OAuth and OpenID Connect Settings

Administration 🔴 Advanced

Definition

OAuth and OpenID Connect Settings is a Setup page where administrators configure global OAuth 2.0 and OpenID Connect settings for the org. This includes enabling or disabling OAuth features, configuring token policies, managing allowed OAuth flows, and setting up OpenID Connect discovery endpoints.

Real-World Example

The admin at Apex Dynamics configures OAuth and OpenID Connect Settings to disable the Username-Password OAuth flow for security reasons, enforce refresh token rotation, and set access token lifetimes to 2 hours. These settings apply to all Connected Apps in the org, ensuring consistent security across all OAuth-based integrations.

Why OAuth and OpenID Connect Settings Matters

OAuth and OpenID Connect Settings is a centralized Setup page where Salesforce administrators configure org-wide policies for OAuth 2.0 and OpenID Connect protocols. These settings govern global behaviors such as which OAuth flows are permitted (and which are disabled for security), access token expiration durations, refresh token policies including rotation requirements, and OpenID Connect discovery endpoint configuration. Changes here affect every Connected App in the org, making it a powerful lever for enforcing consistent security standards across all integrations without modifying each app individually.

As an org's integration landscape grows, centralized OAuth governance becomes essential for security compliance. Without reviewing these settings, organizations may unknowingly allow insecure flows like the username-password grant, permit indefinite refresh tokens, or expose OpenID Connect endpoints that enable unintended identity federation. Security auditors frequently flag these settings as a first checkpoint during Salesforce security assessments. Organizations that proactively configure these settings — disabling deprecated flows, enforcing token rotation, and limiting token lifetimes — dramatically reduce their exposure to credential theft, unauthorized API access, and compliance violations in regulated industries.
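The baseline this section describes (no username-password or implicit grant, PKCE for public clients, refresh token rotation, bounded token lifetimes) can be turned into a repeatable check that runs before and after an audit. The following is an added example, not code from this page or from Salesforce: `OAuthPolicy`, its field names and the two sample policies are constructed for illustration and do not correspond to the Setup page's own setting names or any vendor API.

```python
"""Audit an org-wide OAuth/OIDC policy against a hardened baseline.

Added example: OAuthPolicy and its field names are constructed for this
illustration; they are not Salesforce's setting names or any vendor API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Limits taken from the scenarios in the text: 2-hour access tokens,
# 30-day refresh tokens.
MAX_ACCESS_TOKEN_SECONDS = 2 * 60 * 60
MAX_REFRESH_TOKEN_SECONDS = 30 * 24 * 60 * 60


@dataclass
class OAuthPolicy:
    """Org-wide settings as an admin would read them off a settings page (constructed)."""
    allowed_flows: List[str]                       # e.g. "authorization_code", "password", "implicit"
    require_pkce_for_public_clients: bool
    refresh_token_rotation: bool
    access_token_lifetime_seconds: int
    refresh_token_lifetime_seconds: Optional[int]  # None = refresh tokens never expire


def audit_policy(policy: OAuthPolicy) -> List[str]:
    """Return one finding per deviation from the baseline; an empty list means compliant."""
    findings: List[str] = []
    if "password" in policy.allowed_flows:
        findings.append("username-password flow enabled: clients collect and transmit raw user credentials")
    if "implicit" in policy.allowed_flows:
        findings.append("implicit grant enabled: access tokens are returned in the browser URL fragment")
    if not policy.require_pkce_for_public_clients:
        findings.append("PKCE not required for public clients: an intercepted authorization code can be redeemed")
    if not policy.refresh_token_rotation:
        findings.append("refresh token rotation disabled: a leaked refresh token stays valid until revoked")
    if policy.access_token_lifetime_seconds > MAX_ACCESS_TOKEN_SECONDS:
        findings.append(
            f"access token lifetime {policy.access_token_lifetime_seconds}s exceeds "
            f"{MAX_ACCESS_TOKEN_SECONDS}s baseline")
    if policy.refresh_token_lifetime_seconds is None:
        findings.append("refresh tokens never expire: departed users' integrations keep working indefinitely")
    elif policy.refresh_token_lifetime_seconds > MAX_REFRESH_TOKEN_SECONDS:
        findings.append(
            f"refresh token lifetime {policy.refresh_token_lifetime_seconds}s exceeds "
            f"{MAX_REFRESH_TOKEN_SECONDS}s baseline")
    return findings


# Constructed sample policies: an unreviewed org and the same org after hardening.
WEAK_POLICY = OAuthPolicy(
    allowed_flows=["authorization_code", "password", "implicit", "refresh_token"],
    require_pkce_for_public_clients=False,
    refresh_token_rotation=False,
    access_token_lifetime_seconds=24 * 60 * 60,
    refresh_token_lifetime_seconds=None,
)
HARDENED_POLICY = OAuthPolicy(
    allowed_flows=["authorization_code", "refresh_token"],
    require_pkce_for_public_clients=True,
    refresh_token_rotation=True,
    access_token_lifetime_seconds=2 * 60 * 60,
    refresh_token_lifetime_seconds=30 * 24 * 60 * 60,
)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit_policy(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Each finding names the exposure rather than just the setting, so the output doubles as the remediation list an auditor would hand back; the weak sample trips every check and the hardened one trips none.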

How Organizations Use OAuth and OpenID Connect Settings

  • Apex Dynamics Fintech — Apex Dynamics' security team disables the Username-Password OAuth flow in org-wide settings after a penetration test flags it as a risk. They enforce refresh token rotation and set access tokens to expire after 2 hours. These changes apply across all 12 Connected Apps in the org without modifying each app's individual configuration, ensuring a consistent security baseline.
  • NovaCorp Healthcare — NovaCorp's compliance officer configures OAuth settings to disable implicit grant flow and require PKCE (Proof Key for Code Exchange) for all public client applications. They also set the OpenID Connect discovery endpoint to expose only required claims, preventing external apps from requesting excessive user profile data. These settings help satisfy HIPAA audit requirements.
  • GlobalTrade Logistics — GlobalTrade's admin sets a 30-day refresh token expiration in OAuth and OpenID Connect Settings after discovering that former employee integrations still had active refresh tokens months after departure. The policy now requires all integrations to re-authenticate monthly, and the admin schedules quarterly reviews of active tokens alongside the Connected App inventory.
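The three scenarios above all depend on behaviour at the token endpoint: PKCE verification for public clients, refresh token rotation, and a hard refresh token lifetime. The following added example (not Salesforce's code; `TokenServer`, `s256_challenge`, `demo`, and every token and user name in it are constructed) models those controls so their failure modes can be exercised offline: a wrong PKCE verifier, a replayed refresh token, and a token presented after the 30-day limit.

```python
"""Model of the token-endpoint controls from the scenarios above: PKCE (S256)
check on code exchange, refresh token rotation with reuse detection, and a
30-day refresh token lifetime measured from the original authorization.

Added example: TokenServer and its methods are constructed for illustration
and are not Salesforce's implementation. Tokens and users are made up.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ACCESS_TOKEN_LIFETIME = 2 * 60 * 60          # seconds
REFRESH_TOKEN_LIFETIME = 30 * 24 * 60 * 60   # seconds


def s256_challenge(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class RefreshRecord:
    family: str        # every token rotated from one authorization shares a family id
    user: str
    used: bool = False


class TokenServer:
    def __init__(self) -> None:
        self.pending_codes: Dict[str, Tuple[str, str]] = {}   # code -> (user, code_challenge)
        self.refresh_tokens: Dict[str, RefreshRecord] = {}
        self.family_authorized_at: Dict[str, int] = {}        # family -> time of original consent
        self.revoked_families: Set[str] = set()

    def issue_code(self, user: str, code_challenge: str) -> str:
        """Authorization endpoint: bind a single-use code to the client's challenge."""
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (user, code_challenge)
        return code

    def exchange_code(self, code: str, verifier: str, now: int) -> dict:
        """grant_type=authorization_code; the code is consumed even when the exchange fails."""
        user, challenge = self.pending_codes.pop(code, (None, None))
        if user is None:
            raise PermissionError("unknown or already used authorization code")
        if not secrets.compare_digest(s256_challenge(verifier), challenge):
            raise PermissionError("PKCE verification failed")
        family = secrets.token_hex(8)
        self.family_authorized_at[family] = now
        return self._issue_pair(user, family)

    def refresh(self, refresh_token: str, now: int) -> dict:
        """grant_type=refresh_token with rotation, reuse detection and an absolute lifetime."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family in self.revoked_families:
            raise PermissionError("token family revoked")
        if now - self.family_authorized_at[rec.family] > REFRESH_TOKEN_LIFETIME:
            raise PermissionError("refresh token lifetime exceeded; user must re-authenticate")
        if rec.used:
            # A rotated token presented twice means two parties hold copies
            # (the legitimate client plus whoever captured it): revoke the whole family.
            self.revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return self._issue_pair(rec.user, rec.family)

    def _issue_pair(self, user: str, family: str) -> dict:
        new_refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[new_refresh] = RefreshRecord(family, user)
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TOKEN_LIFETIME,
                "refresh_token": new_refresh}


def _denied(fn, *args) -> bool:
    """True if the call was rejected with PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo() -> Dict[str, bool]:
    """Exercise each control; every value should be True."""
    srv = TokenServer()
    verifier = secrets.token_urlsafe(32)
    bad_pkce = _denied(srv.exchange_code, srv.issue_code("alice", s256_challenge(verifier)), "wrong-verifier", 0)
    t0 = srv.exchange_code(srv.issue_code("alice", s256_challenge(verifier)), verifier, 0)
    t1 = srv.refresh(t0["refresh_token"], 100)
    t2 = srv.refresh(t1["refresh_token"], 200)
    reuse = _denied(srv.refresh, t1["refresh_token"], 300)             # replay of an already-rotated token
    family_revoked = _denied(srv.refresh, t2["refresh_token"], 400)    # even the newest token is now dead
    srv2 = TokenServer()
    t = srv2.exchange_code(srv2.issue_code("bob", s256_challenge(verifier)), verifier, 0)
    t = srv2.refresh(t["refresh_token"], 10 * 24 * 60 * 60)            # rotation does not extend the 30 days
    expired = _denied(srv2.refresh, t["refresh_token"], REFRESH_TOKEN_LIFETIME + 1)
    return {"bad_pkce_rejected": bad_pkce,
            "rotation_changes_token": t1["refresh_token"] != t0["refresh_token"],
            "reuse_detected": reuse, "family_revoked": family_revoked, "expired_rejected": expired}


if __name__ == "__main__":
    for check, fired in demo().items():
        print(f"{check}: {'ok' if fired else 'FAILED'}")
```

Two design choices matter here. The lifetime is measured from the original authorization, not from the latest rotation, so an integration really does have to re-authenticate monthly, as in the GlobalTrade scenario; a sliding window would let a quietly refreshing integration live forever. And reuse detection revokes the whole token family rather than just the replayed token, because once a rotated token is seen twice the server cannot tell which holder is legitimate.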
