This content describes an older version of this product.

OAuth 2.0 Authorization

Canvas supports the OAuth 2.0 web server flow and the OAuth 2.0 user-agent flow.

Important: If your Canvas app URL contains a URL fragment identifier (#), then the hash mark (#) and all characters that follow are stripped from the URL during the authentication flow. To prevent unexpected behavior, avoid using hash marks (#) in a Canvas app URL.

When using OAuth with Canvas, you have two options.

Regardless of which OAuth flow you implement, the Canvas app must provide code for initiating the standards-based OAuth flow. OAuth considerations include:

  • Salesforce performs an HTTP GET when invoking the Canvas app URL.
  • With the user agent flow, all authorization is performed in the browser, and no server-side code is needed.

For more information about OAuth, see Authorize Apps with OAuth in Salesforce Help.
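The following JavaScript is an added example, not Salesforce code or part of the original page. It shows the browser-side pieces of the user-agent flow: rejecting a URL that contains a hash mark, building the authorization request, and accepting the returned token only when the `state` value matches. The `login.salesforce.com` authorize endpoint, the function names, and the sample values are assumptions.

```javascript
// Added example: names are hypothetical, sample values are constructed.
const AUTHORIZE = "https://login.salesforce.com/services/oauth2/authorize";

// "#" and everything after it is stripped from a Canvas app URL during the
// authentication flow, so reject such URLs when the app is configured.
function assertNoFragment(url) {
  new URL(url); // throws on a malformed URL
  if (url.includes("#")) throw new Error("URL must not contain '#': " + url);
  return url;
}

// Hex-encode random bytes for the OAuth "state" value that binds the
// response to this browser session.
function newState(bytes = globalThis.crypto.getRandomValues(new Uint8Array(16))) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// User-agent flow request: response_type=token, built entirely client-side.
function buildAuthorizeUrl({ clientId, redirectUri, state }) {
  const u = new URL(AUTHORIZE);
  u.search = new URLSearchParams({
    response_type: "token",
    client_id: clientId,
    redirect_uri: assertNoFragment(redirectUri),
    state,
  }).toString();
  return u.href;
}

// The token comes back in the callback URL fragment; accept it only when
// the returned state equals the one stored before redirecting.
function parseCallback(callbackUrl, expectedState) {
  const p = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  if (p.get("error")) throw new Error("authorization failed: " + p.get("error"));
  if (!expectedState || p.get("state") !== expectedState) {
    throw new Error("state mismatch, discarding response");
  }
  const accessToken = p.get("access_token");
  if (!accessToken) throw new Error("no access_token in response");
  return { accessToken, instanceUrl: p.get("instance_url") };
}
```

In a browser, store the value from `newState()` in `sessionStorage` before redirecting and pass it to `parseCallback` as `expectedState` on return.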

Existing Connected Apps and OAuth

If you have an existing connected app that uses OAuth authorization and you want to expose that app as a Canvas app, you have two options.

  • Edit the existing app, and add the Canvas app information to it. Your app can continue to use the same client ID and secret.
  • Create a new Canvas app, which gets a new client ID and consumer secret. Make sure to update your app with the new client ID and secret.