Exam Integration-Architect Topic 1 Question 112 Discussion
Actual exam question for Salesforce's Integration-Architect exam
Question #: 112
Topic #: 1
Northern Trail Outfitters is creating a distributable Salesforce package. The package needs to call into a Custom Apex REST endpoint in the central org. The security team wants to ensure a specific integration account is used in the central org that they will authorize after installation. Which item should an architect recommend?
Suggested Answer: B
For a distributable package to securely access a central "Hub" org, the architecture must support the OAuth 2.0 Web Server Flow. This flow is designed for applications (like the package installed in a "Spoke" org) that can securely store a Client Secret and need to act on behalf of a specific user.
The Connected App in the central org acts as the "Identity and Access" gatekeeper. A critical component of the Connected App configuration is the Callback URL (Redirect URI). When a user in the "Subscriber" org clicks "Authorize," Salesforce redirects them to the central org to log in. After successful authentication, the central org needs to know where to send the "Authorization Code" back to.
In a multi-org packaging scenario, each subscriber org will have a unique instance URL (e.g., na15.salesforce.com). The architect must ensure that the Connected App's callback URLs are correctly configured to handle these redirects.
Option C (Encrypted Passwords) is a major security risk and is considered an "anti-pattern" in modern integration. Option A is unnecessary, as API access is a standard feature. By using the Connected App with correct Callback URLs, the architect allows the security team in the central org to oversee exactly which "Spoke" orgs have authorized access. They can use the "Connected Apps OAuth Usage" page to monitor, rotate secrets, or revoke access for individual orgs, providing the granular security control required for an enterprise-grade distributed Salesforce architecture.
by Frank at Jun 30, 2026, 02:10 AM