[SalesForce] How to integrate external web app

After reading Force.com Canvas Developer's Guide, I don't think I have figured out a good way to integrate an external web app inside salesforce.com. Following are questions that I am not sure about. Any advice would be much appreciated.

The ideal solution for me is I can create a web tab inside salesforce.com and attach a Canvas app there. For the first time, the user needs to authorize the web app and then the web app could figure out what to show based on the requested context using the access token. The server side of the web app could save access token for later use so the user doesn't need to authorize the web app every time he tries to access the new tab added.

Init Authentication Flow:
Using OAuth, it seems there is no way to show the salesforce authentication dialog on the same page, as the authentication page sets x-frame-options to DENY. So I have to use a popup window to present the authentication dialog.
Once the user clicks the button, salesforce will redirect the page to my callback address and I need to get the token from the URL hash in that callback page. Once I get the hash, I have to manually send it back to my app's redirect page using the Canvas API childWindowUnloadNotification so that the redirect page can send the token to the server side and then close the popup window automatically.

At this moment, I could redirect the user to the main page of the web app. But how could I make this page secure (I don't want to ask the user to log in to this external web app again using some other username and password)? I need to get a unique identifier for the user and associate this ID with the access token I have saved on the server side. Should I query the user's email as the ID and send it together with the token to the server side? And I need to save the user's email in a cookie so that next time the user tries to access the same tab, I can figure out whether this user has a valid access token on the server and authorize access to the main page of the external web app directly.

I am not sure whether I missed anything, so the implementation in my mind looks a little bit complicated. Anyone who has experience with similar projects, please help. Thanks in advance!

Regards,

Sheng

Update
Maybe people won't see the last comment from @sfdcfox directly on the screen. I should have mentioned the web application I am going to integrate is pure client-side rendering at the very beginning. Using the web server auth flow is the way I have implemented so far and everything works well.
In order to easily get my application session integrated, I have created a custom field named application_user_name inside the User entity, and my application is going to query that field and create a corresponding session for the Salesforce user. Now I can store the refresh token on the server and ask for an access token again when needed. The application has been seamlessly integrated. Thanks for all the comments and answers!

Best Answer

Canvas apps are sent an authentication token automatically after being authorized by the user; this all occurs on the salesforce.com servers, and your app isn't involved until it receives a valid authentication token.

You can query for the user ID if you need to store per-user data; the ID is guaranteed to be unique, while the email address may not be. The user won't have to authorize the application each time, since each time the tab is loaded a new token will be sent to the application server.

It would probably be worthwhile to visit Heroku and create a sample canvas app so you can get a feel for how it behaves. A single worker thread is free (750 dyno hours per month), so you can experiment with how canvas apps work before starting your own application development.

You are not provided with a refresh token using OAuth2 authentication, so it is recommended that you use a signed request model instead. You should take a look at the authentication section in the Canvas Framework Developer's Guide.
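The signed request model this answer recommends, as an added example that is not part of the original post or of Salesforce's own SDK: Canvas POSTs a `signed_request` field of the form `<base64 HMAC-SHA256>.<base64 JSON envelope>`, and the app server must verify the HMAC with the connected app's consumer secret before trusting the user ID (or the OAuth token) inside the envelope. The secret, token, IDs and envelope below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for illustration only; a real app uses the connected app's
# consumer secret and the POSTed `signed_request` form field from Salesforce.
SAMPLE_SECRET = "constructed-consumer-secret"
SAMPLE_ENVELOPE = {
    "algorithm": "HMAC-SHA256",
    "issuedAt": 1700000000,
    "userId": "005000000000000AAA",
    "client": {"oauthToken": "constructed-token", "instanceUrl": "https://example.my.salesforce.com"},
    "context": {"user": {"userId": "005000000000000AAA", "userName": "sheng@example.com"}},
}

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def _signature(consumer_secret: str, encoded_envelope: str) -> str:
    # Canvas signs the base64 envelope text itself, not the decoded JSON.
    mac = hmac.new(consumer_secret.encode(), encoded_envelope.encode(), hashlib.sha256)
    return _b64(mac.digest())

def sign_request(consumer_secret: str, envelope: dict) -> str:
    """Build a signed request in the Canvas format: "<base64 HMAC>.<base64 JSON envelope>"."""
    encoded = _b64(json.dumps(envelope, separators=(",", ":")).encode())
    return f"{_signature(consumer_secret, encoded)}.{encoded}"

def verify_signed_request(consumer_secret: str, signed_request: str) -> Optional[dict]:
    """Return the envelope only if the HMAC matches; None means trust nothing in it."""
    sig, sep, encoded = signed_request.partition(".")
    if not sep:
        return None
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(sig, _signature(consumer_secret, encoded)):
        return None
    try:
        envelope = json.loads(base64.b64decode(encoded))
    except (ValueError, json.JSONDecodeError):
        return None
    if envelope.get("algorithm") != "HMAC-SHA256":
        return None
    return envelope

def salesforce_user_id(envelope: dict) -> str:
    """The stable per-user key the answer recommends: the user ID, not the email."""
    return envelope["context"]["user"]["userId"]
```

Because every tab load delivers a freshly signed envelope, the verified user ID is the key to store server-side data under, and the email or a cookie is not needed to recognise the user.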
