OAuth Authorization
Canvas supports OAuth 2.0 for authorization.
When using OAuth with Canvas, you have two options:
- Web server flow—To integrate a canvas app with the Salesforce API, use the OAuth 2.0 web server flow, which implements the OAuth 2.0 authorization code grant type. With this flow, the server hosting the web app must be able to protect the connected app’s identity, defined by the client ID and client secret. For more information, see https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_server_flow.htm in Salesforce Help.
- User-agent flow—With the OAuth 2.0 user-agent flow, users authorize a canvas app to access data using an external or embedded browser. This flow uses the OAuth 2.0 implicit grant type. For more information, see OAuth 2.0 User-Agent Flow for Desktop or Mobile App Integration in Salesforce Help.
Regardless of which OAuth flow you implement, the canvas app must provide code for initiating the standards-based OAuth flow. OAuth considerations include:
- Salesforce performs an HTTP GET when invoking the canvas app URL.
- With the user-agent flow, all authorization can be performed in the browser (no server-side code is needed).
For more information about OAuth, see Authorize Apps with OAuth in Salesforce Help.
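As an added example that is not part of the original page, the server-side half of the web server flow described above: the handler for Salesforce's HTTP GET of the canvas app URL, which redirects to the Salesforce authorization endpoint, and the callback handler that checks the state value before building the code-for-token exchange, so the client secret is only ever sent server to server. The client ID, secret, redirect URI and the sample callback are placeholders.

```python
# Added example (not Salesforce's own code): server side of the OAuth 2.0
# web server flow for a canvas app. Endpoint paths and parameter names are
# the standard Salesforce ones; CLIENT_ID, CLIENT_SECRET and REDIRECT_URI
# are constructed placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
CLIENT_ID = "PLACEHOLDER_CONSUMER_KEY"         # connected app consumer key
CLIENT_SECRET = "PLACEHOLDER_CONSUMER_SECRET"  # stays on the server only
REDIRECT_URI = "https://canvas.example.test/oauth/callback"  # placeholder


def begin_auth(session: dict) -> str:
    """Handle Salesforce's HTTP GET of the canvas app URL: mint a
    per-session state value and return the authorization redirect URL.
    Only the client ID goes to the browser, never the secret."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "api refresh_token",
        "state": session["oauth_state"],
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def token_request(session: dict, callback_url: str) -> dict:
    """Handle the redirect back from Salesforce. Refuse the callback
    unless its state matches the one issued to this session (single use),
    then return the form body for the server-to-server POST to TOKEN_URL,
    the only request in which the client secret is sent."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    sent = qs.get("state", [""])[0]
    if not expected or not hmac.compare_digest(sent, expected):
        raise PermissionError("state mismatch: callback not bound to session")
    if "code" not in qs:
        raise PermissionError("authorization code missing from callback")
    return {
        "grant_type": "authorization_code",
        "code": qs["code"][0],
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }
```

The returned dictionary is what a real handler would POST to TOKEN_URL; a state mismatch or a replayed callback raises before any exchange is attempted.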
Existing Connected Apps and OAuth
If you have an existing connected app that uses OAuth authorization and you want to expose that app as a canvas app, you have two options.
- Edit the existing app (create a new version) and add the canvas app information to it. Your app can continue to use the same client ID and secret.
- Create a new canvas app, which is given a new client ID and client secret. Make sure to update your app with the new client ID and secret.