All types of OAuth 2.0 flows, except for the SAML Assertion flow, require that you define a connected app.
A connected app integrates an application with Salesforce using APIs. Connected apps use standard SAML and OAuth protocols to authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs.
The developer creates the connected app and defines the API integration, providing OAuth metadata about the app, such as:
- Basic descriptive and contact information for the connected app
- The OAuth scopes and callback URL for the connected app
The admin defines policies for the app, including:
- Optional IP ranges where the connected app can run
- Optional information about mobile policies that the connected app can enforce
The connected app wizard walks you through the steps to create a connected app. To configure OAuth settings, select Enable OAuth Settings to open the API section and supply the required metadata, including the callback URL.
The callback URL is an endpoint in your application to which Salesforce can redirect the user's browser with an authentication code or access token. To protect the token, the only hostname allowed with an HTTP callback URL is localhost. Other hosts must use HTTPS. Alternatively, you can specify a URI with a custom URI scheme. This approach is often used in a User-Agent flow to pass control back to a native application.
If you're using the JWT Bearer Token or SAML Bearer Assertion flows, select Use Digital Signatures and upload a signing certificate.
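A pre-flight check that applies the callback URL rules described above to candidate URLs before they are entered in the connected app. This is an added example, not Salesforce code or Salesforce's own validation logic; the function name, the sample URLs, and the small list of blocked schemes are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption of this example, not stated on the page: schemes that a browser
# executes or resolves locally are never accepted as "custom" URI schemes.
BLOCKED_SCHEMES = {"javascript", "data", "file", "vbscript"}


def check_callback_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a candidate callback URL."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError as exc:  # e.g. an unterminated IPv6 literal
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "no scheme"
    if scheme == "https":
        return (True, "https") if host else (False, "https URL without a host")
    if scheme == "http":
        # Compare the parsed hostname exactly. Userinfo tricks
        # (localhost@other-host) and look-alike domains
        # (localhost.example.com) parse to a different host and fail here.
        if host == "localhost":
            return True, "http on localhost"
        return False, f"http is only allowed for localhost, got {host!r}"
    if scheme in BLOCKED_SCHEMES:
        return False, f"scheme {scheme!r} is blocked"
    return True, f"custom URI scheme {scheme!r}"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in (
        "https://app.example.com/oauth/callback",
        "http://localhost:8080/oauth/callback",
        "http://app.example.com/oauth/callback",
        "http://localhost.example.com/oauth/callback",
        "http://localhost@app.example.com/oauth/callback",
        "myapp://oauth/done",
    ):
        allowed, reason = check_callback_url(candidate)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {candidate}  ({reason})")
```

The check follows the page's wording strictly, so an HTTP URL on 127.0.0.1 is denied because only the hostname localhost is named as allowed.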
After you save the connected app definition, you are provided an OAuth client ID key and client secret for the connected app.