Use custom OAuth 2.0 authentication

OAuth 2.0 (Open Authorization 2.0) is an open standard for access delegation, commonly used to grant third-party applications limited access to a user’s resources without exposing their credentials. It allows secure access to a resource on behalf of a user while maintaining data protection and minimizing security risks.

In user-based flows, OAuth 2.0 requires a browser for one-time user consent: the user authorizes the application’s request to access their data through a browser. Once consent is granted, the application can use the refresh token to maintain access without further browser-based authentication.

Salesforce supports two approaches for configuring OAuth access:

  • Connected Apps – The standard option for most OAuth integrations. A connected app is typically used for user-based authentication flows, where a user signs in through a browser, grants consent, and the application receives OAuth tokens such as an access token and refresh token.
  • External Client Apps – An alternative option that supports additional OAuth scenarios, including server-to-server authentication through the Client Credentials flow. This approach provides more granular control over OAuth flow enablement, client secret requirements, and policy settings for issuing tokens on behalf of a specified user.

Create a connected app in Salesforce for OAuth

Create a connected app to enable OAuth-based integration and allow external applications to securely access Salesforce data:

1. Log in to Salesforce, then navigate to Setup.

2. In the Quick Find search box, type App, then select App Manager.

3. Select New Connected App.

4. In the dialog that appears, select Create a Connected App, then click Continue.

5. In the Basic Information section, provide the following details:

  • Connected App Name: A unique identifier for your application, displayed to users during authentication.
  • API Name: An automatically generated value based on the app name.
  • Contact Email: A support email address for inquiries and notifications.

6. Under API (Enable OAuth Settings), select Enable OAuth Settings, then enter the Callback URL: http://localhost:56420.

7. Under Selected OAuth Scopes, select the necessary permissions for your application by clicking Add. Commonly used scopes include:

  • refresh_token and offline_access: These scopes allow the application to refresh access tokens without requiring user reauthentication.
  • api: This scope grants access to Salesforce APIs for data retrieval and manipulation.
  • full: This scope provides full access to Salesforce data, including read and write permissions.

8. Click Save to create the Connected App.

Obtain OAuth client credentials for connected app connection

1. Navigate to the App Manager, locate your app, then click View.

2. Next to Consumer Key and Secret, select Manage Consumer Details.

A page opens displaying your Consumer Key (Client ID) and Consumer Secret.

Create an external client app in Salesforce

1. Log in to Salesforce, then navigate to Setup.

2. Navigate to Apps > External Client Apps > External Client App Manager, then select New External Client App.

3. Under Basic Information, specify the required details. In Distribution State, select Local.

4. Under API (Enable OAuth Settings):

  • Select Enable OAuth
  • Enter a Callback URL: http://localhost:56420
  • Add OAuth Scopes:
    • Manage user data via APIs (api)
    • Perform requests at any time (refresh_token, offline_access)

5. In Flow Enablement, select the option that matches your authentication scenario:

  • Enable Authorization Code and Credentials Flow – for user-based authentication.
  • Enable Client Credentials Flow – for server-to-server authentication.

6. In Security:

  • For user-based authentication:
    • Select Require secret for Web Server Flow.
    • Select Require secret for Refresh Token Flow.
  • For server-to-server authentication:
    • Clear all checkboxes.

7. Click Create.

Configure an external client app for the OAuth 2.0 client credentials flow

In server-to-server authentication, the client application uses the consumer key and consumer secret defined in the external client app to request an access token. You must specify the integration user whose permissions will be used when accessing Salesforce data.

1. Open the created external client app.

2. On the Policies tab, click Edit.

3. In OAuth Policies, select Enable Client Credentials Flow.

4. Specify the user on whose behalf tokens will be issued.

5. Click Save.

Obtain OAuth client credentials for external client app connection

1. Navigate to Apps > External Client Apps > External Client App Manager.

2. Locate your app and open it.

3. Select Settings > OAuth Settings > Consumer Key and Secret.

4. Copy and store the consumer details.
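
The token request that the consumer key and secret are used for, as an added example (not Devart or Salesforce code): it builds the request for the client credentials flow and, going slightly beyond this section, for the refresh token flow, and parses the response. `/services/oauth2/token` is the Salesforce token endpoint; the `SF_*` environment variable names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"  # Salesforce OAuth 2.0 token endpoint


def build_token_request(server, consumer_key, consumer_secret, refresh_token=None):
    """Build (not send) the token POST. refresh_token=None selects the client
    credentials flow; otherwise the refresh token flow after browser consent."""
    url = urllib.parse.urlsplit(server)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("server must be an https:// URL so the secret is never sent in clear text")
    form = {"client_id": consumer_key, "client_secret": consumer_secret}
    if refresh_token is None:
        form["grant_type"] = "client_credentials"
    else:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    # Credentials go in the form-encoded body, not the query string,
    # which keeps them out of proxy and access logs.
    return urllib.request.Request(
        f"https://{url.netloc}{TOKEN_PATH}",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(body):
    """Return (access_token, instance_url), or raise with the server's error text."""
    doc = json.loads(body)
    if "error" in doc:
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    return doc["access_token"], doc["instance_url"]


if __name__ == "__main__":
    # SF_SERVER, SF_CONSUMER_KEY, SF_CONSUMER_SECRET: hypothetical variable names.
    env = os.environ
    req = build_token_request(env["SF_SERVER"], env["SF_CONSUMER_KEY"], env["SF_CONSUMER_SECRET"])
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            token, instance = parse_token_response(resp.read())
        print(f"token issued by {instance} ({len(token)} characters, value not printed)")
    except urllib.error.HTTPError as err:
        parse_token_response(err.read())  # raises with error/error_description
```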

Connect with OAuth client credentials

Configure a DSN for Salesforce using the obtained consumer key and secret.

Connect on Windows

1. In ODBC Data Source Administrator, create a DSN for Devart ODBC Driver for Salesforce.

2. In the Devart ODBC Driver for Salesforce Configuration dialog, specify the connection details:

  • Data Source Name – Enter a name for the DSN.
  • Server – Specify the Salesforce instance (for example, https://login.salesforce.com).
  • Authentication – Select OAuth 2.0.
  • Consumer Key – Enter the public identifier of your custom application in Salesforce.
  • Consumer Secret – Enter the secret of your custom application in Salesforce, which is used together with the consumer key to authenticate and verify the application.
  • Refresh Token – Click Sign in to Salesforce, log in with your Salesforce username and password, and authorize the application. The Salesforce refresh token appears in the field.

3. Click OK to save the DSN settings.

Connect on macOS

1. In Devart ODBC Administrator, create a DSN for Devart ODBC Driver for Salesforce.

2. In the Devart ODBC Driver for Salesforce Configuration dialog, specify the connection details:

  • Data Source Name – Enter a name for the DSN.
  • Server – Specify the Salesforce instance (for example, https://login.salesforce.com).
  • Authentication – Select OAuth 2.0.
  • Consumer Key – Enter the public identifier of your custom application in Salesforce.
  • Consumer Secret – Enter the secret of your custom application in Salesforce, which is used together with the consumer key to authenticate and verify the application.
  • Refresh Token – Click Sign in to Salesforce, log in with your Salesforce username and password, and authorize the application. The Salesforce refresh token appears in the field.

3. Click OK to save the DSN settings.

Connect on Linux

1. In Devart ODBC Administrator, create a DSN for Devart ODBC Driver for Salesforce.

2. In the Devart ODBC Driver for Salesforce Configuration dialog, specify the connection details:

  • Data Source Name – Enter a name for the DSN.
  • Server – Specify the Salesforce instance (for example, https://login.salesforce.com).
  • Authentication – Select OAuth 2.0.
  • Consumer Key – Enter the public identifier of your custom application in Salesforce.
  • Consumer Secret – Enter the secret of your custom application in Salesforce, which is used together with the consumer key to authenticate and verify the application.
  • Refresh Token – Click Sign in to Salesforce, log in with your Salesforce username and password, and authorize the application. The Salesforce refresh token appears in the field.

3. Click OK to save the DSN settings.
