I'm writing a web app that prompts the user to sign in to Salesforce via OAuth consent, so I've created a connected app in my organization's instance and am using the generated consumer key and consumer secret to do this.

It allows a user to visit the web app, visit the oauth consent screen, approve access for the web app and return with the app now having an access token.

This is good, but I realized that during the OAuth process I can sign in to any Salesforce org. I tested this with another org and the process works. This is fine, since I'm intending to distribute this app.

I don't understand what role the org I created the app under plays. Like I said, I'm using the consumer key/secret I copied from my Salesforce org under Setup -> Manage Connected Apps.

Is it OK to allow anyone to use the app? This is my intention, but I expected to have to publish the app or make it public somehow.

rosghub

1 Answer

Yes.

Connected Apps are essentially global metadata. They can be "installed" into specific orgs to allow admins in that org to configure policies for the app, such as preapproved Profiles and Permission Sets. However, for your external application to use the Connected App to authenticate into an org, there's no need to install in the target org. Just keep the Connected App in a single, permanent org that you own, and protect your client secret.

David Reed
  • I see. Unrelated, but do you know if there is a way to add some custom fields and some Apex triggers/classes to an org during installation? My external application depends on these. If not, what would I need? – rosghub Aug 07 '20 at 23:58
  • @jefferson You would want to be delivering a managed package, which the user would install outside the context of your app's OAuth flow. – David Reed Aug 08 '20 at 00:02
  • So I need to do the OAuth for an access token, and direct the user to install a managed package. Is there a way to combine what I'm doing here (getting an access token) and delivering a managed package into one step? – rosghub Aug 08 '20 at 00:05
  • No, those operations are separate. Your application should not attempt to install its own managed package on the user's behalf. – David Reed Aug 08 '20 at 00:07
  • I understand; but is there a way, when installing a managed package, to send a notification to my server letting me know it's been installed, and somehow get an access token without user interaction? The goal being to minimize steps for the user. – rosghub Aug 08 '20 at 00:09
  • No, that would be insecure. These steps must be done separately. – David Reed Aug 08 '20 at 00:11
  • Wanted to know one more thing on the connected apps. So my external app depends on 1) a connected app to access data through the API, and 2) a managed package to create some custom fields. Do I need to add the connected app to the managed package? (If I understand your answer correctly, I think the answer is no?) And if so, will I continue using the consumer key/secret key from the org I created it on? – rosghub Aug 09 '20 at 21:27
  • No, you don't add it to the package. – David Reed Aug 09 '20 at 23:06
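To make the accepted answer concrete, here is the server side of the OAuth 2.0 web-server flow the question describes, written as an added example rather than code from the poster or from Salesforce. It shows the two points the answer makes: the same consumer key works against any org because the authorize and token endpoints live on login.salesforce.com, not on the org that owns the connected app, and the org you end up calling is whatever `instance_url` the token response names. It also adds the checks a distributed app needs: a per-login `state` value that is compared on the callback (without it, an attacker can complete the flow with their own authorization code in the victim's session), PKCE, and keeping the client secret on the server. Everything here is standard library only; `CONSUMER_KEY`, the redirect URI, the session dict, the authorization code and the token response at the bottom are constructed placeholders, and the `.salesforce.com` host check on `instance_url` is a conservative assumption you may need to relax for your own deployment.

```python
"""Server-side OAuth 2.0 web-server flow against Salesforce (added example, not the poster's code).

Nothing here performs network I/O: handle_callback() returns the token request it
would send so the flow can be exercised offline. All placeholder values are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Shared login endpoint used by every production org; use https://test.salesforce.com for sandboxes.
LOGIN_HOST = "https://login.salesforce.com"


def begin_login(session, client_id, redirect_uri, scope="api refresh_token"):
    """Build the authorize URL and stash the one-time state and PKCE verifier in the user's session.

    session is a per-user, server-side dict (hypothetical stand-in for your framework's session).
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()
    ).rstrip(b"=").decode()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": client_id,          # consumer key: public, fine to expose in the URL
        "redirect_uri": redirect_uri,    # must match the connected app's callback URL exactly
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def handle_callback(session, callback_url, client_id, client_secret, redirect_uri):
    """Validate the redirect back from Salesforce and build the code-exchange request.

    Returns (token_endpoint, form_body). Raises PermissionError on denied consent or a
    state mismatch, ValueError if no code came back.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"authorization failed: {qs['error'][0]}")
    expected = session.pop("oauth_state", None)
    received = qs.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state means this callback was not started by us.
    if not expected or not hmac.compare_digest(received, expected):
        raise PermissionError("state mismatch: refusing to exchange the code")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,   # server side only; never send this to the browser
        "redirect_uri": redirect_uri,
        "code_verifier": session.pop("pkce_verifier"),
    }
    return f"{LOGIN_HOST}/services/oauth2/token", body


def api_base_from_token_response(token_response):
    """Pick the org to call from the token response (a dict parsed from the JSON body).

    The connected app's home org plays no part here: instance_url names whichever org
    the user authenticated into, and that is where the access token is valid.
    """
    for key in ("access_token", "instance_url", "id"):
        if key not in token_response:
            raise ValueError(f"token response missing {key}")
    inst = urlparse(token_response["instance_url"])
    # Assumption: production instance hosts end in .salesforce.com; relax for other domains if needed.
    if inst.scheme != "https" or not inst.hostname or not inst.hostname.endswith(".salesforce.com"):
        raise ValueError("unexpected instance_url in token response")
    return token_response["instance_url"].rstrip("/") + "/services/data"


if __name__ == "__main__":
    session = {}
    redirect = "https://app.example.com/oauth/callback"
    print(begin_login(session, "CONSUMER_KEY", redirect))
    # Constructed callback, as if Salesforce redirected back with our state and a code.
    callback = f"{redirect}?code=aPrxConstructedCode&state={session['oauth_state']}"
    endpoint, form = handle_callback(session, callback, "CONSUMER_KEY", "CONSUMER_SECRET", redirect)
    print(endpoint, {k: v for k, v in form.items() if k != "client_secret"})
    # Constructed token response from a different org than the one that owns the connected app.
    sample = {"access_token": "00D...!AQ...", "instance_url": "https://other-org-dev-ed.my.salesforce.com",
              "id": "https://login.salesforce.com/id/00Dxx/005xx", "token_type": "Bearer"}
    print(api_base_from_token_response(sample))
```

The callback handler pops the state and verifier from the session so each can be used exactly once; a second callback with the same values fails the state check. Store the resulting `access_token` and `instance_url` together, since the token is only meaningful against that instance.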