Use External Client Apps When Connected Apps Won’t Do
Learning Objectives
After completing this unit, you’ll be able to:
- Determine when to use External Client Apps instead of Connected Apps.
- Explain how external client apps securely connect third-party applications with Salesforce data.
Connected or External?
If you’ve ever tried to share data between a third-party application and Salesforce, you’re probably already familiar with connected apps. For many years now, connected apps have been the standard for securely exchanging data between your company’s apps and Salesforce.
To quickly review, a connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as Security Assertion Markup Language (SAML), OAuth, and OpenID Connect. Connected apps use these protocols to authorize, authenticate, and provide single sign-on (SSO) for external applications. The external applications that are integrated with Salesforce can run on the customer success platform, other platforms, devices, or SaaS subscriptions.
For their long history, Connected Apps did just what they were supposed to do, but they were lacking in a few key areas. Some people wanted to maintain control over how a connected app was configured even when it was used across different orgs. It was always easy to share a connected app (they’re globally available to anyone after being created). But there was no good way to control how they were used.
That’s where external client apps come in. External Client Apps pick up where Connected Apps left off. They are designed to be shared securely. Now, you can develop your external client app, package it securely, and optionally distribute it on AppExchange.
What Do These Apps Do Again?
Just like with connected apps, your org can benefit from using external client apps. Here’s how they can help your business.
Access Data with API Integration
When developers or independent software vendors (ISVs) build web-based or mobile applications that need to access data from your Salesforce org, you can use external client apps as the clients to request this data. To do so, create an external client app that integrates with Salesforce APIs.
For example, if you want to build a web-based app that pulls in order status from your Salesforce org, you can create an external client app for it. The external client app, with the help of OAuth 2.0, integrates the web-based app with your Salesforce API, giving it authorized access to the defined data.
Or maybe you want to build a mobile app that looks up customer contact information from your Salesforce org. You can use Salesforce Mobile SDK to implement OAuth 2.0 for your external client app. Your external client app integrates the mobile app with your Salesforce API, and gives it authorized access to the defined data.
Depending on the type of external client app that you’re integrating with the Salesforce API, you can choose from several OAuth 2.0 authorization flows.
Integrate Service Providers with Salesforce
When Salesforce acts as your identity provider, you can use an external client app to integrate your service provider with your org. This is used as a single sign-on process.
Provide Authorization for External API Gateways
Salesforce can act as an independent OAuth authorization server to protect resources hosted on an external API gateway.
Manage Access to Third-Party Apps
If your org uses third-party apps, like the ones from the AppExchange, admins can set security policies to control what data the third-party app can access from your org. Admins can also define who can use the third-party app.
For example, you install a third-party app that allows your org’s users to make travel reservations. By selecting the option “Admin approved users are pre-authorized” for the external client app, you can assign specific user permission sets to the app. Only the users with this user profile can access the app. You can also set a refresh token policy to revoke the travel reservation app’s access to your Salesforce data after a set amount of time.
In addition to setting security policies to manage third-party apps, you can uninstall, and—when necessary—block these apps from the Salesforce org.
Who Uses the Apps and How?
There have always been two broad types of users for connected apps: app developers who create the connected apps (we’ll just call them developers) and administrators for the orgs that subscribe to the connected apps (admins, for short). These user roles were not well-defined in connected apps. The settings that each user type configured were intertwined, and it was impossible to set up permissions to restrict each user to their role.
When it comes to external client apps, developers, as the title suggests, develop and configure external client apps. Admins set the apps up for use in their own org.
It shouldn’t come as a surprise that these two roles often fall to the same person (and one person can certainly have both permission sets), but it’s useful to set up external client apps with distinct users in mind. Thinking about the responsibilities and permissions that each user would need, Salesforce created two types of configurations.
- Settings: Developers control configurations on the Settings tab. They can set default values and take special steps to secure sensitive information like OAuth consumer secrets that keep data safe.
- Policies: Admins control configurations on the Policies tab, which they can use to fine-tune the app for the purposes of their org.
Package Before Shipping
While connected apps are globally available by default, external client apps are secure and local by default. External client apps include a distribution state setting that is configured in the settings file. You can choose from two options for distribution state.
- Local: Can be used only in the context of its org.
- Packaged: Can be added to a second-generation (2GP) managed package and distributed.
Now that you have a better understanding of the differences between connected apps and external client apps, let’s look at how different users help create and distribute an external client app.