Salesforce canvas offers a capable integration point between Salesforce and external applications to surface them inside the Salesforce UI. One of the aspects is establishing identiy. There are two options: OAuth and a signed request. I’m looking at the later. A signed request posts (as in HTTP POST) a digitally signed JSON request to the external application.
When all you need is a single page, validating the request and returning the result is all that needs to be done. It becomes trickier when you want to navigate in the application and when that application runs in the cloud with multiple load balanced instances, so you might end up on a different instance mid-flight.
Build a Spring Boot application that provides an authentication endpoint suitable for a Canvas POST and other endpoints that only allow authenticated access. The security will be provided by Json Web Tokens a.k.a JWT or RFC 7519.
As added challenge: The application will require standard link and form based navigation, so we can’t rely on AJAX to provide additional “stuff” into the requests from/to the server. And yes - needs to be able to run on Heroku on multiple instances (Dynos in Heroku language) without the sticky session feature switched on.
JWT_SECRET- the token used to encrypt the JWT. Ideally randomized on each restart, but needs to be the same in a dyno
SFDC_SECRET- The client token shared with the Canvas definition in Salesforce
ADMIN_NAME- login name of admin user. For use outside Canvas
ADMIN_PASSWORD- Bcrypt encrypted password for admin. Generate using URL below
(and a few others - discover for yourself)
/The homepage - access unauthenticated
/login- admin login
/hw- Hello world page. Throws a 403 if not authenticated
/sfdcauth/[target]target URL for canvas integration. Post your signed request here. Replace
[target]with the endpoint you want to reach e.g.
/password?password=[somepwd]generate encrypted admin password for use in environment parameter (manual transfer)
No man is an island, and without the tubes we are lost. Here is what I used:
@EnableWebMvccausing initial grief