Authentication Flow Patterns
Overview
Authentication flow choices determine the security posture and operability of your integration landscape.
This guide focuses on practical flow selection and controls rather than protocol theory.
Consensus Best Practices
- Prefer OAuth-based flows over static token patterns.
- Use dedicated integration principals, not human user credentials.
- Grant only the minimum scopes and object permissions the integration actually requires.
- Standardize token lifecycle controls (rotation/revocation/expiry handling).
- Document chosen flow per integration and justify exceptions.
Flow Selection Matrix
Client Credentials
Use when machine-to-machine access is required and no user context is needed.
Typical uses:
- middleware to Salesforce API,
- Salesforce callouts to external platform APIs.
JWT Bearer / Certificate-Based Server Auth
Use when a stronger key-management posture is required (a private key signs short-lived assertions instead of a shared client secret being presented on every token request) and centralized key rotation is available.
User-Delegated OAuth (Auth Code)
Use when an end user must explicitly authorize third-party access and user-level permissions must be respected.
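The JWT Bearer row of the matrix is the one most often mis-built, so here is an added example (not code from this guide or from Salesforce) of what the client side of that flow produces: the assertion with the claims Salesforce expects (iss = Connected App consumer key, sub = integration username, aud = the login host the token request is posted to, a short exp), the token-request body, and a preflight check that catches the usual mistakes before the request leaves the host. Assumptions: the signer is injected; the HMAC signer in the block is a stand-in so the code runs offline, while a real Connected App requires RS256 with the private key of the certificate uploaded to the app. The consumer key and username are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Grant type string for the OAuth 2.0 JWT Bearer flow (RFC 7523).
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Signer:
    alg: str                          # value written into the JWT header
    sign: Callable[[bytes], bytes]    # signs the ASCII signing input


def hmac_demo_signer(secret: bytes) -> Signer:
    # Offline stand-in only (assumption for this example). Salesforce requires
    # RS256 with the private key matching the Connected App certificate.
    return Signer(alg="HS256", sign=lambda msg: hmac.new(secret, msg, hashlib.sha256).digest())


def build_assertion(consumer_key: str, username: str, audience: str, signer: Signer,
                    now: Optional[float] = None, ttl_seconds: int = 180) -> str:
    """Build the compact JWS assertion the integration host posts to the token endpoint."""
    if not 0 < ttl_seconds <= 300:
        raise ValueError("assertion lifetime must be short (1..300 s)")
    iat = int(now if now is not None else time.time())
    header = {"alg": signer.alg, "typ": "JWT"}
    claims = {"iss": consumer_key, "sub": username, "aud": audience,
              "iat": iat, "exp": iat + ttl_seconds}
    compact = json.dumps(header, separators=(",", ":")).encode()
    signing_input = _b64url(compact) + "." + _b64url(
        json.dumps(claims, separators=(",", ":")).encode())
    signature = signer.sign(signing_input.encode("ascii"))
    return signing_input + "." + _b64url(signature)


def token_request_body(assertion: str) -> dict:
    """Form fields posted to <login host>/services/oauth2/token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(assertion: str) -> dict:
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def preflight_check(assertion: str, expected_audience: str,
                    now: Optional[float] = None, max_ttl: int = 300) -> List[str]:
    """Return a list of problems; empty means the assertion is safe to send."""
    claims = decode_claims(assertion)
    now_i = int(now if now is not None else time.time())
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("aud mismatch")          # e.g. sandbox assertion sent to production login host
    if claims.get("exp", 0) <= now_i:
        problems.append("expired")
    if claims.get("exp", 0) - claims.get("iat", 0) > max_ttl:
        problems.append("lifetime too long")
    for key in ("iss", "sub"):
        if not claims.get(key):
            problems.append(f"missing {key}")
    return problems


if __name__ == "__main__":
    signer = hmac_demo_signer(b"demo-secret")  # constructed; never use HMAC in production here
    jwt = build_assertion("CONSUMER_KEY_PLACEHOLDER", "integration@example.com",
                          "https://login.salesforce.com", signer)
    print(token_request_body(jwt))
    print("preflight:", preflight_check(jwt, "https://login.salesforce.com"))
```

The preflight check is cheap insurance for the rotation runbook further down: when a key or Connected App is swapped, a stale consumer key or the wrong login host (production vs. sandbox) shows up here instead of as an opaque `invalid_grant` from the token endpoint.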
Salesforce -> External System
Recommended pattern:
- Named Credential with OAuth config,
- least-privilege service account on external platform,
- callout services with explicit timeout and retry policy.
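To make the "explicit timeout and retry policy" and "token lifecycle controls" items concrete, here is an added example (not code from this guide or from any Salesforce library) of a callout client that holds those rules in one place. On the Salesforce side the equivalent would be Apex behind a Named Credential; Python is used here so the policy runs and can be tested offline with a fake transport. Assumptions: the transport and token source are injected callables, the retryable status set and backoff values are illustrative, and a 401 is treated as "token revoked or expired server-side" and answered with exactly one re-acquisition.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class Token:
    value: str
    expires_at: float   # epoch seconds; from the token endpoint's expires_in


@dataclass
class RetryPolicy:
    max_attempts: int = 3
    timeout_seconds: float = 10.0
    backoff_seconds: float = 0.5
    retry_statuses: frozenset = frozenset({429, 502, 503, 504})   # illustrative


class TransientError(Exception):
    """Raised by the transport for timeouts and connection resets."""


class CalloutFailed(Exception):
    """Raised when the policy is exhausted."""


class CalloutClient:
    def __init__(self, transport: Callable, token_source: Callable[[], Token],
                 policy: Optional[RetryPolicy] = None, clock=time.time, sleep=time.sleep,
                 refresh_skew_seconds: int = 60):
        self._transport = transport          # (method, url, headers, body, timeout) -> Response
        self._token_source = token_source    # performs the OAuth grant; returns a Token
        self._policy = policy or RetryPolicy()
        self._clock, self._sleep, self._skew = clock, sleep, refresh_skew_seconds
        self._cached: Optional[Token] = None
        self.token_fetches = 0               # exposed so tests/metrics can see refresh behaviour

    def _bearer(self, force: bool = False) -> str:
        # Refresh ahead of expiry (skew) so a token never expires mid-request.
        stale = self._cached is None or self._cached.expires_at - self._skew <= self._clock()
        if force or stale:
            self._cached = self._token_source()
            self.token_fetches += 1
        return f"Bearer {self._cached.value}"

    def call(self, method: str, url: str, body: Optional[str] = None,
             idempotent: Optional[bool] = None) -> Response:
        if idempotent is None:   # only re-send what is safe to re-send
            idempotent = method.upper() in ("GET", "HEAD", "PUT", "DELETE")
        p = self._policy
        auth = self._bearer()
        reauth_used = False
        last = "no attempt"
        attempt = 0
        while attempt < p.max_attempts:
            attempt += 1
            try:
                resp = self._transport(method, url, {"Authorization": auth}, body, p.timeout_seconds)
            except TransientError as exc:
                last = f"transport error: {exc}"
            else:
                if resp.status == 401 and not reauth_used:
                    reauth_used = True               # one re-auth, and it consumes an attempt
                    auth = self._bearer(force=True)  # so the loop stays bounded
                    continue
                if resp.status not in p.retry_statuses:
                    return resp                      # success or a non-retryable 4xx/5xx
                last = f"status {resp.status}"
            if not idempotent:
                break
            if attempt < p.max_attempts:
                self._sleep(p.backoff_seconds * (2 ** (attempt - 1)))
        raise CalloutFailed(f"{method} {url} failed after {attempt} attempt(s): {last}")


def scripted_transport(script: list):
    """Constructed fake transport: pops one outcome per call and records the calls."""
    calls = []

    def transport(method, url, headers, body, timeout):
        calls.append((method, url, headers["Authorization"], timeout))
        outcome = script.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return transport, calls


if __name__ == "__main__":
    transport, calls = scripted_transport([TransientError("timeout"), Response(503), Response(200, "ok")])
    client = CalloutClient(transport, lambda: Token("tok-1", time.time() + 3600), sleep=lambda s: None)
    print(client.call("GET", "https://api.example.invalid/v1/ping").status, len(calls), "calls")
```

Two design points worth keeping when porting this to Apex: the retry loop is bounded by attempts, not by wall-clock, so a slow dependency cannot pin a thread indefinitely, and non-idempotent requests fail fast rather than being re-sent, which is the usual source of duplicate records on the external platform.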
External System -> Salesforce
Recommended pattern:
- Connected App with explicit scopes,
- integration user with minimal permission sets,
- IP/session controls where required by policy.
Operational Controls
- Rotate client secrets and certificates on schedule.
- Alert on repeated auth failures and unusual token usage.
- Keep runbook for emergency revoke and credential rollback.
- Revalidate auth flow assumptions during seasonal platform updates.
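"Alert on repeated auth failures and unusual token usage" is only useful once it is written down as detection logic, so here is an added example (not from this guide, and not tied to any particular Salesforce log product) that runs two such rules over a small constructed auth log: a burst of token-request failures for one integration principal inside a sliding window, a successful grant that follows such a burst, and an access token being used from a source address other than the one it was issued to. Assumptions: the JSON-lines format and field names (ts, event, client_id, result, source_ip, token_id) are invented for the example, and the threshold and window are illustrative; map them onto whatever your login-history or event-monitoring export actually provides.

```python
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List

# Constructed sample log (RFC 5737 documentation addresses, invented identifiers).
SAMPLE_LOG = """
{"ts": 1700000000, "event": "token_request", "client_id": "int-billing", "result": "failure", "source_ip": "203.0.113.10"}
{"ts": 1700000030, "event": "token_request", "client_id": "int-billing", "result": "failure", "source_ip": "203.0.113.10"}
{"ts": 1700000060, "event": "token_request", "client_id": "int-billing", "result": "failure", "source_ip": "203.0.113.10"}
{"ts": 1700000090, "event": "token_request", "client_id": "int-billing", "result": "failure", "source_ip": "203.0.113.10"}
{"ts": 1700000120, "event": "token_request", "client_id": "int-billing", "result": "failure", "source_ip": "203.0.113.10"}
{"ts": 1700000300, "event": "token_request", "client_id": "int-billing", "result": "success", "source_ip": "203.0.113.10", "token_id": "t-100"}
{"ts": 1700000360, "event": "api_call", "client_id": "int-billing", "result": "success", "source_ip": "203.0.113.10", "token_id": "t-100"}
{"ts": 1700000420, "event": "api_call", "client_id": "int-billing", "result": "success", "source_ip": "198.51.100.7", "token_id": "t-100"}
{"ts": 1700000100, "event": "token_request", "client_id": "int-shipping", "result": "failure", "source_ip": "203.0.113.20"}
{"ts": 1700000500, "event": "token_request", "client_id": "int-shipping", "result": "success", "source_ip": "203.0.113.20", "token_id": "t-200"}
"""


@dataclass(frozen=True)
class Alert:
    kind: str
    principal: str
    ts: int
    detail: str


def parse_log(text: str) -> List[dict]:
    """One JSON object per line; events are returned in time order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], fail_threshold: int = 5, window_seconds: int = 300) -> List[Alert]:
    recent_failures = defaultdict(deque)   # client_id -> timestamps of failures in the window
    burst_alerted = set()                  # principals already flagged (avoid repeat alerts)
    token_origin = {}                      # token_id -> source_ip the token was issued to
    alerts: List[Alert] = []

    for e in events:
        cid, ts = e["client_id"], e["ts"]
        if e["event"] == "token_request":
            window = recent_failures[cid]
            while window and ts - window[0] > window_seconds:
                window.popleft()           # drop failures that fell out of the sliding window
            if e["result"] == "failure":
                window.append(ts)
                if len(window) >= fail_threshold and cid not in burst_alerted:
                    burst_alerted.add(cid)
                    alerts.append(Alert("auth_failure_burst", cid, ts,
                                        f"{len(window)} failures within {window_seconds}s from {e['source_ip']}"))
            else:
                token_origin[e["token_id"]] = e["source_ip"]
                if cid in burst_alerted and window:
                    # A grant that succeeds right after a burst is the signal worth paging on.
                    alerts.append(Alert("success_after_burst", cid, ts,
                                        f"grant succeeded after {len(window)} recent failures"))
        elif e["event"] == "api_call":
            origin = token_origin.get(e.get("token_id"))
            if origin is not None and origin != e["source_ip"]:
                alerts.append(Alert("token_ip_mismatch", cid, ts,
                                    f"token {e['token_id']} issued to {origin} used from {e['source_ip']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts} {alert.kind:22} {alert.principal:14} {alert.detail}")
```

The second rule depends on a stable per-token identifier in the log; where the platform only exposes a hash or the last characters of the token, key the origin map on that instead. The burst rule deliberately fires once per principal per incident, which keeps the on-call channel readable when a misconfigured scheduler retries every few seconds.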
Common Failure Modes
- Using admin users for integrations.
- Over-broad scopes and profiles.
- Shared credentials across unrelated systems.
- No ownership model for connected app governance.