OAuth and OpenID Connect Settings
Definition
OAuth and OpenID Connect Settings is a Setup page where administrators configure global OAuth 2.0 and OpenID Connect settings for the org. This includes enabling or disabling OAuth features, configuring token policies, managing allowed OAuth flows, and setting up OpenID Connect discovery endpoints.
In plain English
“Here's a simple way to think about it: OAuth and OpenID Connect Settings control how external apps actually get tokens. Token lifetimes, refresh-token policies, allowed grant types - every external authentication transaction passes through this configuration.”
Worked example
The admin at Apex Dynamics configures OAuth and OpenID Connect Settings to disable the Username-Password OAuth flow for security reasons, enforce refresh token rotation, and set access token lifetimes to 2 hours. These settings apply to all Connected Apps in the org, ensuring consistent security across all OAuth-based integrations.
Why OAuth and OpenID Connect Settings control how external apps actually get tokens
Connected Apps define which external apps can talk to your Salesforce; OAuth and OpenID Connect Settings define the rules of engagement. Token lifetimes, refresh-token policies, allowed grant types, OpenID Connect discovery configuration - every external authentication transaction passes through the policy this page describes. Default settings cover most cases; tighten them and you can lock down token behavior in ways that materially change your security posture.
The reason it deserves attention is that integrations break loudly when these settings change unexpectedly. Shorten a refresh token's lifetime and integrations that haven't reauthenticated in months suddenly start failing; disable an OAuth flow and the apps that use it lose access immediately. Plan changes here as you'd plan a database migration: identify dependents, test in a sandbox, document the rollback, and communicate before flipping the switch.
How to set up OAuth and OpenID Connect Settings
OAuth and OpenID Connect Settings configure org-wide OAuth behavior — token lifetimes, scopes available to Connected Apps, OpenID Connect (OIDC) discovery endpoints. It's a foundation page for SSO and integration scenarios.
- Open Setup → OAuth and OpenID Connect Settings
Setup gear → Quick Find: OAuth → OAuth and OpenID Connect Settings.
- Configure Allow OAuth Username-Password Flows
Username-Password OAuth flow is a legacy, less-secure flow. Modern best practice is to disable it and use the standard authorization code flow with PKCE.
- Configure Token Lifetimes
Access token lifetime, refresh token lifetime. Shorter = more secure, more re-auths.
- Configure available OAuth scopes
Custom scopes can be defined. Some standard scopes (api, openid, refresh_token) are always available.
- Configure OpenID Connect Token Settings
OIDC issuer URL, ID token claims, signing algorithm.
- Save
Settings apply org-wide to all Connected Apps.
Summary of the settings above:
- Allow OAuth Username-Password Flows: Legacy flow. Recommend OFF in modern orgs.
- Token Lifetimes: Access token + refresh token lifetimes.
- OAuth scopes: Standard + custom scopes.
- OpenID Connect Token Settings: Issuer, claims, signing.
- Disabling Username-Password OAuth Flows breaks legacy integrations that hardcoded that flow. Audit before disabling — old SOAP-based integrations frequently use it.
- Short access token lifetimes force frequent re-auths. Most modern integrations expect 1-2 hour access tokens; setting it to 15 minutes breaks polling integrations.
- OIDC settings affect every Connected App that uses OIDC. Changing the signing algorithm post-deployment requires every downstream app to refresh its trust — coordinate widely.
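As an added example (not Salesforce's code and not part of this page), the following Python script shows the two checks an admin would want after saving these settings: generating a PKCE code_verifier/code_challenge pair for the authorization code flow recommended in place of the Username-Password flow, and auditing an org's published OIDC discovery document against the intended policy (password grant disabled, no unsigned or shared-secret ID token algorithms, S256 PKCE advertised). The discovery document and the org URL are constructed sample data; the field names are standard OIDC Discovery / RFC 8414 fields, and it is an assumption that a given org publishes all of them.

```python
"""Defender-side checks for org-wide OAuth/OIDC policy (added example, not Salesforce code)."""
import base64
import hashlib
import re
import secrets

# RFC 7636 "unreserved" characters allowed in a code_verifier, 43-128 chars long.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def compute_code_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) with '=' padding removed."""
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return a fresh (code_verifier, code_challenge) for one authorization request."""
    # 32 random bytes -> 43-character base64url verifier, the RFC 7636 minimum length.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, compute_code_challenge(verifier)


# The policy the admin decided on (constructed to mirror the worked example on this page).
POLICY = {
    "forbidden_grant_types": {"password"},        # Username-Password flow disabled
    "forbidden_signing_algs": {"none", "HS256"},  # no unsigned / shared-secret ID tokens
}

# Constructed discovery document, i.e. what /.well-known/openid-configuration might return.
# Field names are standard OIDC Discovery fields; the values and hostname are made up.
SAMPLE_DISCOVERY = {
    "issuer": "https://example-org.my.salesforce.com",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
    "id_token_signing_alg_values_supported": ["RS256", "none"],
    "code_challenge_methods_supported": ["S256"],
}


def audit_oidc_policy(discovery: dict, policy: dict = POLICY) -> list:
    """Return human-readable findings where published metadata contradicts the intended policy."""
    findings = []
    advertised_grants = set(discovery.get("grant_types_supported", []))
    for grant in sorted(advertised_grants & policy["forbidden_grant_types"]):
        findings.append(f"grant type '{grant}' still advertised; disable it in OAuth settings")
    advertised_algs = set(discovery.get("id_token_signing_alg_values_supported", []))
    for alg in sorted(advertised_algs & policy["forbidden_signing_algs"]):
        findings.append(f"ID token signing alg '{alg}' advertised; restrict to asymmetric algs")
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        findings.append("S256 PKCE not advertised; authorization-code clients cannot use PKCE")
    if not discovery.get("issuer", "").startswith("https://"):
        findings.append("issuer is not an https URL")
    return findings


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("code_verifier :", verifier)
    print("code_challenge:", challenge)
    for finding in audit_oidc_policy(SAMPLE_DISCOVERY):
        print("FINDING:", finding)
```

Run the audit against a live discovery document after each change to these settings and keep the output with the change record; a finding that reappears later is a sign that the setting was rolled back or never took effect for some Connected App.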
How organizations use OAuth and OpenID Connect Settings
Tightened refresh-token lifetime to 30 days after a security review; integrations needing longer tokens were upgraded to OAuth refresh patterns.
Disabled deprecated OAuth flows after security audit; only modern grant types remain enabled.
Trust & references
Straight from the source - Salesforce's reference material on OAuth and OpenID Connect Settings.
- Configure an Authentication Provider Using OpenID Connect (Salesforce Help)
Test your knowledge
Q1. Why is understanding OAuth and OpenID Connect Settings important for Salesforce admins?
Q2. What is the primary benefit of OAuth and OpenID Connect Settings for Salesforce administrators?
Q3. Can a Salesforce admin configure OAuth and OpenID Connect Settings without writing code?