
Create a Connected App

A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as Security Assertion Markup Language (SAML), OAuth, and OpenID Connect.

Connected apps use these protocols to authorize, authenticate, and provide single sign-on (SSO) for external apps.

Salesforce performs two processes before allowing the external application to access its data:

  1. Authentication/authorization process (using Salesforce credentials, including the client ID and client secret provided by the user), which generates the authorization code.

  2. Access token process: using the authorization code, the user requests an access token from Salesforce.

Finally, using the access token, the user can request access to the data.



OpenID Connect:

To integrate a service provider with your Salesforce org, you can use a connected app that implements OpenID Connect for user authentication.

To use this option, the service provider must accept OpenID Connect tokens.

Configure a connected app with the OpenID Connect scope for your service provider. The OpenID Connect scope passes user information in an ID token.

Users can then log in to the external app with their Salesforce or Communities credentials.


For example, you want your users to sign on directly from your Salesforce org to an external Wellness Tracker app that accepts OpenID Connect. So you create a connected app for the Wellness Tracker app. For the connected app, you enable OAuth settings, select the “Allow access to your unique identifier (openid)” scope, and configure an ID token. This configuration enables the SSO flow for your Wellness Tracker app by integrating the service provider with your Salesforce org.

  1. Create your connected app, and complete its basic information.

  2. Configure the necessary OAuth settings for the connected app.

  3. Select the Allow access to your unique identifier (openid) scope to apply to the connected app.

  4. Select Configure ID token.

  5. With the primary ID token setting enabled, configure the secondary settings that control the ID token contents in both access and refresh token responses. Specify these settings:

  • Token Valid for: The length of time that the ID token is valid for after it’s issued. The period can be from 1 to 720 minutes. The default is 2 minutes.

  • ID Token Audiences: The intended consumers of the ID token. For example, the target service where you use the ID token, such as https://your_service.com.

  • Include Standard Claims: Include the standard claims that contain information about the user, such as the user’s name, profile, phone number, and address. The OpenID Connect specifications define a set of standard claims to be returned in the ID token.

  • Include Custom Attributes: If your app has specified custom attributes, include them in the ID token.

  • Include Custom Permissions: If your app has specified custom permissions, include them in the ID token.

  • To automatically log users out of the service provider when they log out of Salesforce, select Enable Single Logout.

  • Enter the single logout endpoint of the service provider. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL starting with https://.

  • When you’ve configured all settings for your connected app, click Save.
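Once the ID token reaches the Wellness Tracker app, that service has to check the claims against what was configured above (audience, issuer, lifetime, nonce) before trusting them. The following Python is an added example, not code from the original post or from Salesforce; the audience, issuer and sample token are constructed, and a real token additionally needs its RS256 signature verified against the issuer's published keys.

```python
import base64
import json
import time

# Constructed values for this example (not from the page): the URL entered
# under "ID Token Audiences" and the issuer of the org that minted the token.
EXPECTED_AUD = "https://your_service.com"
EXPECTED_ISS = "https://login.salesforce.com"
MAX_LIFETIME_S = 720 * 60  # upper bound of the "Token Valid for" setting


def decode_jwt_claims(token):
    """Return the claims of a compact JWT. The signature is NOT verified here;
    check it (RS256 against the issuer's JWKS) before trusting these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, expected_aud=EXPECTED_AUD, expected_iss=EXPECTED_ISS,
                          nonce=None, now=None):
    """Relying-party checks from OpenID Connect Core 3.1.3.7.
    Returns the failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be a list
    if expected_aud not in aud:
        problems.append("aud does not name this service")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("exp missing or token expired")
    elif not isinstance(iat, (int, float)) or exp - iat > MAX_LIFETIME_S:
        problems.append("iat missing or lifetime exceeds the configurable maximum")
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    return problems


def make_sample_token(claims):
    """Constructed token for local testing; real ID tokens carry an RS256 signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-sig"])
```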

OpenID Connect Dynamic Client Registration and Token Introspection

Dynamic client registration enables resource servers to dynamically create client apps as connected apps. The client apps are external applications requesting access to the protected resources.

To dynamically create client apps as connected apps, the resource server sends the authorization server (Salesforce) a request to create a connected app for the client app.

The authorization server verifies the resource server’s request and creates the connected app, giving it a unique client ID and client secret.

Token introspection allows all OAuth connected apps to check the current state of an OAuth 2.0 access or refresh token.

The resource server or connected apps send the client app’s client ID and secret to the authorization server, initiating an OAuth authorization flow.

As part of this flow, the authorization server validates (or introspects) the client app’s access token. If the access token is current and valid, the client app is granted access.


How the External API Gateway Authorization Flow Works

  1. Your Order Status API is available on MuleSoft’s API portal.

  2. Your partners log in to MuleSoft and create a client application to access the Order Status API.

  3. The new client app automatically sends a request to the Salesforce dynamic client registration endpoint to create a connected app for the client app.

  4. After a successful registration, Salesforce returns a client ID and client secret for the connected app, which is shared with the partner.

  5. The partner sends a request with the client credentials to the API gateway, specifying the grant type (authorization code) with which to approve the client.

  6. The partner is redirected to a browser to log in to Salesforce, and to authorize access to data. This authorization is based on scopes associated with the corresponding connected app in Salesforce.

  7. With a successful authorization code grant flow, Salesforce sends an access token to the client app.

  8. The client app sends its access token to the API gateway, requesting access to the protected order status data.

  9. The API gateway extracts the access token and sends it to the Salesforce token introspection endpoint.

  10. Salesforce validates the access token.

  11. The API gateway grants the client app access to the data protected by your Order Status API hosted on MuleSoft.
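Steps 9 to 11 are the gateway's side of token introspection: it forwards the bearer token with its own client credentials, and only an active token carrying the right scope opens the protected API. The following Python is an added example, not MuleSoft's or Salesforce's code; the My Domain host and the `/services/oauth2/introspect` path are assumed, the HTTPS call is replaced by an offline stub, and the response shape follows RFC 7662.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed for this example (not from the page): a My Domain host and the RFC 7662 path.
# The gateway authenticates with the client ID and secret that Salesforce returned
# when the connected app was created through dynamic client registration.
INTROSPECT_URL = "https://mydomain.example.my.salesforce.com/services/oauth2/introspect"
REQUIRED_SCOPE = "api"  # scope the Order Status API demands


def urllib_transport(url, body, headers):
    """Real transport: POST the form body and return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read())


def introspect(token, client_id, client_secret, transport=urllib_transport, url=INTROSPECT_URL):
    """Ask the authorization server whether a bearer token is live (RFC 7662)."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, data = transport(url, body, headers)
    if status != 200:
        raise RuntimeError(f"introspection failed with HTTP {status}")
    return data


def gateway_decision(introspection, required_scope=REQUIRED_SCOPE, now=None):
    """Return (allowed, reason): only an active token carrying the scope opens the API."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:  # unknown or revoked tokens answer active=false
        return False, "token inactive, revoked or unknown"
    exp = introspection.get("exp")
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "token expired"
    granted = set((introspection.get("scope") or "").split())
    if required_scope not in granted:
        return False, f"scope {required_scope!r} not granted"
    return True, f"access granted to client {introspection.get('client_id')}"


def fake_transport(responses):
    """Offline stand-in for the HTTPS call: answers from a dict keyed by token value."""
    def send(url, body, headers):
        token = urllib.parse.parse_qs(body.decode())["token"][0]
        return 200, responses.get(token, {"active": False})
    return send
```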



©2020 by SalesforceDemystified.
