for federation scenarios with many client apps (multi-tenant SaaS integrations); leave disabled for orgs with a small known set of integrations to maintain tighter control.
OAuth flows enablement
Several OAuth flows are supported: Web Server Flow, User-Agent Flow, JWT Bearer Token Flow, Username-Password Flow, Refresh Token Flow, Device Flow, Asset Token Flow. Each can be enabled or disabled. The Username-Password Flow is the most security-sensitive; most modern orgs disable it because it requires the client to handle user passwords directly. JWT Bearer is the recommended pattern for server-to-server integrations.
Token introspection and revocation
The page exposes token introspection (clients can check if a token is still valid) and revocation (clients can invalidate tokens before expiration) endpoints. These are standard OAuth extensions; enable both for full integration capability. Disabling introspection makes some integration patterns harder to implement; disabling revocation prevents clients from cleanly logging out.
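The client side of those two endpoints, as an added example for this page rather than Salesforce's own client code. The paths `/services/oauth2/introspect` and `/services/oauth2/revoke` are Salesforce's documented endpoints; the hostname, the placeholder client credentials and the canned responses served by `FakeTransport` are constructed, and sending `client_id`/`client_secret` as form fields is one accepted client authentication method and an assumption here. The point it demonstrates is the defensive reading of an introspection response: a token is only usable if it is active, unexpired and carries every scope the caller needs, and after revocation the provider reports it as inactive.

```python
"""Introspect and revoke tokens against a Salesforce-hosted OAuth provider.

Added example for this page, not Salesforce's own client code. The paths
/services/oauth2/introspect and /services/oauth2/revoke are Salesforce's
documented endpoints; the hostname, client credentials and the canned
responses served by FakeTransport are constructed. Passing client_id and
client_secret as form fields is one accepted client authentication method
and is an assumption here.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional

Transport = Callable[[str, Dict[str, str]], dict]


def http_transport(url: str, form: Dict[str, str]) -> dict:
    """POST a form body and decode the JSON reply (empty body -> {})."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


class TokenClient:
    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Transport = http_transport):
        self.base = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport

    def introspect(self, token: str, hint: str = "access_token") -> dict:
        # RFC 7662 request: the token plus a hint, authenticated as the Connected App.
        return self.transport(self.base + "/services/oauth2/introspect", {
            "token": token, "token_type_hint": hint,
            "client_id": self.client_id, "client_secret": self.client_secret})

    def revoke(self, token: str) -> dict:
        # RFC 7009 request; the provider decides which token types it revokes.
        return self.transport(self.base + "/services/oauth2/revoke", {"token": token})

    def is_usable(self, token: str, required_scopes: Iterable[str],
                  now: Optional[float] = None) -> bool:
        """True only if the token is active, unexpired and carries every required scope."""
        info = self.introspect(token)
        if not info.get("active"):
            return False
        exp = info.get("exp")
        if exp is not None and exp <= (now if now is not None else time.time()):
            return False
        granted = set(str(info.get("scope", "")).split())
        return set(required_scopes) <= granted


class FakeTransport:
    """Offline stand-in for the provider; the responses below are constructed."""
    def __init__(self, now: float):
        self.tokens = {
            "tok-good": {"active": True, "scope": "api refresh_token openid", "exp": now + 3600},
            "tok-expired": {"active": True, "scope": "api", "exp": now - 1},
        }

    def __call__(self, url: str, form: Dict[str, str]) -> dict:
        token = form["token"]
        if url.endswith("/services/oauth2/introspect"):
            # RFC 7662: unknown or revoked tokens are reported as inactive, with no details.
            return dict(self.tokens.get(token, {"active": False}))
        if url.endswith("/services/oauth2/revoke"):
            self.tokens.pop(token, None)
            return {}
        raise ValueError("unexpected URL " + url)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the checks a client makes around a logout; returns the observations."""
    client = TokenClient("https://example-org.my.salesforce.com", "CONSUMER_KEY_PLACEHOLDER",
                         "CONSUMER_SECRET_PLACEHOLDER", transport=FakeTransport(now))
    result = {
        "good_for_api": client.is_usable("tok-good", ["api"], now),
        "good_for_full": client.is_usable("tok-good", ["full"], now),
        "expired": client.is_usable("tok-expired", ["api"], now),
    }
    client.revoke("tok-good")  # clean logout
    result["good_after_revoke"] = client.is_usable("tok-good", ["api"], now)
    return result


if __name__ == "__main__":
    print(demo())
```

Swapping `FakeTransport` for the default `http_transport` turns this into a live client; keeping the transport injectable is also what lets the logout path be tested without an org.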
Audit and monitoring
Setup Audit Trail captures changes to these settings. Identity Provider Event Log captures OAuth events when Salesforce acts as IdP. Login History captures inbound OAuth logins. Event Monitoring streams all of these to external SIEMs. Configure monitoring before opening OAuth widely; without monitoring, OAuth abuse is hard to detect.
Configure OAuth and OpenID Connect Settings
Configuring OAuth and OIDC settings is a deliberate security decision. The steps below cover the standard rollout for a B2B org tightening defaults for production.
- Open the settings
Setup > Identity > OAuth and OpenID Connect Settings. The page shows the current configuration.
- Review available scopes
List scopes currently allowed. Restrict to those actually needed; disable scopes no integration uses.
- Set token expiration baseline
Configure the access token lifetime. The 2-hour default suits most orgs; regulated industries set it shorter.
- Disable Username-Password Flow
Most orgs should disable this flow. Confirm no integration depends on it before disabling; migrate any that do to JWT Bearer.
- Configure Dynamic Client Registration
Leave disabled unless multi-tenant federation is required. Enabling allows external clients to self-register.
- Verify OIDC discovery endpoint
Test the /.well-known/openid-configuration endpoint. Confirm the exposed fields are appropriate; the default is usually sufficient.
- Enable monitoring
Configure Identity Provider Event Log and Login History exports to SIEM. Build alerts on unusual OAuth patterns.
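Two of the "unusual OAuth patterns" worth alerting on, run over Login History rows, as an added example for this page (not Salesforce's code). The CSV is constructed; its column names follow the Login History export, `Remote Access 2.0` is the login type Salesforce records for OAuth 2.0 logins, and the status strings are representative. The approved-app inventory, the failure threshold and the window are assumptions to tune per org.

```python
"""Detection rules over Login History rows for OAuth logins.

Added example, not Salesforce's code. The CSV below is constructed; the
column names follow the Login History export (LoginType "Remote Access 2.0"
is the value Salesforce records for OAuth 2.0 logins) and the status strings
are representative. Thresholds, the approved-app list and the window are
assumptions to tune per org.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOGIN_HISTORY = """LoginTime,Username,LoginType,Application,SourceIp,Status
2024-05-01T08:00:00Z,alice@example.com,Remote Access 2.0,Finance Sync,203.0.113.10,Success
2024-05-01T08:00:30Z,bob@example.com,Remote Access 2.0,Unknown Tool,198.51.100.7,Success
2024-05-01T08:01:00Z,carol@example.com,Remote Access 2.0,Finance Sync,198.51.100.20,Failed: Invalid Password
2024-05-01T08:01:10Z,carol@example.com,Remote Access 2.0,Finance Sync,198.51.100.21,Failed: Invalid Password
2024-05-01T08:01:20Z,carol@example.com,Remote Access 2.0,Finance Sync,198.51.100.22,Failed: Invalid Password
2024-05-01T08:01:30Z,carol@example.com,Remote Access 2.0,Finance Sync,198.51.100.23,Failed: Invalid Password
2024-05-01T08:01:40Z,carol@example.com,Remote Access 2.0,Finance Sync,198.51.100.24,Failed: Invalid Password
2024-05-01T08:05:00Z,alice@example.com,Application,Browser,203.0.113.10,Success
"""

APPROVED_APPS = {"Finance Sync", "HR Connector"}   # assumed Connected App inventory
FAIL_THRESHOLD = 5                                  # this many failures ...
FAIL_WINDOW = timedelta(minutes=5)                  # ... inside this window
OAUTH_LOGIN_TYPE = "Remote Access 2.0"


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Read the export and turn LoginTime into a datetime for window arithmetic."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["LoginTime"] = datetime.strptime(row["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def detect(rows, approved_apps=APPROVED_APPS) -> List[dict]:
    alerts = []
    oauth = [r for r in rows if r["LoginType"] == OAUTH_LOGIN_TYPE]

    # Rule 1: an OAuth login through a Connected App that is not in inventory
    # (catches self-registered or forgotten clients; one alert per app).
    flagged = set()
    for r in oauth:
        app = r["Application"]
        if app not in approved_apps and app not in flagged:
            flagged.add(app)
            alerts.append({"rule": "unapproved_connected_app", "subject": app, "user": r["Username"]})

    # Rule 2: a burst of failed OAuth logins for one user, sliding window over
    # time-ordered failures; distinct source IPs are reported for triage.
    failures = defaultdict(list)
    for r in oauth:
        if r["Status"] != "Success":
            failures[r["Username"]].append(r)
    for user, fails in failures.items():
        fails.sort(key=lambda r: r["LoginTime"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["LoginTime"] - fails[start]["LoginTime"] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                ips = {r["SourceIp"] for r in fails[start:end + 1]}
                alerts.append({"rule": "oauth_failure_burst", "subject": user,
                               "count": end - start + 1, "distinct_ips": len(ips)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_rows(SAMPLE_LOGIN_HISTORY)):
        print(alert)
```

On the sample data the first rule flags "Unknown Tool" and the second flags five failed OAuth logins for one user inside a minute from five different addresses. Both rules are the kind of thing to express as SIEM correlation searches once Login History (or the Event Monitoring LoginEvent stream) is exported; the browser login on the last row is ignored because it is not an OAuth login.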
Key settings on the page:
- Available scopes: which scopes Connected Apps can request. Restrict to least privilege.
- Token expiration: access token lifetime, refresh token persistence.
- OAuth flows: Web Server, User-Agent, JWT Bearer, Username-Password, Device, etc.
- Dynamic Client Registration: self-service OIDC client registration. High-risk if accidentally enabled.
- OIDC Discovery: metadata endpoint for OIDC client auto-configuration.
- Username-Password Flow requires clients to handle passwords. Disable in most orgs; migrate integrations to JWT Bearer.
- Dynamic Client Registration accidentally enabled allows external self-registration. High security risk; verify before enabling.
- Token expiration trade-off: tighter is more secure but adds refresh overhead. Tune based on integration patterns.
- Scope availability affects all Connected Apps. Restricting a scope breaks every integration depending on it; audit before restricting.
- Monitor OAuth events. Without Identity Provider Event Log and Login History monitoring, OAuth abuse is invisible.
Trust & references
Straight from the source - Salesforce's reference material on OAuth and OpenID Connect Settings.
- Configure an Authentication Provider Using OpenID Connect (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. Why is understanding OAuth and OpenID Connect Settings important for Salesforce admins?
Q2. What is the primary benefit of OAuth and OpenID Connect Settings for Salesforce administrators?
Q3. Can a Salesforce admin configure OAuth and OpenID Connect Settings without writing code?