API Access Control is blocking OrgCheck

[Sebastian270918]

Hello,
I researched a little bit on our issue mentioned in the title and this is my result:
"When API Access Control is enabled, Salesforce blocks REST API usage for sessions that are not explicitly authorized through an approved (allowlisted) connected app.
Org Check does not support OAuth or Connected App authorization mechanisms.
In summary, Org Check is incompatible with orgs where API Access Control is enforced due to its reliance on non-API-authorized sessions. "

First thing: Am I correct in my assertions?
Second thing: Is there a workaround possible you can offer from your side?

I am very happy to receive any feedback on this and thank you in advance for your efforts.

Br,
Sebastian

[Sebastian270918]

One thing first. I am aware that Salesforce offers the option ‘Use any API client’, but this feature will soon be deprecated.

[RubenHalman]

Hi @Sebastian270918 ,
I’ve actually run into the same issue myself, specifically in newer Salesforce orgs. From what I’ve observed, this does seem to be tied to the underlying Visualforce page pattern being used for authentication. With API Access Control enabled, Salesforce becomes much stricter about session authorization, and Visualforce-based flows that rely on non–OAuth-authorized sessions appear to get blocked.

On the other hand, If I install the package(Unlocked) via the CLI in new scratch orgs, there seems to be no issue

[Sebastian270918]

Hi @RubenHalman , thank you for your feedback. Do you know if your workaround with new scratch orgs is also working in a productive system?

[RubenHalman]

Hi @Sebastian270918, I don’t think this workaround will work in a production system. That said, I believe @VinceFINET is already working on an update to fully address this issue, so enabling Use any API client would likely be the only workaround for now.

[VinceFINET]

Hello you two! ^^

So yeah as of now this is the only workaround.
We need to put in place an alternative (like the other tools have already be doing).
And in that case i believe the only proper solution is to make the app work with a connected app / external client app.

[Sebastian270918]

Hi @VinceFINET ,
First of all, thank you very much for your feedback. I am really pleasantly surprised and can only emphasise that you get a faster and probably even more accurate answer here than from Salesforce Support.
And I agree, without a connected app, you won't get anywhere with Salesforce in the future.
So all we can do is wait patiently until a solution is found, and I think it will be difficult to say when that will be, even approximately, right?

[VinceFINET]

right!

[RubenHalman]

Maybe it is worth talking with @alecdorner and his plans around this package: https://github.com/alecdorner/2gp-auth