OAuth Authentication
- Web Server OAuth Authentication Flow—When users run your canvas app, they can authorize the app to access their data. This requires each user to allow the canvas app to access their information. For more information, see Understanding the Web Server OAuth Authentication Flow in the Force.com REST API Developer Guide.
- User-Agent OAuth Authentication Flow—When users run your canvas app, they can authorize the app to access their data by using just the browser for authentication. Like Web Server OAuth authentication, this option requires each user to allow the canvas app to access their information.
It’s recommended that you use this authorization method during development and not in production. It suits development because no server-side code is needed and there’s no need to expose development machines to the Internet. For more information, see Understanding the User-Agent OAuth Authentication Flow in the Force.com REST API Developer Guide.
- Salesforce performs an HTTP GET when invoking the canvas app URL.
- With user agent OAuth, all authorization can be performed in the browser (no server-side code is needed).
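The browser-only handling that the user-agent flow implies, shown as an added example (not code from the Salesforce guide): it builds the authorization request and validates the fragment returned to the callback page. The client ID, redirect URI, and sample values are placeholders, and the function names are hypothetical.

```javascript
// Added example: browser-side handling of the user-agent OAuth flow.
const AUTHORIZE_ENDPOINT = "https://login.salesforce.com/services/oauth2/authorize";

// Constructed sample of the fragment appended to the callback URL.
const SAMPLE_FRAGMENT =
  "#access_token=CONSTRUCTED_TOKEN&instance_url=https%3A%2F%2Fexample.my.salesforce.com&state=s1";

// Build the URL the browser is sent to. `state` is a per-request random value
// that the app stores (for example in sessionStorage) and checks on return.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("response_type", "token"); // selects the user-agent flow
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Parse the fragment received on the redirect back to the app.
// Returns { accessToken, instanceUrl } or throws on error or state mismatch.
function parseCallbackFragment(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: response does not belong to this request");
  }
  const accessToken = params.get("access_token");
  const instanceUrl = params.get("instance_url");
  if (!accessToken || !instanceUrl) {
    throw new Error("callback is missing access_token or instance_url");
  }
  // The token is later sent to this origin as a bearer token, so require https.
  if (new URL(instanceUrl).protocol !== "https:") {
    throw new Error("instance_url is not https");
  }
  return { accessToken, instanceUrl };
}

// In a browser, call after parsing so the token does not stay in the address
// bar or history. Guarded so the block also loads outside a browser.
function scrubFragment() {
  if (typeof window !== "undefined" && window.history) {
    window.history.replaceState(null, "", window.location.pathname + window.location.search);
  }
}
```

Because the access token arrives in the URL fragment and is handled entirely by page script, it is visible to any script running on the callback page.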
For more information about OAuth and the Force.com platform, see https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com.
If you have an existing connected app that uses OAuth authentication and you want to expose that app as a canvas app, you have two options. First, you can edit the existing app (create a new version) and add the canvas app information to it. This means your app can continue to use the same client ID and consumer secret. The second option is to create a new canvas app. If you do this, you’ll get a new client ID and consumer secret, and you’ll need to update your app with that information.