Overview
Salesforce has recently tightened security around Connected Apps. This means users will no longer be able to self-authorize an app that is not installed on the org.
- Existing connections → No impact (your current integrations will continue working).
- New app connections → Admin must pre-authorize the Connected App before users can authenticate.
If the app is not pre-authorized, users will see a generic login failure.

However, the URL will include an error message like:
?error=invalid_client&error_description=app+must+be+installed+into+org&display=touch
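For support triage, the error pair in that URL can be checked mechanically. The following is an added example, not Salesforce code or part of the original article; the function names, result labels and the `login.example.test` sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Error pair quoted on this page for a Connected App that is not installed in the org.
BLOCKED_ERROR = "invalid_client"
BLOCKED_DESCRIPTION = "app must be installed into org"


def oauth_error_params(url: str) -> dict:
    """Return the parameters found in a URL's query string or fragment."""
    parts = urlsplit(url.strip())
    params = {}
    # Look in both places; parse_qs decodes '+' and %XX escapes for us.
    for component in (parts.query, parts.fragment):
        for key, values in parse_qs(component).items():
            params.setdefault(key.lower(), values[0])
    return params


def classify_login_failure(url: str) -> str:
    """Classify a failed-login URL pasted into a support ticket."""
    params = oauth_error_params(url)
    error = params.get("error", "").lower()
    # Normalise case and whitespace so '+' and '%20' encodings compare equal.
    description = " ".join(params.get("error_description", "").lower().split())
    if error == BLOCKED_ERROR and description == BLOCKED_DESCRIPTION:
        return "needs_admin_preauthorization"  # admin follows the steps on this page
    if error:
        return "other_oauth_error"
    return "no_oauth_error"


# Constructed sample URLs (host and path are placeholders, not real endpoints).
SAMPLES = [
    "https://login.example.test/err?error=invalid_client"
    "&error_description=app+must+be+installed+into+org&display=touch",
    "https://login.example.test/err?error=invalid_client"
    "&error_description=App%20must%20be%20installed%20into%20org",
    "https://login.example.test/err?error=access_denied"
    "&error_description=end-user+denied+authorization",
    "https://login.example.test/home",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_login_failure(sample), "<-", sample)
```

A result of `needs_admin_preauthorization` means the ticket should be routed to a Salesforce admin for the pre-authorization steps rather than treated as a password or credential problem.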
To proceed with the steps below, users will need the new Approve Uninstalled Connected Apps permission. It is automatically assigned to the System Administrator standard profile, but custom profiles aren’t automatically updated.
Steps for Salesforce Admins to Pre-Authorize Connected Apps
1. Go to Setup
- From Salesforce, click the gear icon (⚙️) → Setup.
2. Search for “Connected Apps”
- In Quick Find, type Connected Apps and select Connected Apps OAuth Usage.
- If you see the App in question, and it is installed, your user could still be blocked. Click its Manage App Policies link to review the Policy.
- Under Permitted Users, if Admin approved users are pre-authorized is selected, you can proceed to Step 3 to grant access through permissions.
- If you see the App in question, and it is NOT installed, you can review the User Count by clicking the number to see who has authorized already. You can then select the Install button to install it.
- A new tab will open that asks “Install connected app?” - click the Install button.
- This will take you to the policy you’ve now created. The default value for Permitted Users is All Users may self-authorize - if you want to keep that, your user will now be able to authorize.
- If you want to require users to be pre-authorized, you can use the Edit Policies button to adjust and you will see a warning that all existing authorizations will be revoked. Then proceed to Step 3 to grant access through permissions.
- If you do not see the App in question, a user with the Use Any API Client permission must first attempt to authenticate to get the App on the OAuth Usage list. Then you can return to the step above to install the App.
3. Manage Profiles or Permission Sets
- If leveraging the Admin approved users are pre-authorized setting, you will need to grant permissions for the App. Either manage profiles for the app by editing each profile’s Connected App Access list, or manage permission sets for the app by editing each permission set’s Assigned Connected App list.
- This explicitly grants OAuth access to the Connected App.
Key Takeaways
- Salesforce now enforces admin pre-authorization for all new Connected Apps.
- Existing connections to uninstalled apps will continue to work. New connections to uninstalled apps will fail in the same way as attempts to connect new Connected Apps.
- Admins must proactively configure OAuth permissions for new apps before users can log in.