[SalesForce] Canvas App started sending GET instead of POST

I have a canvas app that is set up to use the signed request (POST) access method, and when I test the app via either the tab that it creates or the canvas app previewer it sends my webserver a POST with the signed request as expected.

I have this app in a managed package and have been sending install links to other developers on the project for quite a while now and everything has been working fine, but I recently made a minor change to the package and sent out a new install link, and now other people that install the app are sending GET requests to the webserver instead of POSTs.

The GETs look like:

?_sfdc_canvas_auth=user_approval_required&loginUrl=https%3A%2F%2Flogin.salesforce.com%2F

which, I assume, is for the OAuth web flow (GET) access method, which I have not set my connected app to use and my webserver is not set up to handle.

My first thought was that maybe the change I had made to the app caused this issue, but I asked them to install an old version of the managed package and they are still having this issue even with the old version that definitely used to work and sent POSTs correctly.

Any idea what has happened to my app?

Best Answer

See Signed Request Authentication.

Has either of the following happened:

  • a change was made to the Permitted Users field from "Admin approved users are pre-authorized" to "All users may self-authorize", or
  • when using "All users may self-authorize", the access token was revoked by the administrator or a time limit was set on the token?

From the docs under Permitted User Value "All users may self-authorize":

If the user has previously approved the app and the access hasn’t been revoked or expired, Salesforce performs a POST to the canvas app with a signed request payload.

If the user hasn’t approved the app, or if the access has been revoked or expired, Salesforce performs a GET to the canvas app URL. The canvas app must handle the GET by accepting the call and looking for the URL parameter _sfdc_canvas_auth value. If the canvas app receives this parameter value, the canvas app should initiate the approve or deny OAuth flow.
_sfdc_canvas_auth = user_approval_required
After the OAuth flow is initiated and the user approves the app, the canvas app should call the repost() method with a parameter of true to retrieve the signed request.
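The answer describes two entry points the canvas app's web server has to handle: a POST carrying a signed request, and a GET carrying `_sfdc_canvas_auth=user_approval_required`. The following is an added example, not code from the question, the answer or Salesforce, showing a stdlib-only Python handler that verifies the signed request's HMAC-SHA256 signature against the connected app's consumer secret before trusting anything in it, and routes the GET case to the OAuth approval step instead of failing. The consumer secret, the envelope contents and the helper that builds a signed request are constructed for the example; Salesforce itself produces the signed request in practice.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed secret for this example only. The real value is the connected
# app's Consumer Secret and must never leave the server.
EXAMPLE_CONSUMER_SECRET = "example-consumer-secret-not-real"


def build_signed_request(envelope: dict, consumer_secret: str) -> str:
    """Builds '<base64 signature>.<base64 envelope JSON>' the way the signed
    request format is laid out, so the handler can be exercised offline.
    Test helper only; Salesforce generates the real signed request."""
    encoded_envelope = base64.b64encode(
        json.dumps(envelope).encode("utf-8")).decode("ascii")
    signature = hmac.new(consumer_secret.encode("utf-8"),
                         encoded_envelope.encode("utf-8"),
                         hashlib.sha256).digest()
    return base64.b64encode(signature).decode("ascii") + "." + encoded_envelope


def verify_signed_request(signed_request: str, consumer_secret: str):
    """Returns the decoded envelope if the HMAC-SHA256 over the base64
    envelope matches the supplied signature, otherwise None. The envelope is
    only parsed after the signature check, and the comparison is
    constant-time."""
    try:
        encoded_signature, encoded_envelope = signed_request.split(".", 1)
        provided = base64.b64decode(encoded_signature)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(consumer_secret.encode("utf-8"),
                        encoded_envelope.encode("utf-8"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        return json.loads(base64.b64decode(encoded_envelope))
    except (ValueError, TypeError):
        return None


def form_body(signed_request: str) -> str:
    """URL-encodes the POST body exactly as a browser form would."""
    return urlencode({"signed_request": signed_request})


def handle_canvas_request(method: str, query_string: str, body: str,
                          consumer_secret: str) -> dict:
    """Dispatches one inbound request from Salesforce.

    POST with a valid signed_request  -> render using the verified context
    GET  with _sfdc_canvas_auth param -> start the approve/deny OAuth flow,
                                         then call repost(true) client-side
    anything else                     -> reject
    """
    if method == "POST":
        signed = parse_qs(body).get("signed_request", [None])[0]
        envelope = verify_signed_request(signed, consumer_secret) if signed else None
        if envelope is None:
            return {"action": "reject", "reason": "missing or invalid signed_request"}
        user_id = envelope.get("context", {}).get("user", {}).get("userId")
        return {"action": "render", "user_id": user_id}
    if method == "GET":
        params = parse_qs(query_string.lstrip("?"))
        if params.get("_sfdc_canvas_auth", [None])[0] == "user_approval_required":
            return {"action": "start_oauth",
                    "login_url": params.get("loginUrl", [None])[0]}
        return {"action": "reject", "reason": "unexpected GET"}
    return {"action": "reject", "reason": "unsupported method"}


if __name__ == "__main__":
    # Constructed envelope; real ones carry client, context and user fields.
    sample = build_signed_request(
        {"context": {"user": {"userId": "005EXAMPLEUSER"}}}, EXAMPLE_CONSUMER_SECRET)
    print(handle_canvas_request("POST", "", form_body(sample), EXAMPLE_CONSUMER_SECRET))
    print(handle_canvas_request(
        "GET", "?_sfdc_canvas_auth=user_approval_required&loginUrl=https%3A%2F%2Flogin.salesforce.com%2F",
        "", EXAMPLE_CONSUMER_SECRET))
```

The GET branch is what was missing in the question's server: once the permitted-user setting or token state makes Salesforce fall back to the self-authorize path, the app has to answer that GET by starting the OAuth flow and then have the client call repost(true) to obtain the POSTed signed request. The POST branch never uses the envelope until the signature has checked out with the consumer secret, since the payload arrives via the user's browser.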
