These are my notes on Canvas Apps made while studying for the Integration Architect certification exam.
Canvas is a mechanism for consuming applications in Salesforce. It connects applications at both the API and user interface level. It is a connected app, but not all connected apps are canvas apps. Canvas Apps use HTTPS POST (with signed requests initiated by Salesforce) and HTTPS GET (with OAuth 2.0 initiated by the App connected to the Canvas App).
Canvas Apps only use one domain and the external application needs to be modified to push a response to Salesforce.
Canvas enables you to easily integrate a third-party application in Salesforce. The Canvas framework includes an SDK that you can use to authenticate your app and retrieve data. An SDK is a Software Development Kit. The Canvas SDK can be hosted on Salesforce or on another server.
Canvas is a set of tools and JavaScript APIs that you can use to expose an application as a canvas app. This means you can take your new or existing applications and make them available to your users as part of their Salesforce experience.
The Canvas SDK can help with authentication by a signed request or by OAuth 2.0. The default canvas app authentication method is a signed request. This contains the consumer key, access token and other contextual information provided by the app. The authorisation flow for the signed request varies according to whether an administrator needs to give users access to the canvas app or whether users can self-authorise and therefore approve themselves in the OAuth flow. The Web Server flow is the usual OAuth authorisation flow. It is possible to use the User Agent flow, but this is far less secure and not encouraged.
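The signed request described above is only as trustworthy as the check the canvas app performs on it, so here is an added example (not code from these notes or from the Salesforce SDK) of the server-side validation an app should run before trusting any context in the request. It assumes a constructed consumer secret and envelope, that the signature is HMAC-SHA256 over the base64 envelope string keyed with the consumer secret, and that a caller passing `now` uses the same time unit as the envelope's issuedAt.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed consumer secret for this example only; a real one comes from the connected app definition.
CONSUMER_SECRET = "example-consumer-secret-0123456789"

# Constructed envelope carrying the fields a canvas app usually reads from the context.
SAMPLE_ENVELOPE = {
    "algorithm": "HMACSHA256",
    "issuedAt": 1700000000,
    "userId": "005000000000001AAA",
    "client": {"oauthToken": "constructed-token", "instanceUrl": "https://example.my.salesforce.com"},
    "context": {"user": {"userName": "user@example.com"}, "organization": {"organizationId": "00D000000000001EAA"}},
}

def verify_signed_request(signed_request, consumer_secret, now=None, max_age=300):
    """Validate "<base64 signature>.<base64 JSON envelope>" and return the decoded envelope.
    Signature = HMAC-SHA256 over the base64 envelope string, keyed with the consumer secret.
    Raises ValueError for a malformed, forged, tampered or stale request."""
    parts = signed_request.split(".", 1)
    if len(parts) != 2:
        raise ValueError("malformed signed request: expected signature.envelope")
    encoded_sig, encoded_envelope = parts
    try:
        given_sig = base64.b64decode(encoded_sig, validate=True)
        raw_envelope = base64.b64decode(encoded_envelope, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 in signed request: %s" % exc)
    expected_sig = hmac.new(consumer_secret.encode(), encoded_envelope.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected_sig, given_sig):
        raise ValueError("signature mismatch: not signed with this app's consumer secret")
    envelope = json.loads(raw_envelope)
    if envelope.get("algorithm") != "HMACSHA256":
        raise ValueError("unexpected algorithm in envelope")
    # Replay guard: issuedAt and `now` are assumed to be in the same time unit.
    if now is not None and now - int(envelope.get("issuedAt", 0)) > max_age:
        raise ValueError("signed request is stale")
    return envelope


def make_signed_request(envelope, consumer_secret):
    """Build a signed request the way Salesforce does; used here only to construct sample input."""
    encoded_envelope = base64.b64encode(json.dumps(envelope).encode()).decode()
    sig = hmac.new(consumer_secret.encode(), encoded_envelope.encode(), hashlib.sha256).digest()
    return base64.b64encode(sig).decode() + "." + encoded_envelope
```

A request that fails any of these checks should be rejected before the app reads the OAuth token or user context from the envelope.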
With OAuth 2.0, the canvas app uses the protocol to authorise and obtain access tokens. OAuth tokens are permissions given to a client application (the canvas app). These tokens are validated by the resource server and allow the canvas app access to the defined protected resources.
Regardless of whether a signed request or an OAuth flow is used with a canvas app, you can also use SAML-based single sign-on. Salesforce can be either the identity provider or the service provider with SAML. However, the Identity Provider Initiated SAML method is not supported for canvas apps on Lightning Platform sites.
Canvas app authentication is server initiated and controlled by profile and permission settings. The session lasts only as long as the user is logged into the Salesforce user interface (unless an alternative login mechanism outside Salesforce is in play). Note that this differs from connected apps, whose session lifespan can be indefinite until revoked by a user or an administrator.
As well as authentication, the Canvas SDK library of tools provides context (about the application, user and organisation, etc.), resizing (to adjust the canvas app iframe, either with auto grow or explicitly with a set height and width) and events between canvas apps, providing they are on the same page (a Chatter canvas app cannot subscribe to events published by a Visualforce page canvas app).
There is also a Canvas Lifecycle Handler (an Apex class) which can control the context data, such as what gets retrieved and from where.
Canvas App Example
An example of a Canvas App is Dataloader.io. Dataloader.io is powered by Anypoint Platform (Mulesoft). There are two ways to use Dataloader.io. You can log into it separately from Salesforce to export, import and delete data in your org (after agreeing to share your Salesforce login credentials). Or, you can install it as a connected app.
Once set up as a Connected App, an administrator can control access. In the example above, you can see that the Permitted users may self-authorise. This means any user in this Salesforce Org could use Dataloader.io. I would recommend that an administrator alters this to Admin Approved users are pre-authorised.
Canvas Use Cases
Here are some scenarios where Canvas is used:
- A customer who has built a Cloud App to integrate with Salesforce.
- A third-party app needs to appear native to Salesforce in a Visualforce page.
- A mass email application that has no context outside Salesforce.
- A data cleansing tool which runs inside Salesforce on Salesforce data.