Summary
As an ISV, it's important to prioritize security best practices, even when the connected app is used only for Canvas UI integration. Rotating the consumer key and secret is essential to minimize the impact of a potential credential compromise. However, the rotation process must be managed carefully so that all subscribers remain compatible with the change.
For the group of subscribers who are not on the auto-upgrade list, consider a communication plan that notifies them about the update and the consequences of not updating the app. Also provide guidance on how to update the consumer details, or suggest that they discuss it with their Salesforce administrator.
Q&A
Q1. Is it best practice to periodically rotate the consumer key and consumer secret of a Salesforce connected app?
It is generally recommended to rotate the consumer key & consumer secret periodically for Salesforce connected apps as a security best practice. This can help prevent unauthorized access to your Salesforce org in case of a compromised connected app.
However, it’s important to note that when you rotate the consumer secret for a connected app, all integrations that use this app will be impacted and need to be updated with the new secret. It’s also important to follow any relevant documentation or best practices provided by the connected app’s vendor.
Q2. If an ISV rotates the consumer details in a managed connected app, should we upgrade the package and force subscribers to update the managed package?
Yes, if an ISV rotates the consumer key/secret for a Connected App that is part of a Managed Package, then they need to release a new version of the Managed Package with the updated credentials. The subscribers can then upgrade the package to the latest version which will have the latest credentials related to the Connected App.
Q3. But for subscribers who are not on the auto-upgrade user list, what is the impact?
If the subscriber does not automatically receive upgrades, they will need to manually upgrade their managed packages to get the new version. If the changes made by the ISV require a refreshed access token, the subscriber will need to regenerate an access token before the new Consumer Key and Consumer Secret can be used.
Explore in SF
Subscriber’s Perspective - Managed Connected App Mode
A managed connected app is installed in my SF org; we only have the Manage permission.
Click the Manage action to go to the detail page, where we can only edit policies, view the OAuth usage and uninstall the managed connected app.
For policy editing, we can only edit the following info.
For OAuth Usage, we can check the following info.
Summary: In this mode, the subscriber cannot view or reveal the consumer key and secret, because the credentials are entirely managed by the vendor.
Vendor’s Perspective - Built-in Managed Package Mode
The highlighted managed package was built by me, so we can fully manage, view and edit the app.
Click the View action to go to the configuration page and manage the consumer details.
Under consumer details, we can generate a staged consumer key and secret, and then apply the staged version for integration use.
Click the Generate button: a staged version (new value) is initialized.
Then click the Apply button, and the following tip is shown.
After the new details are applied, only the new consumer details are valid.
Summary: in this mode, we can rotate the consumer details. But all access and refresh tokens associated with the connected app are revoked, so you have to update the new consumer details in your integration.
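The revocation behaviour described above (and the subscriber impact in Q3), as an added example that is not from the original post: a constructed, offline simulation of the Salesforce token endpoint in Python, beside a subscriber integration that reads its consumer details from a loader rather than hard-coding them and re-authenticates once after the vendor applies the staged key and secret. The class names, the loader callable and the invalid_client_id error string are assumptions, not Salesforce's own API.

```python
import secrets


class FakeTokenEndpoint:
    # Constructed stand-in for the Salesforce OAuth token endpoint.
    def __init__(self, consumer_key, consumer_secret):
        self.creds = (consumer_key, consumer_secret)
        self.valid_tokens = set()

    def apply_staged(self, new_key, new_secret):
        # Mirrors Apply on staged consumer details: only the new details are
        # valid and every access/refresh token issued so far is revoked.
        self.creds = (new_key, new_secret)
        self.valid_tokens.clear()

    def token(self, client_id, client_secret):
        # Error name is an assumption modelled on Salesforce's OAuth errors.
        if (client_id, client_secret) != self.creds:
            return {"error": "invalid_client_id"}
        tok = secrets.token_hex(8)
        self.valid_tokens.add(tok)
        return {"access_token": tok}

    def rest_call(self, access_token):
        # A revoked token is rejected by the REST API (simulated as HTTP 401).
        return 200 if access_token in self.valid_tokens else 401


class SubscriberIntegration:
    # Consumer details come from a loader callable (hypothetical, e.g. a
    # secrets store), never hard-coded, so a rotation needs no code change.
    def __init__(self, endpoint, load_consumer_details):
        self.endpoint, self.load = endpoint, load_consumer_details
        self.access_token = None

    def _authenticate(self):
        key, secret = self.load()
        resp = self.endpoint.token(key, secret)
        if "error" in resp:
            raise RuntimeError(f"token request failed: {resp['error']}")
        self.access_token = resp["access_token"]

    def call(self):
        # One API call; on 401, re-authenticate once with the details the
        # loader returns now (the new values after the package upgrade).
        if self.access_token is None:
            self._authenticate()
        if self.endpoint.rest_call(self.access_token) == 200:
            return 200
        self._authenticate()
        return self.endpoint.rest_call(self.access_token)
```

Until the subscriber's stored consumer details are updated, the integration fails at the token request rather than silently retrying with revoked credentials, which is the failure mode Q3 warns about.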