DEV Community

hailports

Posted on

# Auditing Connected Apps and OAuth Scopes in Salesforce

As a senior Salesforce administrator, I've had the privilege of managing complex Salesforce environments for organizations with multi-billion dollar revenue. One critical aspect of this role is ensuring that our systems are secure and properly configured to protect sensitive data. In today’s digital landscape, connected apps and OAuth scopes play pivotal roles in connecting external applications to your Salesforce orgs, enabling seamless integrations while maintaining security.

In this article, I will walk you through the essential steps for auditing connected apps and OAuth scopes within Salesforce. We’ll cover best practices, real SOQL queries, specific configuration steps, and how these measures can help safeguard your organization's data. By the end of this guide, you'll be well-equipped to review and secure your own Salesforce environments.

## Understanding Connected Apps

Connected apps are external applications that interact with Salesforce APIs. They typically include a consumer key, consumer secret, and other credentials necessary for authentication and authorization. These apps can access various parts of your org based on the OAuth scopes they request.

### Key Components of a Connected App
- **Consumer Key**: A unique identifier for the app.
- **Consumer Secret**: Used to secure API requests.
- **Callback URL**: The endpoint where Salesforce redirects after authentication.
- **Authorization Scopes**: Define what permissions the connected app needs (e.g., `api`, `refresh_token`).

## Auditing Connected Apps

### Step 1: List All Connected Apps
To start, we need a list of all connected apps in your org. Connected apps are exposed to SOQL through the standard `ConnectedApplication` object (`ConnectedApp` is the Metadata API type name, not a queryable sObject).

```sql
SELECT Id, Name, CreatedDate, OptionsAllowAdminApprovedUsersOnly
FROM ConnectedApplication
ORDER BY Name
```

This SOQL query lists every connected app installed in the org, together with whether each one is restricted to admin-approved users.

### Step 2: Evaluate OAuth Scopes
Next, we need to examine the OAuth scopes each app is requesting. Scopes are part of the app's definition rather than a queryable field: view them under **Setup > Apps > Connected Apps > Manage Connected Apps**, or retrieve the `ConnectedApp` metadata type, where they appear as `<scopes>` entries inside `<oauthConfig>`. What SOQL can tell you is which apps users have actually authorized, through the `OauthToken` object.

```sql
SELECT AppName, UserId, UseCount, LastUsedDate, CreatedDate
FROM OauthToken
ORDER BY AppName, LastUsedDate DESC
```

Comparing the scopes an app declares with the tokens that exist for it shows which permissions are granted and to whom.

### Step 3: Check for Unnecessary Accesses
Some apps might request broader access than necessary. For instance, an app might be requesting `api` and `refresh_token`, when only `api` is required. Check the declared scope list from the previous step for `refresh_token` (or `full`) on apps that do not need long-lived access. A related check that SOQL can do directly is finding apps that any user may self-authorize, rather than only admin-approved users:

```sql
SELECT Id, Name
FROM ConnectedApplication
WHERE OptionsAllowAdminApprovedUsersOnly = false
```

Apps returned here can be authorized by any user without an admin pre-approving them, so their scopes deserve the closest review.

### Step 4: Review App Statuses
Ensure that all connected apps are in a stable and secure state. There is no `Status` field to query; an app's blocked or unblocked state is shown under **Setup > Apps > Connected Apps > Connected Apps OAuth Usage**, and apps that were blocked or removed should be investigated further to understand why. What you can query is whether an app's tokens are still in use, which surfaces integrations that were abandoned without being cleaned up:

```sql
SELECT AppName, UserId, UseCount, LastUsedDate
FROM OauthToken
WHERE LastUsedDate < LAST_N_DAYS:90
ORDER BY LastUsedDate
```

## Best Practices

1. **Limit OAuth Scopes**: Always request only the necessary OAuth scopes for each app.
2. **Regular Audits**: Conduct regular audits to ensure connected apps are up-to-date and secure.
3. **Enable Multi-Factor Authentication (MFA)**: Implement MFA for all connected apps that interact with sensitive data.
4. **Review App Callback URLs**: Ensure they are legitimate and not pointing to suspicious domains.

## Configuring Secure OAuth Settings

### Step 1: Enable OAuth2 Security Features
Org-wide OAuth controls live under **Setup > Identity > OAuth and OpenID Connect Settings**, where you can turn off flows you do not use (for example the username-password flow). MFA is not a connected-app setting: it is enforced on user logins, and for an individual app you can additionally require a high-assurance (MFA) session under **Setup > Apps > Connected Apps > Manage Connected Apps > Edit Policies > Session Policies**. The refresh token policy configured there is exposed to SOQL, so you can review it across all apps at once:

```sql
SELECT Id, Name, OptionsRefreshTokenValidityMetric, RefreshTokenValidityPeriod
FROM ConnectedApplication
ORDER BY Name
```

### Step 2: Review and Update Callback URLs
Ensure that all callback URLs are legitimate and point to known domains over HTTPS. If a domain has changed or is no longer in use, update the URL immediately. Callback URLs are not queryable either: they are edited in the app's OAuth settings and appear in retrieved `ConnectedApp` metadata as the `<callbackUrl>` element of `<oauthConfig>`, one URL per line when several are allowed. Retrieving the metadata for all connected apps and checking that element is the reliable way to review them in bulk.

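As an added example (not code from the original article or from Salesforce), this Python script audits retrieved `ConnectedApp` metadata files for the two checks above: broad scopes such as `RefreshToken` or `Full` (Steps 2 and 3 of the audit) and callback URLs that are not HTTPS. The two XML documents are constructed samples, and the set of scopes treated as "broad" is the script's own assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://soap.sforce.com/2006/04/metadata}"
# Assumption of this example: scopes treated as broader than a narrowly scoped integration needs.
BROAD_SCOPES = {"Full", "RefreshToken", "OfflineAccess"}

# Constructed samples of two retrieved .connectedApp metadata files.
SAMPLE_APPS = {
    "Billing_Sync.connectedApp": """<?xml version="1.0" encoding="UTF-8"?>
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Billing Sync</label>
    <oauthConfig>
        <callbackUrl>https://billing.example.com/oauth/callback</callbackUrl>
        <scopes>Api</scopes>
    </oauthConfig>
</ConnectedApp>""",
    "Legacy_Reporting.connectedApp": """<?xml version="1.0" encoding="UTF-8"?>
<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Legacy Reporting</label>
    <oauthConfig>
        <callbackUrl>http://reports.example.net/cb
https://reports.example.net/cb</callbackUrl>
        <scopes>Full</scopes>
        <scopes>RefreshToken</scopes>
    </oauthConfig>
</ConnectedApp>""",
}


def audit_connected_app(xml_text):
    """Return (label, findings) for one ConnectedApp metadata document."""
    root = ET.fromstring(xml_text)
    label = root.findtext(NS + "label") or "<unnamed>"
    oauth = root.find(NS + "oauthConfig")
    findings = []
    if oauth is None:  # no OAuth config at all: nothing to check here
        return label, findings
    scopes = {s.text.strip() for s in oauth.findall(NS + "scopes") if s.text}
    for scope in sorted(scopes & BROAD_SCOPES):
        findings.append(f"broad scope requested: {scope}")
    # Several callback URLs are stored in one element, one per line.
    for url in (oauth.findtext(NS + "callbackUrl") or "").split():
        if urlsplit(url).scheme != "https":
            findings.append(f"non-https callback URL: {url}")
    return label, findings


def audit_all(apps):
    """Map each file name to its findings; an empty list means the app is clean."""
    return {name: audit_connected_app(xml)[1] for name, xml in apps.items()}
```

Point `audit_all` at the `connectedApps` folder of a Metadata API retrieve (one file per app) to run it against a real org.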

### Step 3: Disable Unnecessary Apps
If you identify any connected apps that are no longer needed or pose a security risk, disable them immediately. SOQL is a query language and has no `UPDATE` statement. Block the app under **Setup > Apps > Connected Apps > Connected Apps OAuth Usage** (or uninstall it), then revoke any tokens it still holds. Those tokens are `OauthToken` records, which the API lets you query and delete:

```sql
SELECT Id, AppName, UserId, LastUsedDate
FROM OauthToken
WHERE AppName = 'Legacy Reporting'
```

Deleting the returned records revokes those users' access to the app; `'Legacy Reporting'` is a placeholder app name.

## Conclusion

By following these steps and best practices, you can ensure that your Salesforce org is secure and compliant with relevant data protection regulations. Regular audits of connected apps and OAuth scopes are crucial in maintaining a robust security posture.

### Call to Action
Try the free scanner at [https://orgscanner.dev/?utm_source=devto&utm_medium=content&utm_campaign=content_poster](https://orgscanner.dev/?utm_source=devto&utm_medium=content&utm_campaign=content_poster) to help you automate and streamline your Salesforce security audits.

Stay secure, stay vigilant!

This guide provides a comprehensive approach to auditing connected apps and OAuth scopes in Salesforce. By implementing these steps, you can enhance the security of your org and protect sensitive data from potential threats.
