Verifying and Decoding a Signed Request

When using a signed request, Salesforce delivers the user context and authentication information to your canvas app URL. To ensure that the signed request is valid, you must verify that the signed request was signed using your specific canvas app consumer secret. If the correct consumer secret was used, then you can trust the context; otherwise, you can assume that the request was not initiated by Salesforce. To verify and decode the signed request, your application should:
  1. Receive the POST message that contains the initial signed request from Salesforce.
  2. Split the signed request on the first period. The result is two strings: the hashed Base64 context signed with the consumer secret, and the Base64 encoded context itself.
  3. Use the HMAC SHA-256 algorithm to hash the Base64 encoded context and sign it using your consumer secret.
  4. Base64 encode the string created in the previous step.
  5. Compare the Base64 encoded string with the hashed Base64 context signed with the consumer secret you received in step 2.

If the two values are the same, then you know that the signed request was signed using your consumer secret and can be trusted. From there, you can Base64 decode the encoded context and parse out any values you need. For more information on those values, see CanvasRequest. If the two strings are different, then the request was not hashed and signed using your consumer secret, and you should return the appropriate message to the user.

Functions for Verifying and Decoding

To verify the signed request, you can call one of the following functions found in the Force.com Canvas SDK (in SalesforceCanvasFrameworkSDK\src\main\java\canvas\SignedRequest.java):
  • verifyAndDecode—Returns a verified and decoded version of the signed request as a Java object.
  • verifyAndDecodeAsJson—Returns a verified and decoded version of the signed request as a JSON-formatted string.

The following code example shows you how to verify and decode a signed request using the functions in the SDK. This code splits the signed request string at the period to parse out the signed secret and the Base64 JSON string. It then hashes the Base64 JSON string with the HMAC SHA-256 algorithm, using the canvas app consumer secret as the key, and compares the resulting value with the signed value sent to you by Salesforce.

If the two values are the same, you know that the context is valid and came from Salesforce. If the two values are different, then the request didn’t come from Salesforce.
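The five verification steps listed above, and the check the SDK description just summarized, written out as an added Python example (not the SDK's Java code and not part of the original page). It assumes the signed request arrives as the string `signature.payload` described in step 2; the consumer secret, context values and `build_signed_request` helper are constructed here only to produce test input, and the comparison uses a constant-time check rather than a plain string equality.

```python
import base64
import hashlib
import hmac
import json


def _signature_for(payload_b64: str, consumer_secret: str) -> str:
    """Steps 3 and 4: HMAC-SHA256 the Base64 context, keyed with the
    consumer secret, then Base64 encode the raw digest."""
    mac = hmac.new(consumer_secret.encode("utf-8"),
                   payload_b64.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(signed_request: str, consumer_secret: str) -> bool:
    """Steps 2 and 5: split on the first period (Base64 never contains a
    period, so this is unambiguous) and compare the two signatures."""
    signature, sep, payload_b64 = signed_request.partition(".")
    if not sep or not signature or not payload_b64:
        return False
    expected = _signature_for(payload_b64, consumer_secret)
    # Constant-time comparison: a plain == returns early on the first
    # mismatching character and leaks how much of the signature was right.
    return hmac.compare_digest(expected.encode("ascii"),
                               signature.encode("utf-8"))


def verify_and_decode(signed_request: str, consumer_secret: str) -> dict:
    """Return the decoded context only after the signature checks out;
    raise otherwise so callers cannot use an unverified context by mistake."""
    if not verify_signature(signed_request, consumer_secret):
        raise ValueError("signed request was not signed with this consumer secret")
    payload_b64 = signed_request.split(".", 1)[1]
    return json.loads(base64.b64decode(payload_b64))


def build_signed_request(context: dict, consumer_secret: str) -> str:
    """Hypothetical stand-in for the Salesforce POST: produces a request in
    the same signature.payload form. Used here only to construct test input."""
    payload_b64 = base64.b64encode(json.dumps(context).encode("utf-8")).decode("ascii")
    return _signature_for(payload_b64, consumer_secret) + "." + payload_b64


# Constructed sample values; not real Salesforce data.
SAMPLE_SECRET = "constructed-consumer-secret"
SAMPLE_CONTEXT = {"algorithm": "HMACSHA256",
                  "context": {"user": {"userName": "alice@example.com"}}}

if __name__ == "__main__":
    sr = build_signed_request(SAMPLE_CONTEXT, SAMPLE_SECRET)
    print(verify_and_decode(sr, SAMPLE_SECRET)["context"]["user"]["userName"])
    print(verify_signature(sr, "some-other-secret"))
```

A request whose payload was altered after signing, or one signed with a different secret, fails the check before any of its context is decoded.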

Calling the verifyAndDecode Function

The following code shows an example of getting the signed request, and then verifying and decoding the request by using the verifyAndDecode function.

Calling the verifyAndDecodeAsJson Function

The following code shows an example of getting the signed request, verifying and decoding the request by using the verifyAndDecodeAsJson function, and parsing the returned JSON result.