
Maintain Your Identity & Access Architect Certification for Winter ’23

Learning Objectives

After completing this unit, you’ll be able to:

  • Set up server-to-server integrations with the OAuth 2.0 client credentials flow.
  • Verify user identity with WebAuthn (FIDO2) security keys.
  • Verify your identity to access consumer key and consumer secret.
  • Disable users from logging into an org or Experience Cloud site with login credentials as URL query string parameters.
  • Block the OAuth 2.0 username-password flow at an org-wide level.
  • Rotate the consumer key and consumer secret of a connected app.
Note: To maintain your certification, you must complete all five units of this module.

Set Up Server-to-Server Integrations with the OAuth 2.0 Client Credentials Flow

To directly share information between Salesforce and a third-party app, set up the OAuth 2.0 client credentials flow. With this flow, the third party exchanges the client credentials defined in the connected app—its consumer key and consumer secret—for an access token. Since there’s no explicit user interaction in the client credentials flow, it’s useful for scenarios such as running automated reports. We also recommend using this flow as a more secure alternative to the OAuth 2.0 username-password flow.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.
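The exchange described above, as an added example that is not Salesforce's own code or part of this page: the client posts `grant_type=client_credentials` with the consumer key and secret in the request body to the org's `/services/oauth2/token` endpoint and validates the JSON it gets back. The My Domain URL, consumer key, consumer secret and the sample response are placeholder values constructed for the example.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"  # Salesforce OAuth 2.0 token endpoint

# Constructed sample of the JSON a successful token request returns (placeholder values).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
    "instance_url": "https://MyDomainName.my.salesforce.com",
    "token_type": "Bearer",
})


def build_token_request(my_domain_url, consumer_key, consumer_secret):
    """Return (url, body, headers) for a client credentials token request.

    The consumer key and secret go in the POST body, never in the URL, so they
    do not end up in proxy or web-server access logs; HTTPS is mandatory.
    """
    if not my_domain_url.startswith("https://"):
        raise ValueError("token endpoint must be reached over HTTPS")
    url = my_domain_url.rstrip("/") + TOKEN_PATH
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def parse_token_response(raw):
    """Validate the token response and return only the fields the caller needs."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}")
    for field in ("access_token", "instance_url", "token_type"):
        if field not in data:
            raise ValueError(f"token response missing {field}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return {k: data[k] for k in ("access_token", "instance_url", "token_type")}


def request_access_token(my_domain_url, consumer_key, consumer_secret):
    """Perform the exchange; neither the secret nor the token is ever logged."""
    url, body, headers = build_token_request(my_domain_url, consumer_key, consumer_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(resp.read().decode())
```

Call `request_access_token("https://MyDomainName.my.salesforce.com", key, secret)` with the connected app's real consumer details; the returned `access_token` is then sent as a Bearer token to the `instance_url`.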

Verify User Identity with WebAuthn (FIDO2) Security Keys

To meet the latest authentication standards, Salesforce now supports WebAuthn security keys. Users can register a WebAuthn or U2F security key for identity verification. To maintain compatibility with web browsers, previously registered U2F keys adopt WebAuthn APIs when used for the first time after Summer ’22.

Where: This change applies to Lightning Experience, Salesforce Classic, and all Salesforce mobile apps in all editions.

Verify Your Identity to Access Consumer Key and Consumer Secret

For improved security, you’re now required to verify your identity before viewing your connected app’s consumer key and consumer secret, also known as the client ID and client secret. On the connected app’s Manage Connected Apps page, you must complete multi-factor authentication (MFA) using one of your registered identity verification methods before you can see the consumer details. You can view the consumer details for up to 5 minutes before you're challenged to re-verify your identity.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Disable Users from Logging Into an Org or Experience Cloud Site with Login Credentials as URL Query String Parameters

For improved security, users can no longer log in to Salesforce by using a username and password as URL query string parameters to the login URL. Any users who attempt it are redirected to the login page.

Where: This change applies to Lightning Experience, Salesforce Classic, and the Salesforce Mobile App in all editions.

When: This update was first made available in Winter ’22 and was enforced in Spring ’22.

Who: This update impacts you if your users or integrations log in or authenticate by passing un= and pw= as query string parameters to the login URL.

How: To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Disable Users from Logging in to an Org with Login Credentials as Query String Parameters, enable the test run and note whether users have any login or authentication issues. If users are redirected to the login page or see a redirect status code, you must change your login and authentication integrations.
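Besides the test run, you can find the affected integrations in your own proxy or web-server logs. The following audit script is an added example, not Salesforce's code or part of this page: it parses each request line, flags any whose query string carries `un=` or `pw=`, and reports the line, client address and username so the integration can be identified, while deliberately never returning the password value. The log lines are constructed sample data in a common access-log layout.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). Line 3 shows an integration
# passing un= and pw= on the login URL, which Salesforce now rejects with a redirect.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2023:08:01:11 +0000] "GET /login?startURL=%2Fhome HTTP/1.1" 302
10.0.0.9 - - [12/Jan/2023:08:02:40 +0000] "POST /services/oauth2/token HTTP/1.1" 200
10.0.0.7 - - [12/Jan/2023:08:03:02 +0000] "GET /login?un=report.bot%40example.com&pw=s3cret HTTP/1.1" 302
10.0.0.7 - - [12/Jan/2023:08:03:03 +0000] "GET /secur/frontdoor.jsp?sid=REDACTED HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
CREDENTIAL_PARAMS = ("un", "pw")


def find_credential_query_logins(log_text):
    """Return one (line_no, client, method, username, params) tuple per request whose
    query string carries un= or pw=. The password value is never returned, so the
    finding itself does not re-expose the credential."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        present = [p for p in CREDENTIAL_PARAMS if p in query]
        if present:
            client = line.split(" ", 1)[0]
            username = query.get("un", ["<none>"])[0]
            findings.append((line_no, client, m.group("method"), username, present))
    return findings


if __name__ == "__main__":
    for line_no, client, method, username, params in find_credential_query_logins(SAMPLE_LOG):
        print(f"line {line_no}: {client} {method} login with {params} as {username}")
```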

Block the OAuth 2.0 Username-Password Flow at an Org-Wide Level

To keep your org secure, you can block all connected apps in your org from using the OAuth 2.0 username-password flow. We recommend blocking the flow so that developers can’t use it to build new integrations. However, blocking the flow can break any existing integrations that use the flow, such as managed packages and mobile apps. Be sure to audit and test your integrations before blocking to avoid disruptions.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Rotate the Consumer Key and Consumer Secret of a Connected App

Improve the security of your connected apps with minimal app downtime. To keep your consumer key and consumer secret fresh, swap them with new consumer details. Prepare for the new details by generating staged values and sharing them with your connected app integrations. When you’re ready, apply the new consumer details.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.
