OAuth Authentication

Force.com Canvas supports OAuth 2.0 for authorization. When using OAuth, you have two options:
  • Web Server OAuth Authentication Flow—When users run your canvas app, they can authorize the app to access their data. This requires each user to allow the canvas app to access their information. For more information, see Understanding the Web Server OAuth Authentication Flow in the Force.com REST API Developer Guide.
  • User-Agent OAuth Authentication Flow—When users run your canvas app, they can authorize the app to access their data by using just the browser for authentication. Like Web Server OAuth authentication, this option requires each user to allow the canvas app to access their information.

    It’s recommended that you use this authorization method during development and not in production because no refresh token is supplied. With this type of authorization, no server-side code is needed, and there’s no need to expose development machines to the Internet. However, in a production environment, the lack of a refresh token is inconvenient, because users are prompted to approve or deny the app every time the OAuth flow occurs. For more information, see Understanding the User-Agent OAuth Authentication Flow in the Force.com REST API Developer Guide.

Regardless of which OAuth flow you implement, the canvas app must provide code for initiating the standards-based OAuth flow. OAuth considerations include:
  • Salesforce performs an HTTP GET when invoking the canvas app URL.
  • With user agent OAuth, all authorization can be performed in the browser (no server-side code is needed).

For more information about OAuth and the Force.com platform, see https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com.

If you have an existing connected app that uses OAuth authentication and you want to expose that app as a canvas app, you have two options. First, you can edit the existing app (create a new version) and add the canvas app information to it. This means your app can continue to use the same client ID and consumer secret. The second option is to create a new canvas app. If you do this, you’ll get a new client ID and consumer secret, and you’ll need to update your app with that information.