I am developing a canvas application. For various reasons, I am hosting my application on a static host and using services as the back-end. Therefore I am simply using OAuth Webflow (GET) instead of Signed Request (POST), specified at "Build > Create > Apps > Edit > Canvas App Settings > Access Method". My app redirects to request a code, the page redirects back to my app with the code, and I go to my back-end service to retrieve the access token using the code and secret.
Everything is working great for authentication. However, it turns out Salesforce does not support CORS and I am unable to directly call the REST API just by providing the bearer token. I don't want to create my own proxy server as this is against what I am trying to do in the first place.
I found out about the Canvas JavaScript SDK, which handles the cross-origin issues (probably using proxies and window.postMessage). Once authentication is complete, I am loading the hosted canvas-all.js file dynamically. However, I am unable to find a way to provide the access token and instance URL to the SDK. Unfortunately, all examples assume the Signed Request approach. I am starting to think that I am on mission impossible.
There is also the AJAX Proxy, but I guess that is limited to Visualforce pages; I might be totally wrong.
In general, is there a way to make REST API calls without hosting a proxy script?
Best Answer
Sorry for the delay in answering.
You can do this today with the SDK. There are examples in the SDK on how to use the OAuth method. Essentially, you use canvas to establish the OAuth authentication, and then use the SDK and the OAuth token to get the context portion of the signed request. With that, you can then make the cross domain calls, just as you would with signed request.
An example would be:
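The flow this answer describes, sketched as an added example (not the answerer's or the SDK's own code): the SDK performs the OAuth login, its client object is used to fetch the context, and the REST call then goes through the SDK's cross-domain `ajax`. `queryViaCanvas`, `CLIENT_ID` and `REDIRECT_URI` are hypothetical names and placeholders, and the context payload is assumed to carry the same `links` map as a signed request.

```javascript
// Added illustration, not SDK code. `sfdc` is the global `Sfdc` object defined by
// canvas-all.js, passed in so the flow can be exercised with a stub.
// Placeholders: use the connected app's consumer key and registered callback URL.
const CLIENT_ID = "<connected-app-consumer-key>";
const REDIRECT_URI = "https://app.example.com/callback.html";

// Hypothetical helper: runs a SOQL query through the Canvas cross-domain proxy.
function queryViaCanvas(sfdc, soql, done) {
  const oauth = sfdc.canvas.oauth;
  if (!oauth.loggedin()) {
    // User-agent flow: no client secret is needed in the static page.
    oauth.login({
      uri: oauth.loginUrl(),
      params: {
        response_type: "token",
        client_id: CLIENT_ID,
        redirect_uri: encodeURIComponent(REDIRECT_URI),
      },
    });
    return "login-started";
  }
  const client = oauth.client(); // carries the OAuth token the SDK obtained
  sfdc.canvas.client.ctx(function (msg) {
    if (msg.status !== 200) {
      return done(new Error("context request failed: " + msg.status));
    }
    // Assumption: the payload exposes the same `links` map as a signed request context.
    const url = msg.payload.links.queryUrl + "?q=" + encodeURIComponent(soql);
    sfdc.canvas.client.ajax(url, {
      client: client,
      method: "GET",
      success: function (res) {
        if (res.status !== 200) {
          return done(new Error("query failed: " + res.status));
        }
        done(null, res.payload);
      },
    });
  }, client);
  return "request-sent";
}
```

Checking `msg.status` and `res.status` before touching the payload keeps an expired or revoked token from being treated as an empty result.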