As part of the Summer '24 improvements, External Client Apps, the "Connected App v2", now have a Setup UI for creating them and support more OAuth flows. They were designed to improve security and to resolve the cumbersome packaging and distribution issues that affect connected apps. In Salesforce's own words, External Client Apps are the new generation of connected apps. They provide a better security model and can be packaged with second-generation (2GP) managed packaging. External client apps provide single sign-on (SSO) and use OAuth protocols to authorize third-party apps. There is a clearer separation between user roles, such as developer and admin, and better configuration management between the developers and the subscribers of an app. The Summer '24 release brings headless login, passwordless login, and guest user flows using the Authorization Code and Credentials Flow. You can also configure an external client app to issue JSON Web Token (JWT)-based access tokens. As you can see, the external client apps framework, a new and improved generation of connected apps, is catching up to connected apps fast.
As of June 2024, here are the key differences between Connected Apps and External Client Apps:
Feature | Connected Apps | External Client Apps |
---|---|---|
2GP Packaging | Restricted (1) | Available |
1GP Packaging | Available | Not available |
Distribution state management | Not available | Available |
Distinct developer and admin user roles | Not available | Available |
Subscriber association and disassociation | Not available | Available |
Salesforce Setup UI | Available | Available |
Metadata API | Restricted (2) | Available |
OAuth 2.0 | Available | Restricted (3) |
SAML | Available | Not available |
OpenID Connect | Available | Available |
OAuth consumer key and consumer secret rotation | Available | Restricted (4) |
API for OAuth consumer key and consumer secret rotation | Not available | Available |
Trusted IP Range for OAuth Web Server Flow | Available | Available |
Sandbox copy | Available | Available (5) |
API access control | Available | Not needed (6) |
Custom attribute creation | Available | Available |
Audit support | Available | Available |
Logging support | Available | Available |
Start URL management | Available | Not available |
OAuth access policy management | Available | Available |
IP relaxation | Available | Available |
Session policy management | Available | Available |
Mobile policy management | Available | Not available |
Custom handler management | Available | Not available |
User provisioning | Available | Not available |
OAuth usage management | Available | Restricted (7) |
Profile management | Available | Not available |
Permission set management | Available | Available |
Data access management (OAuth) | Available | Not available |
Canvas | Available | Not available |
Notifications | Available | Not available |
In order to enable External Client App capability, go to:
Setup->Apps->External Client Apps->Settings:
Once you do that, refresh the page and a new entry called "External Client App Manager" appears under Setup->Apps->External Client Apps. Click "External Client App Manager" and select the button that says "New External Client App".
If you open the API tree, you will see settings similar to those of connected apps. Note the "Distribution State" dropdown. External client apps can be local or packageable. Local apps are developed and used in a single Salesforce org. Packageable apps are packaged with second-generation (2GP) managed packaging and distributed to subscriber orgs. Local external client apps are not copied to a new sandbox when you clone or refresh a sandbox; only packaged external client apps are copied.
Upon creation of your External Client App, you are taken to a screen with, in my personal opinion, a much better UI. Three tabs give you a clear breakdown of the app in fewer clicks.
For the most part, the setup and administration of external client apps is similar to the existing connected apps functionality. To see OAuth usage, you need to call a REST endpoint rather than reading it from the UI as you can for connected apps. Please see: External Client App OAuth Usage (salesforce.com). My recommendation would be to take a look at External Client Apps if you are keen on improving security and your org is heavily invested in unlocked or second-generation (2GP) packaging. New capabilities are coming to External Client Apps, but at present there is not parity between the two: a few features available for connected apps are not yet ready for external client apps. The external client app OAuth features still in development include dynamic client registration. So, pick the option that makes sense based on the feature set and your needs. I hope this has been useful in your understanding of External Client Apps.
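The comparison above lists the OAuth Web Server Flow (authorization code) as supported by both app types, and the authorization code flows are where most of the client-side security work lives. The following is an added example, not code from the original post or from Salesforce: the client half of the web server flow with PKCE, written so it can be exercised offline. The endpoint paths `/services/oauth2/authorize` and `/services/oauth2/token` are Salesforce's documented OAuth endpoints; the consumer key, redirect URI, state values and the fake authorization server used for the demo are constructed sample values, and `verify_pkce` shows what the server checks rather than being a Salesforce API.

```python
"""Client side of the OAuth 2.0 web server flow with PKCE, as an external
client app (or connected app) would implement it against a Salesforce org.

Added example; not the original post's or Salesforce's code. Consumer key,
redirect URI and the in-memory authorization server are constructed samples.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Use the org's My Domain or test.salesforce.com for sandboxes (assumption: production login).
LOGIN_HOST = "https://login.salesforce.com"
CONSUMER_KEY = "3MVG9_constructed_sample_consumer_key"   # constructed, not a real key
REDIRECT_URI = "https://app.example.com/oauth/callback"  # constructed, must match the app's registered callback


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes give a 43-character verifier, the RFC 7636 minimum."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    S256 challenge from the presented verifier and compare in constant time."""
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


def build_authorize_url(state: str, code_challenge: str, scope: str = "api refresh_token") -> str:
    """Step 1: the URL the user's browser is sent to. `state` and the PKCE
    verifier are bound to this login attempt and kept in the server-side session."""
    params = {
        "response_type": "code",
        "client_id": CONSUMER_KEY,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back to REDIRECT_URI and extract the code.
    A state mismatch is treated as CSRF/login injection and the callback is dropped."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> tuple[str, dict]:
    """Step 3: form body for POST /services/oauth2/token. A confidential client
    also sends client_secret; with PKCE a public client can omit it."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CONSUMER_KEY,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    return f"{LOGIN_HOST}/services/oauth2/token", body


def run_flow(open_browser, post) -> dict:
    """Drive the three steps. `open_browser(url) -> callback_url` and
    `post(url, body) -> dict` are injected so the flow runs without a network."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    callback_url = open_browser(build_authorize_url(state, challenge))
    code = parse_callback(callback_url, state)
    token_url, body = build_token_request(code, verifier)
    return post(token_url, body)


class FakeAuthServer:
    """Constructed in-memory stand-in for the Salesforce endpoints: it issues a
    code bound to the challenge and only exchanges it if the verifier matches."""

    def __init__(self) -> None:
        self.codes: dict[str, str] = {}

    def open_browser(self, url: str) -> str:
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(8)
        self.codes[code] = q["code_challenge"][0]
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def post(self, url: str, body: dict) -> dict:
        challenge = self.codes.pop(body["code"], None)  # codes are single-use
        if challenge is None or not verify_pkce(body["code_verifier"], challenge):
            return {"error": "invalid_grant"}
        return {"access_token": "constructed-sample-token", "token_type": "Bearer"}


if __name__ == "__main__":
    server = FakeAuthServer()
    print(run_flow(server.open_browser, server.post))
```

Two checks carry the security value here: the `state` comparison in `parse_callback`, which rejects a callback that was not initiated by this session, and the verifier/challenge binding, which means an authorization code intercepted from the redirect is useless without the verifier the client never sent over the front channel. A confidential client keeps the consumer secret server-side and adds it to the token request; it does not replace PKCE.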