If your Salesforce OAuth flow suddenly stopped working, you’ll probably see one of these two errors:
URL Error
This appears in the browser address bar during OAuth redirect:
error=invalid_client&error_description=app+must+be+installed+into+org
This is the real clue. Salesforce is blocking authorization because the Connected App isn’t installed or approved.
Screen Error
On the UI, Salesforce shows a generic version of the same failure:
OAuth Error
We can't authorize you because of an OAuth error. For more information,
contact your Salesforce administrator.
OAUTH_APPROVAL_ERROR_GENERIC: An unexpected error has occurred during authentication. Please try again.
This message is useless, but the URL tells the truth.
What changed
Salesforce is enforcing stricter control over Connected Apps.
If a Connected App is not installed in the org, Salesforce blocks users from authorizing it unless they have a specific permission.
The platform now checks:
- Is the Connected App installed in this org?
- If not, does the user have Approve Uninstalled Connected Apps?
If both answers are “no”, OAuth stops with the invalid_client error.
This enforcement has already started landing in orgs.
Why this affects integrations
A lot of integrations rely on a Connected App defined in a “source org” or packaging org.
When a customer tries to authorize it, Salesforce treats it as uninstalled. Before these changes, the user could still approve it. Now they can’t.
How to fix it
Two options:
1. Install the Connected App
Important detail:
The app only appears in “Connected Apps OAuth Usage” after someone tries to authorize it at least once.
Before that first attempt, it won’t show up at all.
Once it appears:
Setup → Connected Apps OAuth Usage → locate the app → click Install.
After installation, users can authorize as usual.
2. Grant permission
Assign Approve Uninstalled Connected Apps to the user performing the OAuth authorization.
This works, but it shouldn’t be your preferred long-term fix.
Recommended approach
For customer-facing products or ISV packages:
- Package your Connected App inside your managed package.
- During onboarding, tell admins to install the Connected App immediately after the first authorization attempt.
- Avoid relying on “user approves uninstalled app”. Salesforce is clearly tightening that pathway.
- Document the permission-based workaround only as a fallback.
Key takeaway for ISVs
If your product uses Salesforce OAuth, treat your Connected App as an actual component that must be installed and controlled by admins. Don’t assume self-authorization will remain supported.
Make installation a mandatory step. It reduces support noise and aligns with Salesforce’s new security model.
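To cut that support noise, the URL a customer copies from the address bar can be triaged automatically. The helper below is an added example, not code from the original post: it recognizes the error pair quoted above and maps it to the two fixes this page describes. The function names are hypothetical, and the sample URL (host and path) is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Error pair quoted on this page (after URL decoding).
BLOCKED_ERROR = "invalid_client"
BLOCKED_DESCRIPTION = "app must be installed into org"

# Fixed guidance text, taken from the two fixes described on this page.
REMEDIATION = {
    "uninstalled_connected_app": (
        "Admin: Setup > Connected Apps OAuth Usage > locate the app > Install. "
        "Fallback: assign Approve Uninstalled Connected Apps to the authorizing user."
    ),
    "other_oauth_error": "Different OAuth failure; not the uninstalled-app block.",
    "no_oauth_error": "No OAuth error parameters found in this URL.",
}

def parse_oauth_error(url):
    """Return (error, error_description) from the URL's query or fragment."""
    parts = urlsplit(url)
    for raw in (parts.query, parts.fragment):
        params = parse_qs(raw)  # decodes '+' and %XX escapes
        if "error" in params:
            return params["error"][0], params.get("error_description", [""])[0]
    return None, None

def triage(url):
    """Classify a pasted URL; returns a fixed label, never echoes query text."""
    error, description = parse_oauth_error(url)
    if error is None:
        return "no_oauth_error"
    if error == BLOCKED_ERROR and description.strip().lower() == BLOCKED_DESCRIPTION:
        return "uninstalled_connected_app"
    return "other_oauth_error"

if __name__ == "__main__":
    # Constructed sample: placeholder host and path, error values from this page.
    sample = ("https://example.invalid/oauth-error"
              "?error=invalid_client&error_description=app+must+be+installed+into+org")
    label = triage(sample)
    print(label, "->", REMEDIATION[label])
```

Because `triage` returns one of three fixed labels, the guidance shown to the customer never reflects text taken from the pasted URL.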
