kevinohara80 / nforce

nforce is a node.js salesforce REST API wrapper for force.com, database.com, and salesforce.com
MIT License
474 stars 167 forks

Authenticate() using token returned from Salesforce Canvas app #27

Closed ghost closed 11 years ago

ghost commented 11 years ago

Hey Kevin, I've been unsuccessful using the authenticate() method when passing in the oauth token returned from a Salesforce Canvas app. Should nforce be able to use the signed_request.client.oauthToken value instead of passing username/password to the authenticate() method? Thanks for all the great work on nforce, just started using it with node and it rocks. Thanks

kevinohara80 commented 11 years ago

Thanks for the kind words!

You don't need to call authenticate() once you have the signed request since you are already authenticated in the signed request. All you need to do at this point is grab the client data and manually construct your oauth object that you'd normally pass into nforce requests.

The weird thing is that when you get a signed request, your token is called oauthToken versus access_token which is what the REST API returns. nforce uses the latter so you just need to re-create your oauth object using the access_token property name. Don't forget to grab the instanceUrl as well. Same thing here, the signed request returns instanceUrl where the REST API (and nforce) expect instance_url.

See this gist for an example express.js middleware for parsing the signed request and re-constructing the oauth object for use with nforce.

https://gist.github.com/kevinohara80/5310554

P.S. I'm going to either make this a part of nforce, or create another module in the near future for handling the signed request parsing/verification.
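Added example, not part of the thread and not the gist's or nforce's own code: one way to verify a Canvas signed request before trusting its `client.oauthToken`, then rename the fields as described above. It assumes the signed request is a base64 HMAC-SHA256 signature, a dot, and a base64 JSON envelope, keyed with the connected app's consumer secret; the function names and sample values are hypothetical.

```javascript
const crypto = require('crypto');

// Verify "<base64 signature>.<base64 JSON envelope>" and return an
// nforce-style oauth object. Throws on any failure.
function oauthFromSignedRequest(signedRequest, consumerSecret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) {
    throw new Error('malformed signed request');
  }
  const [encodedSig, encodedEnvelope] = parts;

  // The HMAC covers the still-encoded envelope, not the decoded JSON.
  const expected = crypto.createHmac('sha256', consumerSecret)
    .update(encodedEnvelope).digest();
  const supplied = Buffer.from(encodedSig, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (supplied.length !== expected.length ||
      !crypto.timingSafeEqual(supplied, expected)) {
    throw new Error('signed request signature mismatch');
  }

  // Parse only after the signature check has passed.
  const envelope = JSON.parse(
    Buffer.from(encodedEnvelope, 'base64').toString('utf8'));
  const client = envelope.client || {};
  if (!client.oauthToken || !client.instanceUrl) {
    throw new Error('signed request lacks client.oauthToken/instanceUrl');
  }
  // Canvas uses oauthToken/instanceUrl; nforce expects these names.
  return { access_token: client.oauthToken, instance_url: client.instanceUrl };
}

// Constructed sample input (not real credentials), signed the same way.
function makeSampleSignedRequest(consumerSecret) {
  const envelope = Buffer.from(JSON.stringify({
    client: { oauthToken: 'SAMPLE_TOKEN',
              instanceUrl: 'https://example.my.salesforce.com' }
  })).toString('base64');
  const sig = crypto.createHmac('sha256', consumerSecret)
    .update(envelope).digest('base64');
  return sig + '.' + envelope;
}

const sample = makeSampleSignedRequest('sample-consumer-secret');
console.log(oauthFromSignedRequest(sample, 'sample-consumer-secret'));
```

In an Express handler the returned object would be assigned to `req.oauth`, with a thrown error mapped to a 401 response.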

ghost commented 11 years ago

Thanks Kevin, exactly what I needed. I was leaving the instance_url out when setting the req.oauth (though your implementation is much cleaner and well coded). Thanks again.

go-fish-wxy commented 3 years ago

> Thanks for the kind words!
>
> You don't need to call authenticate() once you have the signed request since you are already authenticated in the signed request. All you need to do at this point is grab the client data and manually construct your oauth object that you'd normally pass into nforce requests.
>
> The weird thing is that when you get a signed request, your token is called oauthToken versus access_token which is what the REST API returns. nforce uses the latter so you just need to re-create your oauth object using the access_token property name. Don't forget to grab the instanceUrl as well. Same thing here, the signed request returns instanceUrl where the REST API (and nforce) expect instance_url.
>
> See this gist for an example express.js middleware for parsing the signed request and re-constructing the oauth object for use with nforce.
>
> https://gist.github.com/kevinohara80/5310554
>
> P.S. I'm going to either make this a part of nforce, or create another module in the near future for handling the signed request parsing/verification.

Awesome! Just came across the same confusion.