External Client vs. Connected Apps: Comparing Salesforce’s Next-Gen Integration
By Tom Bassett
October 14, 2024
The next generation of Connected Apps has arrived in the form of External Client Apps! These apps are designed to offer features that Connected Apps were lacking and bring enhanced security.
In this article, we will dive into the features and define the differences between Connected Apps and External Client Apps.
What Is a Connected App?
A Connected App is a way for something outside of your Salesforce org to connect to Salesforce. This covers a variety of integrations, such as Data Loader inserting, updating, deleting, or exporting records.
The Salesforce Mobile App uses a Connected App to log in to the system and you can configure custom Connected Apps for your own integrations too.
What Is an External Client App?
An External Client App is another way for an external system to connect to Salesforce.
They are designed to deliver in areas where Connected Apps couldn’t, such as working cleanly with the latest generation of Salesforce packaging (2GP) and being closed to users by default, unlike Connected Apps, which are open to all users until an admin restricts them.
Packaging
Packaging relates to releasing your solution as a package others can install. Salesforce initially implemented First Generation Packaging (1GP) with the next evolution being Second Generation Packaging (2GP). Perhaps unsurprisingly, External Client Apps only work with 2GP, whereas Connected Apps work with both generations. It’s worth noting that Connected Apps require manual steps when using 2GP.
External Client Apps can be either Local or Packaged. Packaged External Client Apps can only be released as Managed Packages, whilst Local versions are designed for use in your own org only. Connected Apps have no equivalent Local/Packaged distinction.
Management
One of the selling points of External Client Apps is “distinct admin and developer roles”. With External Client Apps, developers manage settings (the app definition and OAuth configuration) whereas admins manage policies (who may use the app and under what restrictions). This matters in a packaging context, where the developer wants control of the settings files while the subscribing org’s admin keeps control of the policies. With Connected Apps, settings and policies live in the same file.
Both External Client Apps and Connected Apps can be managed from Salesforce Setup. Both also support management with the Metadata API, although Connected App support there is more limited.
External Client Apps are unique in that they can be associated with, or disassociated from, the global OAuth settings held in the source org. These settings store the consumer key, secret, and other OAuth details. Connected Apps have no direct equivalent.
Connected Apps can be exposed as a Canvas App and can send Notifications; neither feature is currently available for External Client Apps.
When you clone a Sandbox, Connected Apps are copied across. External Client Apps are only copied if they are packaged.
Authentication
When it comes to authentication, Connected Apps support more OAuth Flows than External Client Apps. A summary of the differences is detailed below:
| Flow | Connected App | External Client App |
|---|---|---|
| Headless Identity Flows | ✅ | ✅ |
| OAuth 2.0 Web Server Flow | ✅ | ✅ |
| OAuth 2.0 User-Agent Flow | ✅ | ✅ |
| OAuth 2.0 Refresh Token Flow | ✅ | ✅ |
| OAuth 2.0 Token Exchange Flow | ✅ | ✅ |
| OAuth 2.0 JWT Bearer Flow | ✅ | ✅ |
| OAuth 2.0 Client Credentials Flow | ✅ | ✅ |
| OAuth 2.0 Device Flow | ✅ | ✅ |
| OAuth 2.0 Asset Token Flow | ✅ | ✅ |
| OAuth 2.0 Username-Password Flow for Special Scenarios ⚠️^ | ✅ | not supported |
| OAuth 2.0 SAML Bearer Assertion Flow | ✅ | not supported |
^ Salesforce does not recommend this flow: the user’s username and password are sent directly to the token endpoint, so the client handles raw credentials rather than a short-lived assertion or token.
Connected Apps can act as a SAML or OpenID Connect identity provider, allowing users to sign in to another system with their Salesforce credentials; External Client Apps do not offer this. If you want to pass additional user information such as Job Title to the other system, you can use Custom Attributes in both Connected Apps and External Client Apps.
With both Connected Apps and External Client Apps you can generate new Consumer Keys and Secrets, either because the existing ones have been compromised or as part of periodic rotation, which is a security best practice.
Security
Communication with external systems needs to be secured and auditable, and both app types give you policy controls for this.
Both External Client Apps and Connected Apps support Trusted IP Addresses with the OAuth Web Server Flow, and policy and setting updates are tracked in the Setup Audit Trail. Both let you set IP Address Restrictions, Refresh Token Validity, and Session Timeout, and both can require two-factor authentication (a high-assurance session) if needed.
Connected Apps support “API Access Control”, which limits API access to an approved list of apps. You can also monitor connections, revoke a session, and install or uninstall Connected Apps. API Access Control is not needed for External Client Apps because they are closed by default: no user can authorise one until an admin explicitly grants access.
A Start URL controls where a User is directed when they use a Connected App or External Client Apps.
With Connected Apps, you can secure mobile apps with a PIN and enable user provisioning. These features are not available with External Client Apps. Should you want control over how a Connected App is launched, you can write a Custom Connected App Handler in Apex; with External Client Apps this isn’t an option.
Using both External Client Apps and Connected Apps, you can restrict access to specific profiles or permission sets. Profile support was added to External Client Apps to avoid issues when migrating from Connected Apps. Remember that a permission-set-centric model has been the best practice for security and access for some time now.
Summary
With each release, Salesforce bridges the gap between Connected Apps and External Client Apps a little further, and it has also introduced the ability to migrate a Connected App to an External Client App.
I’m excited to see what the future of External Client Apps has to offer and think in the very near future we will have feature parity between the different options.
Tom is a 33x Trailhead certified, 2x Slack certified, and an 11x accredited professional with over six years of experience in the Salesforce ecosystem.