Salesforce Canvas and Spring Boot

The challenge

Salesforce canvas offers a capable integration point between Salesforce and external applications to surface them inside the Salesforce UI. One of the aspects is establishing identiy. There are two options: OAuth and a signed request. I’m looking at the later. A signed request posts (as in HTTP POST) a digitally signed JSON request to the external application.

When all you need is a single page, validating the request and returning the result is all that needs to be done. It becomes trickier when you want to navigate in the application and when that application runs in the cloud with multiple load balanced instances, so you might end up on a different instance mid-flight.

The approach

Build a Spring Boot application that provides an authentication endpoint suitable for a Canvas POST and other endpoints that only allow authenticated access. The security will be provided by Json Web Tokens a.k.a JWT or RFC 7519.

As added challenge: The application will require standard link and form based navigation, so we can’t rely on AJAX to provide additional “stuff” into the requests from/to the server. And yes - needs to be able to run on Heroku on multiple instances (Dynos in Heroku language) without the sticky session feature switched on.

Environment variables to be set

• JWT_SECRET - the token used to encrypt the JWT. Ideally randomized on each restart, but needs to be the same in a dyno
• SFDC_SECRET - The client token shared with the Canvas definition in Salesforce
• ADMIN_NAME - login name of admin user. For use outside Canvas
• ADMIN_PASSWORD - Bcrypt encrypted password for admin. Generate using URL below

(and a few others - discover for yourself)

Application endpoints

• / The homepage - access unauthenticated
• /login - admin login
• /hw - Hello world page. Throws a 403 if not authenticated
• /sfdcauth/[target] target URL for canvas integration. Post your signed request here. Replace [target] with the endpoint you want to reach e.g. /sfdcauth/hw to reach /hw after authentication
• /password?password=[somepwd] generate encrypted admin password for use in environment parameter (manual transfer)

  Resources

No man is an island, and without the tubes we are lost. Here is what I used:

• Heroku
• GitHub - get the sample project there
• Spring Boot
• Spring Initializr - even with the @EnableWebMvc causing initial grief
• Spring Boot and Mustache - I’m a big fan of Mustache since it works everywhere
• Auth0 on Spring and JWT - the blog post that showed the moving pieces
• Stackoverflow (how do you code?)