oauth-redirect-and-domain-strategy

Design Connected App OAuth callback URLs, My Domain naming, Enhanced Domains cutover, and cross-environment redirect handling. Trigger keywords: oauth redirect uri, connected app callback, my domain, enhanced domains, sandbox url change, oauth login host. Does NOT cover: end-user login flow UX, Experience Cloud branding, or SAML-only SSO configuration.

Best use case

oauth-redirect-and-domain-strategy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using oauth-redirect-and-domain-strategy should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/oauth-redirect-and-domain-strategy/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/oauth-redirect-and-domain-strategy/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/oauth-redirect-and-domain-strategy/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How oauth-redirect-and-domain-strategy Compares

| Feature / Agent | oauth-redirect-and-domain-strategy | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OAuth Redirect And Domain Strategy

## The Moving Parts

- **My Domain** — every org has one. Login host is now
  `acme.my.salesforce.com` (prod) or `acme--sandbox.sandbox.my.salesforce.com`
  (sandbox). Classic `login.salesforce.com` and `test.salesforce.com`
  still work for initial auth but redirect to My Domain.
- **Enhanced Domains** — enforced on all orgs. URL format stabilises
  across orgs; old URL patterns may break.
- **Connected App Callback URLs** — an allowlist of exact-match redirect
  URIs. A mismatch at runtime produces a `redirect_uri_mismatch` error.
- **Login host** — what the client sends token requests to.
  `login.salesforce.com` works for prod; for sandboxes prefer the
  sandbox My Domain directly.

## Callback URL Design

- **Exact match, not prefix**. `https://app.example.com/callback` does
  NOT match `https://app.example.com/callback?x=1` automatically.
- Put the callback URLs for **every environment** the Connected App
  serves into the Connected App definition — prod callback AND uat AND
  dev. Missing one at cutover = downtime.
- Do not use wildcards — they are not supported.

## Per-Environment Pattern

| Environment | Login Host | Client Callback |
|---|---|---|
| Production | login.salesforce.com | https://app.example.com/callback |
| UAT | test.salesforce.com | https://uat.example.com/callback |
| Developer sandbox | test.salesforce.com | https://dev.example.com/callback |

Clients usually have a per-env config toggle for base URL + login host.

## My Domain Naming

- Short, lowercased, no dashes where avoidable.
- Keep it the same across refreshes — rename = client updates.
- For sandboxes: Salesforce appends `--<sandboxname>`. Clients should
  read the host from an env var, not hardcode.

## Enhanced Domains Cutover

- Old URL patterns (`c.na123.visual.force.com`, etc.) change.
- Inventory hardcoded URLs in:
  - Apex (string literals, metadata references).
  - LWC/Aura (fetch targets).
  - External systems (webhook registrations, integrations).
  - Email templates (absolute links).
- Run the pre-cutover "known issues" scanner Salesforce provides.
- Rehearse in a sandbox first.
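The inventory step above is the one most teams skip until the cutover breaks something. The following is an added example for this page, not the skill's own tooling and not the Salesforce-provided "known issues" scanner: a small scanner that walks a set of source files (constructed samples standing in for Apex, LWC, an email template and a client config) and reports hardcoded legacy hosts. Only the `c.na123.visual.force.com` form is named by the skill; the bare instance-host pattern (`na123.salesforce.com`) and the classic login-host pattern are assumptions, labelled in the code.

```python
"""Inventory hardcoded Salesforce URLs ahead of an Enhanced Domains cutover.

Added example for this skill page; it is neither the skill's own tooling
nor the Salesforce "known issues" scanner. The sample files are constructed.
Only the c.na123.visual.force.com form is named by the skill; the other two
patterns are assumptions.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    category: str
    severity: str  # "breaks": host stops resolving; "review": works but bounces
    url: str


# (category, severity, compiled pattern)
LEGACY_PATTERNS = [
    # Visualforce host carrying an instance name, e.g. c.na123.visual.force.com
    # (the form named by the skill).
    ("visualforce-instance", "breaks",
     re.compile(r"\b[\w-]+\.[a-z]{2,4}\d+\.visual\.force\.com\b", re.I)),
    # Bare instance host, e.g. na123.salesforce.com (assumed legacy pattern).
    ("instance-host", "breaks",
     re.compile(r"\b[a-z]{2,4}\d+\.salesforce\.com\b", re.I)),
    # Classic login hosts still resolve but bounce to My Domain; the skill
    # prefers pointing clients at My Domain directly, so flag for review.
    ("classic-login-host", "review",
     re.compile(r"\b(?:login|test)\.salesforce\.com\b", re.I)),
]

# Constructed sample files: path -> contents. The LWC file already uses a
# My Domain host and should produce no finding.
SAMPLE_FILES: Dict[str, str] = {
    "classes/OrderService.cls":
        "String base = 'https://c.na123.visual.force.com/apex/OrderPage';\n",
    "lwc/orderList/orderList.js":
        "fetch('https://acme.my.salesforce.com/services/data/v60.0/query');\n",
    "email/templates/Welcome.email":
        "Open https://na123.salesforce.com/RECORD_ID to view your account.\n",
    "config/client.env":
        "SF_LOGIN_HOST=test.salesforce.com\n",
}


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every legacy-host occurrence in one file, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, severity, pattern in LEGACY_PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, category, severity,
                                        match.group(0)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a path -> contents mapping (file order preserved)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for the cutover checklist."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.severity:6} {f.path}:{f.line} [{f.category}] {f.url}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

To use this on a real repository, replace `SAMPLE_FILES` with a walk over the source tree (including email templates and any exported webhook or integration registrations). Treat "breaks" findings as blockers for the rehearsal sandbox and "review" findings as the login-host migration backlog.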

## Login Host Strategy

- **Prod clients:** either `login.salesforce.com` or the org's My Domain
  directly. My Domain is preferred (no redirect bounce).
- **Sandbox clients:** the sandbox My Domain directly.
  `test.salesforce.com` redirects and some OAuth libraries handle that
  redirect awkwardly.
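The callback-URL rules, the per-environment table and the login-host guidance above fit together as one small piece of client-side configuration. The following is an added example for this page (not code from the skill, from Salesforce, or from any OAuth library): it models the Connected App's exact-match callback rule, checks a redirect URI matrix for environments whose callback has not been registered, and selects the login host from an environment variable rather than a hardcoded string. Environment names, My Domain hosts, callback URLs and the variable name `SF_LOGIN_HOST` are constructed sample values.

```python
"""Redirect URI matrix, exact-match callback check and login-host selection.

Added example for this skill page; not code from the skill or from
Salesforce. Environment names, My Domain hosts, callback URLs and the
SF_LOGIN_HOST variable name are constructed sample values.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Set


@dataclass(frozen=True)
class Env:
    name: str
    my_domain_host: str   # the org's My Domain login host for this environment
    client_callback: str  # exact redirect_uri the client sends for this env


# Constructed redirect URI matrix: one row per environment the Connected App
# serves. Every client_callback here must also be registered on the app.
ENVS: Dict[str, Env] = {
    "prod": Env("prod", "acme.my.salesforce.com",
                "https://app.example.com/callback"),
    "uat": Env("uat", "acme--uat.sandbox.my.salesforce.com",
               "https://uat.example.com/callback"),
    "dev": Env("dev", "acme--dev.sandbox.my.salesforce.com",
               "https://dev.example.com/callback"),
}


def callback_matches(registered: Set[str], redirect_uri: str) -> bool:
    """Model the Connected App callback rule: exact string match only.

    No prefix, wildcard or normalisation: a registered
    https://app.example.com/callback covers neither "...?x=1" nor a
    trailing slash. A False here is what surfaces at runtime as
    redirect_uri_mismatch.
    """
    return redirect_uri in registered


def missing_callbacks(registered: Set[str], envs: Mapping[str, Env]) -> List[str]:
    """Environments whose callback is not registered on the Connected App.

    Run against the matrix before a cutover or sandbox refresh; each name
    returned is an environment whose OAuth flow would fail on day one.
    """
    return sorted(e.name for e in envs.values()
                  if e.client_callback not in registered)


def login_host(env: Env, env_vars: Optional[Mapping[str, str]] = None) -> str:
    """Login host the client sends OAuth requests to for this environment.

    Prefers the org's My Domain directly over login/test.salesforce.com
    (no redirect bounce). The host is read from an environment variable
    (assumed name SF_LOGIN_HOST) rather than hardcoded, so a sandbox refresh
    or My Domain rename only changes deployment config, not client code.
    """
    source = os.environ if env_vars is None else env_vars
    return source.get("SF_LOGIN_HOST") or env.my_domain_host


if __name__ == "__main__":
    # Constructed Connected App callback list with the dev URL left out.
    registered = {"https://app.example.com/callback",
                  "https://uat.example.com/callback"}
    print("unregistered environments:", missing_callbacks(registered, ENVS))
    print("uat login host:", login_host(ENVS["uat"], env_vars={}))
```

Wire `missing_callbacks` into the release checklist (step 2 of the workflow) and keep the matrix in version control next to the Connected App metadata, so adding an environment and registering its callback happen in the same change.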

## Recommended Workflow

1. Enumerate Connected Apps + environments.
2. Build the redirect URI matrix (exact URLs per env).
3. Audit hardcoded URLs across Apex, LWC, metadata, email templates,
   and external registrations.
4. Standardise My Domain name; avoid renames.
5. Point OAuth clients at the org's My Domain as the login host.
6. Rehearse Enhanced Domains cutover in a sandbox.
7. Monitor `redirect_uri_mismatch` rates post-change.

## Official Sources Used

- Connected App OAuth Configuration —
  https://help.salesforce.com/s/articleView?id=sf.connected_app_create_api_integration.htm
- My Domain Overview —
  https://help.salesforce.com/s/articleView?id=sf.domain_name_overview.htm
- Enhanced Domains —
  https://help.salesforce.com/s/articleView?id=sf.domain_name_enhanced_domains_overview.htm

Related Skills

shield-event-log-retention-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).

oauth-token-management

from PranavNagrecha/AwesomeSalesforceSkills

Use when work depends on how Salesforce OAuth access and refresh tokens are issued, refreshed, rotated, revoked, or introspected for a Connected App or API client—including unexpected logouts, invalid_grant after refresh, or designing token incident response. NOT for choosing which OAuth grant or Connected App flow to implement (use integration/oauth-flows-and-connected-apps), Named Credential packaging (use integration/named-credentials-setup), or broad Connected App IP and PKCE policy hardening without a token-lifecycle angle (use security/connected-app-security-policies).

mfa-enforcement-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Plan and operate Salesforce org-wide multi-factor authentication (MFA) enforcement: verification methods, phased rollout, SSO and API-only considerations, exemptions, and operational readiness. NOT for designing Login Flow post-authentication logic, IP allowlists, or conditional step-up policies—use ip-range-and-login-flow-strategy, network-security-and-trusted-ips, or transaction-security-policies instead.

ip-range-and-login-flow-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Design and implement Salesforce Login Flows (Screen Flows assigned to profiles or Experience Cloud sites) that run post-authentication to enforce conditional MFA, IP-based branching, terms-of-service acceptance, or user data collection. Covers Login Flow creation in Flow Builder, profile/site assignment, IP-aware decision logic, and ConnectedAppPlugin extension points. NOT for static IP allowlisting or profile Login IP Ranges (see network-security-and-trusted-ips), org-wide session policies, or SSO/SAML IdP configuration.

oauth-flows-and-connected-apps

from PranavNagrecha/AwesomeSalesforceSkills

Use when choosing or reviewing Salesforce OAuth flows and connected-app policy for integrations, including client credentials, JWT bearer, authorization code, device flow, scopes, and token lifecycle controls. Triggers: 'OAuth flow', 'connected app', 'client credentials', 'JWT bearer', 'refresh token', 'integration user'. NOT for record-level sharing design or for simple Named Credential usage when the auth-flow decision is already settled.

data-cloud-integration-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when designing or troubleshooting the data pipeline strategy for connecting source systems to Data Cloud — including ingestion API pattern selection (streaming vs. batch), connector type decisions, DSO-to-DLO-to-DMO pipeline lag, and lakehouse federation patterns. Triggers on: Data Cloud ingestion API setup, streaming vs batch connector decision, Data Cloud connector types, MuleSoft Direct for Data Cloud, data pipeline lag for segmentation. NOT for standard Salesforce integration patterns (use integration-patterns skill), not for querying Data Cloud once data is ingested (use data-cloud-query-api), not for configuring standard admin connectors through the UI only.

api-versioning-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Design versioning for custom Apex REST endpoints: URI versioning, backward compatibility, deprecation sunset. NOT for consuming external APIs.

flow-versioning-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Manage Flow versions: activation policy, paused interview compatibility, cleanup cadence, and breaking-change detection. Trigger keywords: flow version management, activate flow version, paused interview, flow cleanup, flow breaking change, flow rollback. Does NOT cover: FlowDefinition metadata deploy order (see devops skill), Process Builder retirement, or Flow test coverage (separate skill).

rollback-and-hotfix-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Planning and executing metadata rollbacks and emergency hotfixes in Salesforce orgs. Use when a production deployment causes regression and needs to be reverted, or when an urgent fix must bypass the normal release pipeline. Covers pre-deploy archive bundles, quick deploy for hotfixes, non-rollbackable component handling, and hotfix branch isolation. NOT for routine CI/CD pipeline setup (use continuous-integration-testing). NOT for destructive changes authoring (use destructive-changes-deployment).

package-development-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when deciding between Salesforce package development approaches — unmanaged, unlocked, 1GP managed, or 2GP managed — including namespace selection, ISV distribution requirements, upgrade path design, and AppExchange packaging strategy. Trigger keywords: should I use managed or unlocked package, Salesforce package type selection, 2GP vs 1GP managed package, namespace decision Salesforce, ISV AppExchange packaging, unlocked package strategy. NOT for individual package creation steps, scratch org setup, or day-to-day package version build commands.

environment-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing the full environment topology for a Salesforce program — selecting which org types to provision, how many, and how they map to your branching strategy and release pipeline. Trigger keywords: 'environment strategy', 'org topology', 'scratch org vs sandbox', 'how many environments do I need', 'environment planning', 'DevOps environment design'. NOT for sandbox-type-only decisions (use admin/sandbox-strategy), NOT for scratch org lifecycle or daily usage (use devops/scratch-org-management), NOT for release pipeline mechanics (use devops/release-management).

external-id-strategy

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when designing, selecting, or troubleshooting external ID fields on Salesforce objects for upsert operations, cross-system record correlation, or idempotent data loads. Trigger keywords: external ID field design, upsert key strategy, cross-system record matching, source system ID mapping, composite key for uniqueness, duplicate insert on upsert, relationship resolution by external ID. NOT for data migration steps (use data-migration-planning), NOT for REST API upsert endpoint wiring (use rest-api-patterns), NOT for general data model field decisions (use data-model-design-patterns).