ConnectedAppPlugin Class

Customize the behavior of a connected app to support new authentication protocols or respond to user attributes in a way that benefits a business process.

Namespace

Auth

Usage

The class runs on behalf of the current user of the connected app. This user must have permission to use the connected app for the plugin to work.

Example

The following example gives the user permission to use the connected app if a specified quota is met, and returns the user’s permission set assignments.

global class ConnectedAppPluginExample extends Auth.ConnectedAppPlugin {

    // Authorize the app if the user has achieved quota, tracked in a custom
    // checkbox field on User (HasAchievedQuota__c).
    global override Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved) {
        // The bind variable (:userId) keeps the SOQL query parameterized.
        // A single-row assignment throws if no User matches the ID.
        User u = [SELECT Id, HasAchievedQuota__c FROM User WHERE Id = :userId];
        return u.HasAchievedQuota__c;
    }

    // Call a flow during the refresh token exchange
    global override void refresh(Id userId, Id connectedAppId) {
        try {
            Map<String, Object> inputVariables = new Map<String, Object>();
            inputVariables.put('userId', userId);
            inputVariables.put('connectedAppId', connectedAppId);
            Flow.Interview.MyCustomFlow interview = new Flow.Interview.MyCustomFlow(inputVariables);
            interview.start();
        } catch (Exception e) {
            // A failing flow is logged rather than allowed to break the token exchange
            System.debug('FLOW Exception: ' + e);
        }
    }

    // Return the user's permission set assignments as a custom attribute
    global override Map<String, String> customAttributes(Id userId, Map<String, String> formulaDefinedAttributes) {
        List<PermissionSetAssignment> psas = [
            SELECT Id, PermissionSet.Name
            FROM PermissionSetAssignment
            WHERE PermissionSet.IsOwnedByProfile = false AND AssigneeId = :userId
        ];
        String permsets = '[';
        for (PermissionSetAssignment psa : psas) {
            permsets += psa.PermissionSet.Name + ';';
        }
        permsets += ']';
        // This value is delivered to the connected app via UserInfo or the SAML assertion
        formulaDefinedAttributes.put('PermissionSets', permsets);
        return formulaDefinedAttributes;
    }
}

ConnectedAppPlugin Methods

The following are methods for ConnectedAppPlugin.

authorize(userId, connectedAppId, isAdminApproved)

Decides whether the specified user is authorized to use the connected app.

Signature

public Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved)

Parameters

userId
Type: Id
The 15-character ID for the user to whom you want to give access to the connected app.
connectedAppId
Type: Id
The 15-character ID for the connected app.
isAdminApproved
Type: Boolean
Indicates the approval state for the specified user to use the connected app.

Return Value

Type: Boolean

If the connected app requires admin approval, return true to approve the current user and false to deny access.

Usage

If the connected app is set for users to self-authorize, this call isn't necessary. When the app does require admin approval, the return value is an authorization decision: deny by default, and never return true from an error path.
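The following is an added example, not code from the Salesforce documentation, showing a fail-closed authorize() implementation. It only grants access when the admin-approval state passed in isAdminApproved is true and an assumed custom checkbox field on User, Contractor_Offboarded__c (a hypothetical name), is false; any exception or missing user record results in denial. The accompanying test class is also assumed and only exercises the paths that need no test data.

```apex
// Added example (not from the Salesforce documentation): a fail-closed
// authorize() that narrows, never widens, the admin-approval decision.
global class FailClosedConnectedAppPlugin extends Auth.ConnectedAppPlugin {

    global override Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved) {
        // Respect the approval decision made in Setup; this plugin can only
        // add further conditions on top of it.
        if (isAdminApproved != true) {
            return false;
        }
        try {
            // Contractor_Offboarded__c is a hypothetical custom checkbox field.
            // The bind variable keeps the query parameterized.
            List<User> users = [
                SELECT Id, IsActive, Contractor_Offboarded__c
                FROM User
                WHERE Id = :userId
                LIMIT 1
            ];
            if (users.isEmpty()) {
                return false;   // unknown user: deny
            }
            User u = users[0];
            return u.IsActive && !u.Contractor_Offboarded__c;
        } catch (Exception e) {
            // Any failure (query error, governor limit, ...) denies rather than grants.
            System.debug(LoggingLevel.ERROR, 'authorize failed closed: ' + e.getMessage());
            return false;
        }
    }
}

// Hypothetical unit test: the deny paths need no fixture data.
@isTest
private class FailClosedConnectedAppPluginTest {
    @isTest
    static void deniesWhenNotAdminApproved() {
        FailClosedConnectedAppPlugin plugin = new FailClosedConnectedAppPlugin();
        System.assertEquals(false, plugin.authorize(UserInfo.getUserId(), null, false));
        System.assertEquals(false, plugin.authorize(UserInfo.getUserId(), null, null));
    }

    @isTest
    static void deniesUnknownUser() {
        FailClosedConnectedAppPlugin plugin = new FailClosedConnectedAppPlugin();
        // A syntactically valid User ID that does not exist in the org
        Id missing = Id.valueOf('005000000000000AAA');
        System.assertEquals(false, plugin.authorize(missing, null, true));
    }
}
```

The plugin can be unit-tested by calling authorize() directly, since it is an ordinary Apex method; only the grant path needs a User record with the custom field set.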

customAttributes(userId, formulaDefinedAttributes)

Sets new attributes for the specified user. When the connected app gets the user's attributes from the UserInfo endpoint or through a SAML assertion, use this method to update those attribute values. Everything in the returned map is delivered to the connected app, so add only the attributes the app needs.

Signature

public Map<String,String> customAttributes(Id userId, Map<String,String> formulaDefinedAttributes)

Parameters

userId
Type: Id
The 15-character ID for the user associated with the attributes.
formulaDefinedAttributes
Type: Map<String,String>
A map of the current set of attributes from the UserInfo endpoint (OAuth) or from a SAML assertion. For more information, see The UserInfo Endpoint in the online help.

Return Value

Type: Map<String,String>

A map of the updated set of attributes.
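The following is an added example, not code from the Salesforce documentation, showing a customAttributes() implementation that discloses the minimum: instead of listing every permission set, it adds a single attribute stating whether the user holds one specific permission set, and it never overwrites an attribute the admin already defined with a formula. The permission set API name Partner_Portal_Admin and the attribute name partner_admin are hypothetical.

```apex
// Added example (not from the Salesforce documentation): least-disclosure
// custom attributes that leave formula-defined attributes untouched.
global class MinimalAttributesConnectedAppPlugin extends Auth.ConnectedAppPlugin {

    // Hypothetical permission set API name the relying app cares about
    private static final String PARTNER_ADMIN_PERMSET = 'Partner_Portal_Admin';
    // Hypothetical attribute name exposed to the connected app
    private static final String ATTR_NAME = 'partner_admin';

    global override Map<String, String> customAttributes(Id userId, Map<String, String> formulaDefinedAttributes) {
        // Work on a copy so the caller's map is never mutated in place.
        Map<String, String> attrs = formulaDefinedAttributes == null
            ? new Map<String, String>()
            : new Map<String, String>(formulaDefinedAttributes);

        // A formula-defined attribute with the same name wins; do not clobber it.
        if (attrs.containsKey(ATTR_NAME)) {
            return attrs;
        }

        // Bind variables keep both filters parameterized.
        Integer assignments = [
            SELECT COUNT()
            FROM PermissionSetAssignment
            WHERE AssigneeId = :userId
              AND PermissionSet.Name = :PARTNER_ADMIN_PERMSET
        ];
        // Expose a coarse yes/no, not the user's full permission-set inventory.
        attrs.put(ATTR_NAME, assignments > 0 ? 'true' : 'false');
        return attrs;
    }
}
```

The relying app receives only the one boolean-valued attribute, so a compromised client learns nothing about the user's other assignments.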

refresh(userId, connectedAppId)

Salesforce calls this method during a refresh token exchange.

Signature

public Void refresh(Id userId, Id connectedAppId)

Parameters

userId
Type: Id
The 15-character ID for the user getting the refresh token.
connectedAppId
Type: Id
The 15-character ID for the connected app.

Return Value

Type: Void