Simplify web session management for hybrid apps with the new OAuth 2.0 hybrid app flows. Other OAuth flow updates include an option to require client secrets during refresh token flows and an increased size limit for access and refresh tokens. Get more guidance and login metrics from the Multi-Factor Authentication Assistant. You can now monitor how your third-party identity providers authenticate users logging into your Salesforce org through OpenID Connect on the Login History page. And we renamed Identity Confirmation to Device Activation.
- Enable Hybrid Apps to Directly Manage Web Sessions
Use the OAuth 2.0 hybrid app flows to avoid the complexity of managing web sessions for hybrid apps. With a typical user-agent or refresh token flow, a hybrid app sets the requested domain’s cookies itself and bridges an access token into a web session. But the access token and the web session aren’t connected in these flows. Instead, you must track separately when the access and refresh tokens expire and when the web session expires, and then manually rebridge the session to avoid interrupting service. The OAuth 2.0 hybrid app flows tie the access and refresh tokens to the web session, giving hybrid apps direct web session management.
- Require the Client Secret during the Refresh Token Flow
You can configure connected apps to require client secrets during the OAuth 2.0 refresh token and hybrid refresh token flows. For web server-based apps that can protect a client secret, configure the connected app to require it; a refresh token stolen from such an app then can’t be exchanged for new access tokens without the secret. Apps that can’t protect a client secret, such as mobile apps or apps installed on a user’s computer, can omit it during the refresh token flow, since a secret embedded in a distributed app offers no real protection. If you don’t require a client secret during the refresh token flow but a connected app sends one in its refresh token request anyway, Salesforce still validates it and rejects the request if it doesn’t match.
- Reduce Hybrid Mobile App Session Interruptions with a New Frontdoor.jsp Parameter
To streamline how your org uses frontdoor.jsp to authorize hybrid app user sessions, use the directBridge2 parameter with the new OAuth 2.0 hybrid app token flows. After a user authenticates and starts a new session, the directBridge2 parameter passes the access token directly into the session ID cookie of the requested domain. This prevents interruptions when the refresh token flow is triggered, because the hybrid app uses the same access token for both API calls and UI requests.
- Get More Guidance from the Multi-Factor Authentication Assistant
To help with your multi-factor authentication (MFA) implementation, the Multi-Factor Authentication Assistant now provides access to an MFA Accelerator webinar and to login metrics in the Lightning Usage App. The Accelerator webinar replaces the User Authentication Trailhead module that was previously available in the Assistant.
- Monitor Login Metrics for Your Org’s Identity Services
User login security is a cornerstone of protecting your data, and login metrics give you insight into user login activity. The new Login Metrics tab in the Lightning Usage App provides data for your org’s identity services, including multi-factor authentication (MFA) and single sign-on. If you’re implementing MFA, you can use login metrics to monitor MFA adoption. We also added MFA as a feature in the Salesforce Optimizer App to help you track the users who are (or aren’t) logging in with MFA.
- Monitor How Your Identity Providers Authenticate Your Users with Authentication Method Reference
Get a better understanding of how your third-party identity provider (IdP) authenticates users logging into Salesforce through OpenID Connect (OIDC). Check the Authentication Method Reference column of your Salesforce org’s Login History to see which authentication methods the IdP reports for each login (the authentication method reference, or amr, values it includes in its ID token).
- Easily Integrate Larger Access and Refresh Tokens for OpenID Connect
The limit for access and refresh tokens is increased to 10,000 characters, which means you can now choose from more third-party identity providers to configure for Salesforce. Previously, the limit was 2,000 characters for each access token and 1,024 characters for each refresh token.
- Identity Confirmation Is Now Device Activation
When your users log in from an unrecognized browser or application (device), the identity verification type required from them is now called device activation. Previously, we sometimes called it identity confirmation. Device activation more accurately reflects what happens and is the industry standard term.
- Manage Access to Login Flows with Profile Filtering
To increase security, your users are now restricted from configuring login flows when you turn on Profile Filtering. With Profile Filtering enabled, your users need the View All Profiles permission to configure login flows.
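The following is an added example, not Salesforce code, that models the decision described in “Require the Client Secret during the Refresh Token Flow”: a client builds the refresh token request for either a confidential (web server) or a public (mobile or desktop) connected app, and a policy check stands in for the token endpoint. The grant type value hybrid_refresh for the hybrid refresh flow and the setting name require_secret_on_refresh are assumptions for illustration; grant_type=refresh_token, client_id, client_secret and the Salesforce token endpoint URL are standard OAuth 2.0. The sample apps and refresh token are constructed, and nothing is sent over the network.

```python
"""Offline model of the connected-app "require client secret on refresh" policy."""
from dataclasses import dataclass
import hmac
from typing import Optional, Tuple

# Standard Salesforce token endpoint; shown for context, never contacted here.
TOKEN_ENDPOINT = "https://login.salesforce.com/services/oauth2/token"


@dataclass(frozen=True)
class ConnectedApp:
    client_id: str
    client_secret: str               # held by Salesforce, compared on every use
    require_secret_on_refresh: bool  # assumed name for the new connected-app setting


def build_refresh_request(client_id: str, refresh_token: str,
                          client_secret: Optional[str] = None,
                          hybrid: bool = False) -> dict:
    """Form body a client posts to TOKEN_ENDPOINT to exchange a refresh token.

    A public client (mobile/desktop) passes client_secret=None: a secret
    shipped inside an app binary is not a secret, so sending one adds nothing.
    """
    body = {
        # "hybrid_refresh" is an assumed grant type value for the hybrid refresh flow
        "grant_type": "hybrid_refresh" if hybrid else "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def evaluate_refresh_request(app: ConnectedApp, body: dict) -> Tuple[bool, str]:
    """Decide a refresh request the way the release note describes.

    - secret absent, app requires it      -> reject
    - secret absent, app does not require -> accept (public client)
    - secret present                      -> always validated, required or not
    """
    if body.get("grant_type") not in ("refresh_token", "hybrid_refresh"):
        return False, "unsupported_grant_type"
    if body.get("client_id") != app.client_id or not body.get("refresh_token"):
        return False, "invalid_request"
    secret = body.get("client_secret")
    if secret is None:
        if app.require_secret_on_refresh:
            return False, "invalid_client: client_secret required for this app"
        return True, "accepted: public client, no secret required"
    # constant-time compare so a wrong secret leaks nothing through timing
    if not hmac.compare_digest(secret.encode(), app.client_secret.encode()):
        return False, "invalid_client: client_secret does not match"
    return True, "accepted: client_secret validated"


# Constructed sample apps and a constructed refresh token for the scenarios.
WEB_APP = ConnectedApp("3MVG9-web-example", "s3cr3t-web", require_secret_on_refresh=True)
MOBILE_APP = ConnectedApp("3MVG9-mobile-example", "s3cr3t-mob", require_secret_on_refresh=False)
SAMPLE_RT = "rt-constructed-example-token"


def scenarios() -> dict:
    """The four cases a reviewer would check, keyed by scenario name."""
    return {
        # a stolen refresh token replayed without the secret is blocked by the setting
        "web_no_secret": evaluate_refresh_request(
            WEB_APP, build_refresh_request(WEB_APP.client_id, SAMPLE_RT)),
        "web_with_secret": evaluate_refresh_request(
            WEB_APP, build_refresh_request(WEB_APP.client_id, SAMPLE_RT, "s3cr3t-web")),
        "mobile_no_secret": evaluate_refresh_request(
            MOBILE_APP, build_refresh_request(MOBILE_APP.client_id, SAMPLE_RT, hybrid=True)),
        # secret not required, but a wrong one sent anyway is still checked and rejected
        "mobile_bad_secret": evaluate_refresh_request(
            MOBILE_APP, build_refresh_request(MOBILE_APP.client_id, SAMPLE_RT, "wrong")),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The fourth scenario is the one worth remembering: turning the requirement off for a public client does not turn off validation, so an app that ships a stale or mistyped secret will start failing refreshes even though the setting says the secret is optional.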