Verifying and Decoding a Signed Request
- Receive the POST message that contains the initial signed request from Salesforce.
- Split the signed request on the first period. The result is two strings: the Base64-encoded HMAC-SHA256 signature of the context, computed with your consumer secret, and the Base64-encoded context itself.
- Compute an HMAC-SHA256 over the Base64-encoded context string (the string as received, not the decoded JSON), using your consumer secret as the key.
- Base64 encode the HMAC value created in the previous step.
- Compare the Base64-encoded string with the signature you received in step 2. Use a constant-time comparison so that the comparison itself cannot leak how much of the signature matched.
If the two values are the same, then you know that the signed request was signed using your consumer secret and can be trusted. Only then should you Base64 decode the encoded context and parse out any values you need. For more information on those values, see CanvasRequest. If the two strings are different, then the request was not signed using your consumer secret: reject it without decoding or acting on the context, and return an appropriate error message to the user.
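The procedure above, carried through end to end as an added example. This is not the Canvas SDK's own code (the SDK is Java; its verifyAndDecode and verifyAndDecodeAsJson functions are described below) but a stand-alone Python re-implementation of the same steps, so that the check can be run offline. The consumer secret, the sample context and the build_signed_request helper that stands in for Salesforce's side of the exchange are all constructed for this example; a real canvas app receives the signed request in the POST body from Salesforce and never builds one itself.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


class SignedRequestError(ValueError):
    """Raised when the signed request is malformed or was not signed with our consumer secret."""


def _hmac_sha256(consumer_secret: str, encoded_context: str) -> bytes:
    # Step 3: the MAC is computed over the Base64 *string* of the context,
    # keyed with the consumer secret. Hashing the decoded JSON instead is a
    # common mistake and never verifies.
    return hmac.new(consumer_secret.encode("utf-8"),
                    encoded_context.encode("utf-8"),
                    hashlib.sha256).digest()


def build_signed_request(context: Dict[str, Any], consumer_secret: str) -> str:
    """Constructed stand-in for what Salesforce POSTs to the canvas app, so the
    example runs offline. Wire format: Base64(HMAC) '.' Base64(JSON context)."""
    encoded_context = base64.b64encode(
        json.dumps(context, separators=(",", ":")).encode("utf-8")).decode("ascii")
    signature = base64.b64encode(_hmac_sha256(consumer_secret, encoded_context)).decode("ascii")
    return signature + "." + encoded_context


def verify_and_decode(signed_request: str, consumer_secret: str) -> Dict[str, Any]:
    """Steps 2-5 of the procedure; returns the parsed context only if the signature verifies."""
    # Step 2: split on the first period only.
    signature_b64, _, encoded_context = signed_request.partition(".")
    if not signature_b64 or not encoded_context:
        raise SignedRequestError("expected '<signature>.<context>'")
    # Steps 3 and 4: recompute the MAC over the encoded context and Base64 encode it.
    expected_b64 = base64.b64encode(_hmac_sha256(consumer_secret, encoded_context))
    # Step 5: compare with what was sent, in constant time so an early-exit
    # string compare cannot leak how many leading bytes of the signature were right.
    if not hmac.compare_digest(expected_b64, signature_b64.encode("utf-8")):
        raise SignedRequestError("signature mismatch: not signed with this consumer secret")
    # Only after a successful verification is the context decoded and parsed.
    try:
        context = json.loads(base64.b64decode(encoded_context, validate=True))
    except ValueError as exc:  # binascii.Error (bad Base64) is a ValueError subclass
        raise SignedRequestError(f"context is not valid Base64-encoded JSON: {exc}") from exc
    if not isinstance(context, dict):
        raise SignedRequestError("context must be a JSON object")
    return context


def verify_and_decode_as_json(signed_request: str, consumer_secret: str) -> str:
    """Same check as verify_and_decode, returning the context as a JSON string."""
    return json.dumps(verify_and_decode(signed_request, consumer_secret), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values; a real secret comes from the connected app's settings.
    secret = "example-consumer-secret"
    sample_context = {"client": {"instanceUrl": "https://example.my.salesforce.com"},
                      "context": {"user": {"userName": "user@example.com"}}}
    signed = build_signed_request(sample_context, secret)

    print("valid:", verify_and_decode_as_json(signed, secret))
    for label, request, key in (
        ("wrong secret", signed, "another-secret"),
        ("tampered context", signed.rsplit("=", 1)[0] + "A", secret),
        ("no separator", signed.replace(".", ""), secret),
    ):
        try:
            verify_and_decode(request, key)
            print(label, "-> unexpectedly accepted")
        except SignedRequestError as err:
            print(f"{label} -> rejected: {err}")
```

The comparison is done on the Base64 strings exactly as the procedure states, but through hmac.compare_digest rather than `==`; the decode of the context happens strictly after that check, so a forged or altered request is rejected before any of its contents are parsed.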
Functions for Verifying and Decoding
- verifyAndDecode—Returns a verified and decoded version of the signed request as a Java object.
- verifyAndDecodeAsJson—Returns a verified and decoded version of the signed request as a JSON-formatted string.
The following code example shows you how to verify and decode a signed request using the functions in the SDK. Internally, the SDK splits the signed request string at the period to separate the signature from the Base64-encoded JSON context, computes an HMAC-SHA256 over that Base64-encoded context using the canvas app's consumer secret as the key, and compares the result with the signature sent to you by Salesforce.
If the two values are the same, you know that the context is authentic and came from Salesforce. If the two values are different, then the request didn't come from Salesforce, or was altered in transit, and must be rejected.
Calling the verifyAndDecode Function
The following code shows an example of getting the signed request, and then verifying and decoding the request by using the verifyAndDecode function.
Calling the verifyAndDecodeAsJson Function
The following code shows an example of getting the signed request, verifying and decoding the request by using the verifyAndDecodeAsJson function, and parsing the returned JSON result.