An application is an OAuth client / OpenID Connect Relying Party that interacts directly with users.

Application Record

General Settings

| Attribute | Required | Description |
|---|---|---|
| Name | Yes | The application name. Maps to `client_name` in Dynamic Client Registration |
| Realm__c | Yes | The Realm under which the application lives |
| ApplicationType__c | Yes | Application type. Possible values: `web` or `native` |
| Contacts__c | No | List of email addresses for the contacts of this application |
| ClientUri__c | No | A URL shown to users during the consent process so that they can better understand the purpose of the target application |
| TosUri__c | No | Follows OpenID |
| PolicyUri__c | No | Follows OpenID |
| LogoUri__c | No | Follows OpenID |

Client credentials

| Attribute | Required | Description |
|---|---|---|
| ClientId__c | Yes | A unique identifier for the application. You must ensure that this value is generated by your administrator or through DCR; the end user must never be allowed to choose this value |
| ClientSecret__c | No | Only required for web applications |

OAuth Settings

| Attribute | Required | Description |
|---|---|---|
| ResponseTypes__c | Yes | `response_types` which the client commits to use. All other `response_types` will be rejected |
| GrantTypes__c | Yes | `grant_types` which the client commits to use. All other `grant_types` will be rejected |
| RedirectUris__c | Yes | `redirect_uris` which the client commits to use. All other `redirect_uris` will be rejected |
| AccessTokenExpirationTime__c | Yes | Expiration time for `access_tokens` when this client is the audience. If no value is specified, the Realm's `access_token_expiration_time` is used |
| AccessTokenSigningAlgValue__c | Yes | Algorithm used to sign the `access_token` when this application is the audience. A JWK with this algorithm must be available in the Realm JWKS. If no value is specified, the Realm's `access_token_signing_alg_value` is used |
| RefreshTokenExpirationTime__c | Yes | Expiration time for `refresh_tokens` issued to this client: either the value defined by the Realm or the value defined by an administrator. If no value is specified, the Realm's `refresh_token_expiration_time` is used |
| TokenEndpointAuthMethod__c | Yes | Authentication method used when calling the `token_endpoint` |
| TokenEndpointAuthSigning__c | No | Required only when `token_endpoint_auth_method` is `private_key_jwt` or `client_secret_jwt` |
| RevocationEndpointAuthMethod__c | Yes | Authentication method used when calling the `revocation_endpoint` |
| RevocationEndpointAuthSigning__c | No | Required only when `revocation_endpoint_auth_method` is `private_key_jwt` or `client_secret_jwt` |
| IntrospectionEndpointAuthMethod__c | Yes | Authentication method used when calling the `introspection_endpoint` |
| IntrospectionEndpointAuthSigning__c | No | Required only when `introspection_endpoint_auth_method` is `private_key_jwt` or `client_secret_jwt` |
| IsAdminApproved__c | No | Whether or not to ask users for consent when accessing this client |
| CodeChallengeMethod__c | No | The code challenge method the client uses with the PKCE extension in the authorization flow. PKCE is highly recommended for native apps |
| RefreshTokenRotation__c | No | Whether to issue a new `refresh_token` on every `token_endpoint` `refresh_token` flow. To enable `refresh_tokens` for native clients, you must enable `refresh_token_rotation` |
| DefaultAudience__c | No | A ResourceServer which will be the audience for all `access_tokens` generated for this App if no `resource` is specified in the request. If blank, the current client will be the audience |

OpenID Connect Settings

| Attribute | Required | Description |
|---|---|---|
| IdTokenSignedResponseAlg__c | Yes | Signing algorithm used for `id_tokens` |
| IdTokenExpirationTime__c | Yes | Lifetime of `id_tokens`. If no value is specified, the Realm's `id_token_expiration_time` is used |
| SubjectType__c | Yes | Subject type generated for the client. Possible values: `public` |
| ResponseModes__c | Yes | `response_modes` which the client commits to use. All other `response_modes` will be rejected |
| IdTokenIncludeClaims__c | No | If checked, the user claims are automatically included in the `id_token` returned to the application. By default this is false, as per the OpenID Connect specification |
| IdTokenIncludeInRefreshToken__c | No | If checked, an `id_token` is included in the refresh token response |

JWKS

| Attribute | Required | Description |
|---|---|---|
| Jwks__c | No | Required if `token_endpoint_auth_method`, `revocation_endpoint_auth_method` or `introspection_endpoint_auth_method` has the value `private_key_jwt` |

Scopes

Client scopes drive two aspects:
  1. The consent requested from users when applications are not admin_approved
  2. The protected resources a client can access on behalf of a user
You can assign scopes to an Application, which allows the Application to receive the user claims in the id_token and in the userinfo_endpoint response.
Since the scopes are used for authorization, they are stored in an encrypted field (cymscopesc). You can use the UI provided by the CYM-Identity application to assign scopes to Applications, or use the Dynamic Client Registration API.

Assigned scopes

A list of scopes which the application is allowed to request for the user.

Default scopes

A subset of the Assigned scopes which will be used in case the application does not provide a scope parameter in the authorization_endpoint, backchannel_authentication_endpoint or client_credentials requests.
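The constraints stated in the OAuth Settings, JWKS and Scopes sections above can be checked before a record is saved or a registration is accepted. The validator below is an added example, not CYM-Identity code; it assumes multi-valued fields are plain Python lists and uses the hypothetical keys `AssignedScopes` and `DefaultScopes` for the encrypted scope fields, whose real storage names this page does not give.

```python
# Added example: apply the documented Client__c rules to a constructed record.
# Field names follow this page; list-valued fields and the scope keys are assumptions.
JWT_AUTH_METHODS = {"private_key_jwt", "client_secret_jwt"}
ENDPOINTS = ("TokenEndpoint", "RevocationEndpoint", "IntrospectionEndpoint")
REQUIRED = ("Name", "Realm__c", "ClientId__c", "ResponseTypes__c", "GrantTypes__c",
            "RedirectUris__c") + tuple(f"{e}AuthMethod__c" for e in ENDPOINTS)


def validate_client(rec: dict) -> list:
    """Return a list of problems; an empty list means the record is consistent."""
    problems = [f"{f} is required" for f in REQUIRED if not rec.get(f)]
    app_type = rec.get("ApplicationType__c")
    if app_type not in ("web", "native"):
        problems.append("ApplicationType__c must be 'web' or 'native'")
    if app_type == "web" and not rec.get("ClientSecret__c"):
        problems.append("ClientSecret__c is required for web applications")
    # *AuthSigning__c is required only for the two JWT-based client authentication methods
    methods = {e: rec.get(f"{e}AuthMethod__c") for e in ENDPOINTS}
    for endpoint, method in methods.items():
        if method in JWT_AUTH_METHODS and not rec.get(f"{endpoint}AuthSigning__c"):
            problems.append(f"{endpoint}AuthSigning__c is required for {method}")
    # Jwks__c is required as soon as any endpoint authenticates with private_key_jwt
    if "private_key_jwt" in methods.values() and not rec.get("Jwks__c"):
        problems.append("Jwks__c is required when an auth method is private_key_jwt")
    # Native clients only get refresh tokens when rotation is enabled
    if app_type == "native" and "refresh_token" in rec.get("GrantTypes__c", []) \
            and not rec.get("RefreshTokenRotation__c"):
        problems.append("RefreshTokenRotation__c must be enabled for native refresh_token use")
    # Default scopes are a subset of the assigned scopes
    missing = set(rec.get("DefaultScopes", [])) - set(rec.get("AssignedScopes", []))
    if missing:
        problems.append(f"default scopes not in assigned scopes: {sorted(missing)}")
    return problems


def is_request_allowed(rec: dict, response_type: str, grant_type: str, redirect_uri: str) -> bool:
    """Authorization/token requests must stay within the values the client committed to."""
    return (response_type in rec.get("ResponseTypes__c", [])
            and grant_type in rec.get("GrantTypes__c", [])
            and redirect_uri in rec.get("RedirectUris__c", []))


# Constructed sample record (all values are placeholders)
SAMPLE_WEB = {
    "Name": "Example Web App", "Realm__c": "realm-placeholder", "ApplicationType__c": "web",
    "ClientId__c": "client-id-placeholder", "ClientSecret__c": "client-secret-placeholder",
    "ResponseTypes__c": ["code"], "GrantTypes__c": ["authorization_code", "refresh_token"],
    "RedirectUris__c": ["https://app.example.com/callback"],
    "TokenEndpointAuthMethod__c": "private_key_jwt", "TokenEndpointAuthSigning__c": "RS256",
    "RevocationEndpointAuthMethod__c": "client_secret_basic",
    "IntrospectionEndpointAuthMethod__c": "client_secret_basic", "Jwks__c": '{"keys": []}',
    "AssignedScopes": ["openid", "profile", "email"], "DefaultScopes": ["openid"],
}
```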

Authentication Context Class Reference

You can assign each client a set of default ACR values. Since default_acr_values are used to challenge the user, this information is stored in a hidden object. You can use the UI provided by the CYM-Identity application to assign default_acr_values to Applications, or use the Dynamic Client Registration API.

Security

Sharing

Client__c has been designed so that you can use your organization's sharing rules (org-wide defaults, role hierarchy, sharing rules or manual sharing) for both the internal and external sharing models.
You can use existing Salesforce capabilities to allow your developers to share the definitions of applications.
We strongly recommend that the external sharing default be set to Private.

Field Level Security

If you deploy Dynamic Client Registration for your external users, you must not grant access to all fields, especially fields which relate to your security setup (access_token_expiration_time, refresh_token_expiration_time, ...).
Grant access only to the mandatory fields and let the endpoint provide read/write access to the standard registration fields. The Dynamic Client Registration endpoint enforces the Realm template values, and that enforcement can be bypassed if a user has direct field-level access.

Extending the object

Custom Fields

Although you can extend the Client__c object, we recommend that you don't. Creating a mandatory custom field on the object will block Dynamic Client Registration.
We recommend that you instead create a separate object with a Lookup or Master-Detail relationship to the Client__c object.
Salesforce does not allow extension of the ConnectedApp object, for good reason: these are security objects and should be protected.

Record Types

Creating a new Record Type on this object will not work with the standard flows provided by CYM-Identity, which only support ClientApplication and ClientResourceServer.

Picklist values

Similarly to Record Types, adding picklist values to the standard CYM-Identity fields will not work. For example, adding a new JWK algorithm which is not supported by CYM-Identity will result in errors in the various OAuth / OpenID Connect flows.

If you have specific needs, please get in touch with us and we will gladly help you :)