There are two ways to authenticate via Canvas: OAuth and a Signed Request. My recommendation is to try using Signed Request. If your Canvas app is configured to use it under Connected Apps, the Salesforce Platform will POST the encoded authentication information to your application whenever it appears within a Canvas iframe. So instead of the multi-step OAuth flow, there’s really only one step here: decode the POST information for the signed request. Fortunately for me, Ryan Brainard had already added this functionality to the source of the excellent Workbench application – so I just needed to port it to a generic example.
I start the PHP application by turning on error decoding:
Then I grab the Signed Request out of POST, decode it, and check its authenticity by encoding it against the consumer secret:
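One way to write the check described above, as an added example that is not the article's or Workbench's own code. It assumes the signed request has the form `signature.envelope`, where the signature is the Base64-encoded HMAC-SHA256 of the encoded envelope keyed with the consumer secret; the function name, secret and envelope values are constructed for illustration.

```php
<?php
// Added example, not the article's code. The function name, secret and
// envelope values below are constructed for illustration.
function verify_signed_request(string $signedRequest, string $consumerSecret): array
{
    // Wire format: base64(HMAC-SHA256(envelope, secret)) "." base64(JSON envelope)
    $parts = explode('.', $signedRequest, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        throw new InvalidArgumentException('Malformed signed request');
    }
    [$encodedSig, $encodedEnvelope] = $parts;

    // Sign the still-encoded envelope exactly as received; decode only after it verifies.
    $expected = base64_encode(hash_hmac('sha256', $encodedEnvelope, $consumerSecret, true));

    // hash_equals() is constant-time, so the comparison does not leak how many
    // leading characters of a forged signature were correct.
    if (!hash_equals($expected, $encodedSig)) {
        throw new RuntimeException('Signature mismatch: request not signed with this consumer secret');
    }

    $json = base64_decode($encodedEnvelope, true);
    $envelope = ($json === false) ? null : json_decode($json, true);
    if (!is_array($envelope)) {
        throw new RuntimeException('Envelope is not valid base64-encoded JSON');
    }
    return $envelope;
}

// Constructed sample. In the Canvas app the input would come from the POST body
// and the secret from server-side configuration, never from source control.
$secret   = 'constructed-consumer-secret';
$envelope = base64_encode(json_encode([
    'client' => ['oauthToken' => 'constructed-token',
                 'instanceUrl' => 'https://example.my.salesforce.com'],
]));
$signed = base64_encode(hash_hmac('sha256', $envelope, $secret, true)) . '.' . $envelope;

$ok = verify_signed_request($signed, $secret);
echo "verified, instanceUrl = {$ok['client']['instanceUrl']}\n";

// Swapping in a different envelope while keeping the old signature must fail.
$forged = explode('.', $signed)[0] . '.' . base64_encode('{"client":{"oauthToken":"x"}}');
try {
    verify_signed_request($forged, $secret);
    echo "forged request accepted (bug)\n";
} catch (RuntimeException $e) {
    echo "forged request rejected: {$e->getMessage()}\n";
}
```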
Note that we only need to output the Signed Request from PHP – everything else is handled on the client. Since we’ve got access to all the information needed to access the REST API, though, we could also use PHP itself to perform the callout. Here’s an example of sending a REST query via a PHP library called Httpful, which is an excellent wrapper around curl:
And now, for either method, we’ll get an application like this in Canvas:
Remember that, as of Spring ’13, you can include Canvas apps within your Visualforce pages. Hopefully this will be a leg up for PHP developers looking to integrate screens within Salesforce itself. If you want to read more on Canvas in general, head over to the main Canvas wiki page, or check out the recent webinar. If you would like to look at the full code for the PHP pages here, I’ve got the project up on Github. That project also includes links to install the Canvas apps into your instance.
As usual, if you’ve got questions or comments – tack them onto the boxes below, or catch me on twitter @joshbirk.