Signed Request Authentication
This is the default authorization method for canvas apps. In the first and subsequent requests to the canvas app, Salesforce performs a POST with all the authorization information contained in the body of the signed request. This information can be verified with the client secret and used to customize the app and to make subsequent calls to Salesforce.
When you use a signed request to authenticate a canvas app, the app is accessible to users as soon as the administrator installs it in the organization and configures which users can see it. Therefore, the user won’t see a popup window to allow the app through OAuth.
The signed request is a string of the following elements concatenated:
- The canvas app consumer secret encrypted with the HMAC SHA-256 algorithm
- A period (“.”)
- The context and authorization token JSON encoded in Base64
Signed request considerations:
- Salesforce performs an HTTP POST when invoking the canvas app URL.
- The access token and context information are included in the signed request, so there’s no need for multiple requests.
- Server-side code is needed to verify and decode the request.
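The server-side verify-and-decode step, as an added example that is not Salesforce's own code. It assumes the part before the period is the Base64-encoded HMAC SHA-256 of the still-encoded payload, keyed with the consumer secret; the function names, the secret and the sample context are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


class InvalidSignedRequest(Exception):
    """Raised when a signed request is malformed or fails verification."""


def verify_signed_request(signed_request: str, consumer_secret: str) -> dict:
    """Check the signature part, then decode and return the context JSON."""
    # Split on the first period only: <signature>.<Base64 payload>
    sig_b64, sep, payload_b64 = signed_request.partition(".")
    if not sep or not sig_b64 or not payload_b64:
        raise InvalidSignedRequest("expected <signature>.<payload>")
    # Assumption: signature = Base64(HMAC-SHA256(key=secret, msg=payload_b64)),
    # computed over the payload exactly as received, before any decoding.
    expected = hmac.new(
        consumer_secret.encode(), payload_b64.encode(), hashlib.sha256
    ).digest()
    try:
        received = base64.b64decode(sig_b64, validate=True)
    except ValueError as exc:
        raise InvalidSignedRequest("signature is not valid Base64") from exc
    # Constant-time comparison; the payload is not parsed until this passes.
    if not hmac.compare_digest(expected, received):
        raise InvalidSignedRequest("signature mismatch")
    try:
        return json.loads(base64.b64decode(payload_b64, validate=True))
    except ValueError as exc:
        raise InvalidSignedRequest("payload is not Base64-encoded JSON") from exc


def make_sample(consumer_secret: str, context: dict) -> str:
    """Build a constructed signed request for testing (not a real Salesforce POST)."""
    payload_b64 = base64.b64encode(json.dumps(context).encode()).decode()
    sig = hmac.new(consumer_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return base64.b64encode(sig).decode() + "." + payload_b64


if __name__ == "__main__":
    secret = "constructed-consumer-secret"  # constructed value
    sample = make_sample(secret, {"client": {"oauthToken": "CONSTRUCTED"}})
    print(verify_signed_request(sample, secret))
```

Keep the consumer secret on the server only, and reject the request outright when verification fails rather than falling back to the unverified payload.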