FAQ-000436 - Connected App Security / OAuth and Authentication Flows

Here are the comprehensive security best practices for implementing OAuth and authentication flows with Connected Apps: **OAuth Implementation Standards:** 1. **Use OAuth as Preferred Method**: OAuth is the preferred mechanism for third-party integrations with Salesforce. Avoid using session IDs for external API calls 2. **Least Privilege Principle**: Request only the minimum necessary permissions for the app's use case. Define OAuth scopes carefully to avoid overly permissive access 3. **Proper Authorization**: Ensure the app is authorized to make calls on behalf of the user without exceeding permissions stated during installation **Secure Authentication Practices:** 1. **Avoid Insecure Flows**: Do not use device flow or username-password flow. Use secure OAuth flows with appropriate app scopes 2. **JWT Bearer Flow**: Use JWT Bearer Flow as a recommended alternative to passing user session IDs for server-to-server integration 3. **No Credential Storage**: Never store Salesforce usernames and passwords via OAuth flow or any other method 4. **Use OAuth Tokens**: For API calls, obtain OAuth tokens instead of using logged-in user's session ID **Secure Storage and Encryption:** 1. **Server-Side Apps**: Encrypt secrets using AES-128 or higher. Store encryption keys securely with separation between application and database layers 2. **Client-Side Apps**: Use vendor-provided secure storage solutions like keychains or keystores. Avoid storing secrets in browser apps 3. **Protected Storage**: Store OAuth secrets and sensitive tokens in protected custom settings or metadata **Communication Security:** 1. **Enforce HTTPS**: Ensure all callback URLs and callouts use HTTPS for secure communication. Meet certificate and SSL configuration requirements 2. **Validate Redirection**: Validate and sanitize all redirection parameters to prevent vulnerabilities 3. **Limit Data Transmission**: Avoid transmitting sensitive data outside the Salesforce platform unless absolutely necessary **Implementation Best Practices:** 1. **Dynamic Connected Apps**: Package connected apps within applications to avoid manual customer setup. Use Developer Edition org to create and configure apps 2. **User Consent**: Configure OAuth flow to require user consent for data access. Clearly explain authorization levels required 3. **Pre-Authorization**: Use "Admin approved users are pre-authorized" option in OAuth policies to streamline authentication 4. **Multi-Org Support**: Package connected apps within applications for multi-org authentication without requiring individual connected apps **Security and Compliance:** 1. **Protect Sensitive Information**: Ensure sensitive information like cryptographic secrets or API credentials is not written to debug logs 2. **Document Permissions**: Follow and document the principle of least privilege for permissions 3. **Use Supported Cryptography**: Encrypt sensitive data using supported cryptography APIs, avoiding custom implementations 4. **Thorough Testing**: Test apps to ensure compliance with Salesforce's security policies and guidelines 5. **Regular Security Scans**: Conduct security assessments and address vulnerabilities before submission **Connected App Configuration:** 1. **Create Proper Setup**: Log in to Developer Edition org, create Connected App via App Manager, configure required fields and X.509 certificate 2. **Record Credentials**: Save Consumer Key and Consumer Secret values securely 3. **Package Integration**: Include Connected App as component in package with Installation URL 4. **Restrict Access**: Configure to restrict access to specific profiles or permission sets