Streamline Connected App Integrations with OAuth 2.0 Endpoints (Beta)

As part of OpenID Connect authentication, Salesforce now supports the OAuth 2.0 dynamic client registration and token introspection endpoints. Dynamic client registration allows OpenID Connect client apps to automatically create child OAuth 2.0 connected apps with Salesforce. Token introspection enables client apps to check the current state of an OAuth 2.0 access or refresh token.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Note

As a beta feature, the support of OAuth 2.0 dynamic client registration and token introspection endpoints is a preview and isn’t part of the “Services” under your master subscription agreement with Salesforce. Use this feature at your sole discretion, and make your purchase decisions only on the basis of generally available products and features. Salesforce doesn’t guarantee general availability of this feature within any particular time frame or at all, and we can discontinue it at any time. This feature is for evaluation purposes only, not for production use. It’s offered as is and isn’t supported, and Salesforce has no liability for any harm or damage arising out of or in connection with it. All restrictions, Salesforce reservation of rights, obligations concerning the Services, and terms for related Non-Salesforce Applications and Content apply equally to your use of this feature. You can provide feedback and suggestions for Salesforce Identity Group in the Trailblazer Community. For information about enabling this feature in your org, contact Salesforce.

How: This solution follows the OAuth 2.0 Dynamic Client Registration Protocol and the OAuth 2.0 Token Introspection specification.

After configuring the OAuth 2.0 connected app, contact Salesforce to request an initial access token. Salesforce requires this token to authenticate the dynamic client registration request. For information about configuring these endpoints for MuleSoft Access Management, see MuleSoft Anypoint.

Important

The dynamic client registration and token introspection endpoints support the login.salesforce.com URL only after all instances are upgraded to the Winter ’19 release. If you enable these endpoints before all instances are upgraded to Winter ’19, use a My Domain, community, or instance URL.
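The following added example (not Salesforce code) sketches the client side of the flow described above: it builds an RFC 7591 registration request authenticated with the initial access token, refuses login.salesforce.com unless the caller confirms all instances are upgraded, and evaluates an RFC 7662 introspection response. The endpoint path, the host `example.my.salesforce.com`, the token value, and the function names are assumptions that do not appear on this page.

```python
import json
import time
from urllib.parse import urlsplit

# Assumption: the endpoint path is not given on this page; confirm it for your org.
REGISTER_PATH = "/services/oauth2/register"

def check_base_url(base_url, all_instances_on_winter19=False):
    """Reject non-HTTPS URLs, and login.salesforce.com before the upgrade completes."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base URL must be an absolute https:// URL")
    if parts.hostname.lower() == "login.salesforce.com" and not all_instances_on_winter19:
        raise ValueError("use a My Domain, community, or instance URL")
    return f"https://{parts.netloc}"

def build_registration_request(base_url, initial_access_token, redirect_uris,
                               client_name, all_instances_on_winter19=False):
    """RFC 7591 request: JSON client metadata, sent with the initial access token."""
    url = check_base_url(base_url, all_instances_on_winter19) + REGISTER_PATH
    headers = {
        "Authorization": f"Bearer {initial_access_token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps({"redirect_uris": list(redirect_uris), "client_name": client_name})
    return url, headers, body

def token_is_usable(introspection, required_scope, now=None):
    """RFC 7662 response check: only 'active' is required; other claims are optional."""
    if introspection.get("active") is not True:
        return False  # inactive, revoked, expired, or unknown token
    now = time.time() if now is None else now
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False  # defensive: do not trust a stale cached response
    granted = set((introspection.get("scope") or "").split())
    return required_scope in granted

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(build_registration_request("https://example.my.salesforce.com",
                                     "PLACEHOLDER_INITIAL_TOKEN",
                                     ["https://client.example/callback"], "Example client"))
    print(token_is_usable({"active": True, "scope": "api openid"}, "api"))
```

Treat the initial access token as a secret: anyone holding it can register connected apps, so load it from a secrets store rather than source code.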