Update Salesforce Provisioning Applications to Support PKCE
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

Okta strives to deliver the most secure integrations for our customers. To this end, Okta is introducing a stronger, more resilient way to manage Salesforce lifecycle provisioning by natively supporting the Proof Key for Code Exchange (PKCE) extension. This change aligns with Salesforce’s platform-wide mandate requiring all Independent Software Vendor (ISV) applications to enable PKCE for connected apps, effectively eliminating the risk of Authorization Code Interception attacks.

 

This article applies only to customers who use the Okta Salesforce integration for User Provisioning via the REST API (OAuth). If you only use Okta for Salesforce Single Sign-On (SAML) and do not use Okta to provision or update user profiles, no action is required.

Applies To
  • Okta Salesforce integration for User Provisioning via the REST API (OAuth)
Solution

Please note that additional work is needed, and Okta has NOT YET updated the Salesforce integration connector to fully support the PKCE handshake. Customers do not need to start migrating their existing Salesforce provisioning applications until this update is complete. We will update this article at a later date when this is available.
