An application is an oAuth Client / OpenID Connect Relying Party which interacts directly with Users

Application Record

General Settings

NameYesThe application name. Maps to the client_name on Dynamic Client Registration
Realm__cYesThe Realm under which the application lives
ApplicationType__cYesApplciation type. Possible values: web or native
Contacts__cNoList of email addresses for the contacts of this application
ClientUri__cNoA URL shown to users during the consent process to allow to the user to better understand the purpose of the target application
TosUri__cNoFollows OpenID
PolicyUri__cNoFollows OpenID
LogoUri__cNoFollows OpenID

Client credentials

ClientId__cYesA unique identifier for the application. You must ensure that this value is generated by your administrator or through the DCR. Must not be allowed to the end user to choose this value
ClientSecret__cNoOnly required for web applications

oAuth Settings

ResponseTypes__cYesResponse Types which the client commits to use. All other response_types will be rejected
GrantTypes__cYesgrant_types which the client commits to use. All other grant_types will be rejected
RedirectUris__cYesredirect_uris which the client commits to use. All other redirect_uris will be rejected
AccessTokenExpirationTime__cYesExpiration time for access_tokens when this client is the audience. If no value is specified, it'll use the Realm's access_token_expiration_time
AccessTokenSigningAlgValue__cYesAlgorithm to sign the access_token when this application is the audience. A JWK with this algorithm must be available at the Realm JWKS. If no value is specified, it'll use the Realm's access_token_signing_alg_value
RefreshTokenExpirationTime__cYesExpiration time for refresh_tokens issued to this client. Either the value defined by the Realm or the value defined by an adminsitration. If no value is specified, it'll use the Realm's refresh_token_expiration_time
TokenEndpointAuthMethod__cYesAuthentication method used when calling the token_endpoint
TokenEndpointAuthSigning__cNoRequired only when token_endpoint_auth_method is one of private_key_jwt or client_secret_jwt
RevocationEndpointAuthMethod__cYesAuthentication method used when calling the revocation_endpoint
RevocationEndpointAuthSigning__cNoRequired only when revocation_endpoint_auth_method is one of private_key_jwt or client_secret_jwt
IntrospectionEndpointAuthMethod__cYesAuthentication method used when calling the introspection_endpoint
IntrospectionEndpointAuthSigning__cNoRequired only when introspection_endpoint_auth_method is one of private_key_jwt or client_secret_jwt
IsAdminApproved__cNoWhether or not ask users for consent when accessing this client
CodeChallengeMethod__cNoThe Code Challenge which the client uses with the PKCE extension on the authorization flow. It's highly recommended to use PKCE for native apps
RefreshTokenRotation__cNoWhether to issue a new refresh_token on every token_endpont refresh_token flow. To enable refresh_tokens for native clients, you must enable refresh_token_rotation
DefaultAudience__cNoA ResourceServer which will be the audience for all access_tokens generated for this App if no resource is specified in the requests. If blank, the current Client will be the audience

OpenID Connect Settings

IdTokenSignedResponseAlg__cYesSigning algorithm used for id_tokens
IdTokenExpirationTime__cYeslifetime of id_tokens. If no value is specified, it'll use the Realm's id_token_expiration_Time
SubjectType__cYesSubject type generated for the client. Possible values public
ResponseModes__cYesresponse_modes which the client commits to use. All other response_modes will be rejected
IdTokenIncludeClaims__cNoIf checked, the user claims will be automatically included as part of the id_token returned to the application. By default, this is false as per the OpenID Connect specification
IdTokenIncludeInRefreshToken__cNoIf checked, an id_token will be included on the RefreshToken resposne


Jwks__cNoRequired if token_endpoint_auth_methods, revocation_endpoint_auth_method or introspection_endpoint_auth_method has value private_key_jwt.


Client scopes drive two aspects :
  1. The Consent requested from users when applications are not admin_approved
  2. The Protected resources a client can access on behalf of a user
You can assign scopes to an Application which will allow the Application to receive the user claims in the id_token and the userinfo_endpoint response.
Since the scopes are used for authorization, they are stored as an encrypted field (cymscopesc). You can use the UI provided by the CYM-Identity application to assign scopes to Applications or use the Dynamic Client Registration API

Assigned scopes

A list of scopes which the application is allowed to request for the user

Default scopes

A subset of the Assigned scopes which will be used in case the application does not provide a scope parameter in the authorization_endpoint, backchannel_authentication_endpoint or client_credentials requests.

Authentication Context Class Reference

You can assign each client a set of Default ACR values. Since default_acr_values are used to challenge the user, this information is stored in a hidden object. You can use the UI provided by the CYM-Identity application to assign default_acr_values to Applications or use the Dynamic Client Registration API



Client__c has been designed in a way that you can use your organization sharing rules (org-wide, role, sharing rules or manual sharing) for both internal and external.
You can use Salesforce existing capabilities to allow your developers to share the definitions of applications
We strongly recommend that the external sharing be set to Private

Field Level Security

If you deploy Dynamic Client Registration for your external users, you must not provide access to all fields especially fields which relate to your security setup (access_token_expiration_time, refresh_token_expiration_time, ...)
You can only grant access to the mandatory fields and let the endpoint provide read/write access to the standard registration fields. The Dynamic Client Registration endpoint enforces the Realm template values, which can be bypassed if a user has field-level access

Extending the object

Custom Fields

Although you can extend the Client__c object, we recommend that you don't. Creating a mandatory custom field on the object will block Dynamic Client Registration.
We recommend that you create a separate object which has a lookup or MasterDetail relationship with the Client__c object.
Salesforce does not allow extension of the ConnectedApp object for a good reason. These are security objects which should be protected.

Record Types

Creating a new Record type on this object will not work on the standard flows provided by CYM-Identity, which only support ClientApplication and ClientResourceServer.

Picklist values

Similarly to Record Types, creating picklist values for the standard CYM-Identity fields will not work on the standard CYM-Identity fields. For example adding a new JWK Algorithm which is not supported by CYM-Identity will result in errors in the different oAuth / OpenID Connect flows.

If you have specific needs, please get in touch with us and we will gladly help you :)