
Andrew Hanna

Tekunda Team

In September 2025, Salesforce is implementing major changes to Connected App security that will impact how your applications authenticate. Two big shifts are happening:
The OAuth 2.0 Device Flow will be blocked.
Uninstalled Connected Apps will no longer be accessible to most users.
This blog explains the migration away from the Device Login flow toward Connected App OAuth2 Flow with PKCE, why this change matters, and how to prepare with confidence.
The Device Flow (RFC8628) has a known vulnerability: it can be initiated with just a client_id. A malicious actor could exploit this in social engineering attacks, tricking users into approving untrusted apps.
Real-World Impact: Recent high-profile breaches at companies including KLM Airfrance, Adidas, Google, Qantas, and Allianz Life were executed by threat groups like UNC6040/ShinyHunters using exactly this attack vector. These attackers used social engineering (phone calls impersonating IT staff) to trick employees into authorizing malicious Connected Apps via Device Flow.
Salesforce has confirmed this vulnerability has been exploited in production environments, making the deprecation a security necessity rather than just a technical upgrade.
The secure replacement is PKCE (Proof Key for Code Exchange), an enhancement to the Authorization Code Flow that prevents interception of the authorization code.
Create a code_verifier (random, cryptographically secure string, 43-128 characters).
Hash it with SHA256 and base64url-encode it → code_challenge.
Important: Use base64url encoding (not standard base64). This
replaces + with -, / with _, and
removes padding = characters for URL safety.
Ensure you include the critical parameter that's essential for PKCE implementation:
code_challenge_method=S256
Example:
https://login.salesforce.com/services/oauth2/authorize? client_id=YOUR_CLIENT_ID& response_type=code& redirect_uri=YOUR_CALLBACK_URL& scope=full refresh_token& code_challenge_method=S256& code_challenge=YOUR_CODE_CHALLENGE& state=YOUR_RANDOM_STATE
Send the code and code_verifier back to Salesforce:
POST /services/oauth2/token grant_type=authorization_code client_id=YOUR_CLIENT_ID code=AUTH_CODE code_verifier=ORIGINAL_CODE_VERIFIER redirect_uri=CALLBACK_URL
Salesforce is adding new permissions with specific rules based on your org's configuration:
Users can access uninstalled apps with either permission:
Only the Use Any API Client permission will work for accessing uninstalled apps.
Critical Deadline: September 2, 2025 - OAuth Device Flow support ends in Data Loader.
PKCE errors ("invalid code verifier"): Usually caused by missing
code_challenge_method=S256 parameter or incorrect base64url encoding.
Blocked user access post-September: Fixed by assigning the appropriate permission based on your API Access Control status.
Data Loader login failures: Migrate authentication method before September 2, 2025.
Improper Connected App configuration: When installing apps, set "Permitted Users" to "Admin approved users are pre-authorized" for better security control.
Audit Connected Apps:
Identify Device Flow usage:
Plan PKCE implementation:
Implement PKCE-enabled OAuth flow:
code_challenge_method=S256 parameterTest in Salesforce sandbox:
Configure Connected Apps properly:
Prepare for Data Loader migration:
Monitor authentication logs:
Provide user support:
Review security policies quarterly:
Contact Salesforce Support to enable this feature, which provides:
Existing Authorizations: Users who previously authorized Connected Apps can continue using them after September 2025, EXCEPT if those apps were authorized using Device Flow. All Device Flow authorizations will be immediately blocked regardless of previous usage.
Salesforce's deprecation of the Device Flow isn't just a technical upgrade—it's a critical security response to real-world attacks that have compromised major organizations. The recent breaches at high-profile companies demonstrate the urgent need for these security enhancements.
By migrating to Connected App OAuth2 Flow with PKCE and properly configuring permissions, organizations can:
Key Success Factors:
Preparing early, testing thoroughly, and implementing proper governance will minimize disruption while significantly strengthening your organization's security posture.
Commitment free!