Tekunda Team
Salesforce Authentication Your Complete Migration Guide
Navigating Salesforce Authentication Evolution, Your Complete Migration Guide
In September 2025, Salesforce is implementing major changes to Connected App security that will impact how your applications authenticate. Two big shifts are happening:
The OAuth 2.0 Device Flow will be blocked.
Uninstalled Connected Apps will no longer be accessible to most users.
This blog explains the migration away from the Device Login flow toward Connected App OAuth2 Flow with PKCE, why this change matters, and how to prepare with confidence.
Why Salesforce Is Blocking Device Flow
The Device Flow (RFC 8628) has a known weakness: it can be started with nothing more than a client_id. A malicious actor can exploit this in social engineering attacks, tricking users into approving untrusted apps.
Real-World Impact: Recent high-profile breaches at companies including KLM/Air France, Adidas, Google, Qantas, and Allianz Life were executed by threat groups such as UNC6040/ShinyHunters using exactly this attack vector. These attackers used social engineering (phone calls impersonating IT staff) to trick employees into authorizing malicious Connected Apps via Device Flow.
Salesforce has confirmed this vulnerability has been exploited in production environments, making the deprecation a security necessity rather than just a technical upgrade.
Moving to Connected App OAuth2 Flow with PKCE
The secure replacement is the Authorization Code Flow with PKCE (Proof Key for Code Exchange, RFC 7636), an extension that prevents an intercepted authorization code from being exchanged for tokens.
Step 1: Generate PKCE Parameters
Create a code_verifier (random, cryptographically secure string, 43-128 characters).
Hash it with SHA-256 and base64url-encode the digest → code_challenge.
Important: Use base64url encoding (not standard base64). This replaces + with -, / with _, and removes padding = characters for URL safety.
Step 2: Build Authorization URL
Include the parameter that is essential for a PKCE request:
code_challenge_method=S256
Example:
https://login.salesforce.com/services/oauth2/authorize?
  client_id=YOUR_CLIENT_ID&
  response_type=code&
  redirect_uri=YOUR_CALLBACK_URL&
  scope=full%20refresh_token&
  code_challenge_method=S256&
  code_challenge=YOUR_CODE_CHALLENGE&
  state=YOUR_RANDOM_STATE
Step 3: Exchange Authorization Code for Tokens
Send the code and the original code_verifier back to Salesforce (the redirect_uri must match the one used in Step 2):
POST /services/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
client_id=YOUR_CLIENT_ID
code=AUTH_CODE
code_verifier=ORIGINAL_CODE_VERIFIER
redirect_uri=CALLBACK_URL
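Steps 1 to 3 as one runnable client-side helper. This is an added example, not code from the original post or from Salesforce: it generates the verifier, derives the S256 challenge with padding-free base64url encoding as the post describes, builds the authorization URL and the token request body, and includes a verifier-side check that mirrors what the token endpoint does (recompute the challenge from the presented verifier and compare). The client id, callback URL and state value are placeholders; the RFC 7636 Appendix B verifier/challenge pair is used as a known-answer check.

```python
"""PKCE helper for the Salesforce authorization-code flow (added example).

Assumptions: client_id / redirect_uri / state below are placeholders, not
real values; the endpoint URLs are the login.salesforce.com ones named in the
post.  Nothing here performs a network request.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

# Known-answer vector from RFC 7636, Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """base64url as PKCE requires: '+'->'-', '/'->'_', and no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Cryptographically random verifier; 32 bytes -> 43 chars (RFC minimum),
    96 bytes -> 128 chars (RFC maximum)."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be 32..96 to yield a 43..128 char verifier")
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: base64url(SHA-256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def standard_base64_mistake(code_verifier: str) -> str:
    """The encoding the post warns against: plain base64 keeps '+', '/' and
    '=' padding, so the server's recomputed challenge never matches."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, code_challenge: str,
                        state: str, scope: str = "full refresh_token") -> str:
    """Step 2: authorization URL. code_challenge_method=S256 must be present;
    leaving it out is the usual cause of an 'invalid code verifier' error."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, code: str, code_verifier: str,
                        redirect_uri: str) -> dict:
    """Step 3: form body to POST to TOKEN_URL; redirect_uri must equal the one
    sent in Step 2."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    }


def server_side_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does: recompute the challenge from the verifier
    and compare in constant time."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()            # keep this in session storage
    challenge = make_code_challenge(verifier)  # only this leaves the client
    state = secrets.token_urlsafe(16)          # constructed, per-request CSRF token
    print(build_authorize_url("PLACEHOLDER_CLIENT_ID", "https://app.example/callback",
                              challenge, state))
    print(build_token_request("PLACEHOLDER_CLIENT_ID", "AUTH_CODE_FROM_CALLBACK",
                              verifier, "https://app.example/callback"))
```

The verifier is generated once per authorization request and never sent in Step 2; only the challenge is. Keep the verifier (and the state value) bound to the user's session so the callback can look them up and reject a code that arrives with an unknown state.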
Step 4: Update Permissions
Salesforce is adding new permissions with specific rules based on your org's configuration:
If API Access Control is DISABLED (most orgs):
Users can access uninstalled apps with either permission:
- Approve Uninstalled Connected Apps (new in Summer '25) - recommended for most cases
- Use Any API Client - broader permission, use sparingly
If API Access Control is ENABLED:
Only the Use Any API Client permission will work for accessing uninstalled apps.
Data Loader Specific Changes
Critical Deadline: September 2, 2025 - OAuth Device Flow support ends in Data Loader.
Required Actions:
- Switch authentication methods before September 2:
  - Password authentication (username + password + security token)
  - OAuth Web Server Flow (recommended)
- Update Data Loader - Salesforce will release a new version before September 2 with Device Flow support completely removed
- Note: Command line usage with encrypted passwords is unaffected
Common Migration Challenges
PKCE errors ("invalid code verifier"): Usually caused by a missing code_challenge_method=S256 parameter or incorrect base64url encoding of the challenge.
Blocked user access post-September: Fixed by assigning the appropriate permission based on your API Access Control status.
Data Loader login failures: Migrate authentication method before September 2, 2025.
Improper Connected App configuration: When installing apps, set "Permitted Users" to "Admin approved users are pre-authorized" for better security control.
Timeline and Action Plan
Immediate Actions (Before Sept 2, 2025)
Audit Connected Apps:
- Navigate to Setup → Connected Apps OAuth Usage
- Look for "Install" buttons in the Actions column (indicates uninstalled apps)
Identify Device Flow usage:
- Focus on Data Loader users
- Check any custom applications using Device Flow
Plan PKCE implementation:
- Review current OAuth flows
- Prepare development resources for PKCE migration
Migration Phase (Aug–Sep 2025)
Implement PKCE-enabled OAuth flow:
- Ensure proper base64url encoding
- Include the code_challenge_method=S256 parameter
- Test authorization and token exchange flows
Test in Salesforce sandbox:
- Validate PKCE implementation
- Test user permission assignments
- Verify Data Loader alternatives
Configure Connected Apps properly:
- Install trusted uninstalled apps using the "Install" button
- Set "Permitted Users" to "Admin approved users are pre-authorized"
- Assign access via Permission Sets following principle of least privilege
Prepare for Data Loader migration:
- Train users on new authentication methods
- Update documentation and procedures
- Test password authentication or Web Server Flow
Post-Migration (After Sept 2025)
Monitor authentication logs:
- Watch for failed authentication attempts
- Track Connected App usage patterns
- Monitor for security incidents
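A small detection pass over an authentication log, as an added example that is not part of the original post. It takes rows shaped like a Salesforce LoginHistory export (the UserId, LoginTime, SourceIp, Status and Application column names are taken from that object; every row value below is constructed for this example) and reports the two signals the post asks you to watch after the cut-over: users accumulating failed logins, and successful logins through Connected Apps that are not on your approved list. The approved-app names and the failure threshold are assumptions to replace with your own.

```python
"""Post-migration log review for Connected App usage (added example).

Assumptions: input rows carry LoginHistory-style columns; APPROVED_APPS and
FAIL_THRESHOLD are placeholders for the org's own allowlist and tolerance.
"""
import csv
import io
from collections import Counter, defaultdict

APPROVED_APPS = {"Data Loader", "Browser"}   # placeholder allowlist
FAIL_THRESHOLD = 3                           # repeated-failure alert level

# Constructed sample export; user ids, IPs and app names are made up.
SAMPLE_EXPORT = """\
UserId,LoginTime,SourceIp,Status,Application
005A1,2025-09-03T08:01:00Z,203.0.113.10,Success,Data Loader
005A1,2025-09-03T08:04:00Z,203.0.113.10,Invalid Password,Data Loader
005B2,2025-09-03T09:10:00Z,198.51.100.7,Success,Browser
005C3,2025-09-03T09:12:00Z,198.51.100.9,Invalid Password,Data Loader
005C3,2025-09-03T09:13:00Z,198.51.100.9,Invalid Password,Data Loader
005C3,2025-09-03T09:15:00Z,198.51.100.9,Invalid Password,Data Loader
005D4,2025-09-03T10:00:00Z,192.0.2.44,Success,Quick Export Tool
005B2,2025-09-03T10:30:00Z,198.51.100.7,Success,Quick Export Tool
"""


def parse_export(text: str) -> list:
    """Parse a CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def analyze(rows: list, approved_apps=APPROVED_APPS, fail_threshold=FAIL_THRESHOLD) -> dict:
    """Return users at or above the failure threshold and, for each app not on
    the allowlist, the users who logged in through it successfully."""
    failures = Counter()
    unapproved = defaultdict(set)
    for row in rows:
        if row["Status"] != "Success":
            failures[row["UserId"]] += 1
        elif row["Application"] not in approved_apps:
            unapproved[row["Application"]].add(row["UserId"])
    return {
        "repeated_failures": {u: n for u, n in failures.items() if n >= fail_threshold},
        "unapproved_apps": {app: sorted(users) for app, users in unapproved.items()},
    }


def report(findings: dict) -> list:
    """Render findings as one line per item, suitable for a ticket or alert."""
    lines = []
    for user, n in sorted(findings["repeated_failures"].items()):
        lines.append(f"FAILURES user={user} count={n}")
    for app, users in sorted(findings["unapproved_apps"].items()):
        lines.append(f"UNAPPROVED_APP app={app!r} users={','.join(users)}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(parse_export(SAMPLE_EXPORT))):
        print(line)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; an app that shows up under UNAPPROVED_APP is either a legitimate integration that belongs on the allowlist (and should be installed and restricted to pre-authorized users, as in the configuration step above) or one to investigate.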
Provide user support:
- Address access issues promptly
- Help users with new authentication methods
- Document common troubleshooting steps
Review security policies quarterly:
- Audit Connected App permissions regularly
- Review user access to sensitive integrations
- Consider enabling API Access Control for enhanced security
Enhanced Security Recommendations
Optional but Recommended: Enable API Access Control
Contact Salesforce Support to enable this feature, which provides:
- Allowlist-based Connected App access
- Granular control over which apps users can access
- Proactive blocking of unauthorized applications
User Education is Critical
- Train users to recognize social engineering attempts
- Establish clear procedures for requesting Connected App access
- Regularly communicate security best practices
- Remind users never to approve unfamiliar applications
Governance Framework
- Define clear ownership for each Connected App
- Establish approval processes for new integrations
- Implement regular access reviews
- Engage security teams in Connected App policies
Important Exception to Note
Existing Authorizations: Users who previously authorized Connected Apps can continue using them after September 2025, EXCEPT if those apps were authorized using Device Flow. All Device Flow authorizations will be immediately blocked regardless of previous usage.
Conclusion
Salesforce's deprecation of the Device Flow isn't just a technical upgrade—it's a critical security response to real-world attacks that have compromised major organizations. The recent breaches at high-profile companies demonstrate the urgent need for these security enhancements.
By migrating to Connected App OAuth2 Flow with PKCE and properly configuring permissions, organizations can:
- Protect against authorization code interception attacks
- Maintain compliance with Salesforce's evolving security requirements
- Reduce the attack surface available to social engineering campaigns
- Ensure business continuity for critical integrations
Key Success Factors:
- Start migration immediately - don't wait until September
- Test thoroughly in sandbox environments
- Focus on user education and governance
- Consider additional security layers like API Access Control
Preparing early, testing thoroughly, and implementing proper governance will minimize disruption while significantly strengthening your organization's security posture.