
Verifying and Decoding a Signed Request

Guest
Jan 29, 2014

Hello all. We created an HTML5 ColdFusion-powered application that is serving as a canvas application within our Salesforce.com instance. According to the Salesforce.com instructions, I need to do the following with the signed request sent to the server, but I am having difficulty following how to do this:

1. Receive the POST message that contains the initial signed request from Salesforce.

2. Split the signed request on the first period. The result is two strings: the hashed Base64 context signed with the consumer secret and the Base64 encoded context itself.

3. Use the HMAC SHA-256 algorithm to hash the Base64 encoded context and sign it using your consumer secret.

4. Base64 encode the string created in the previous step.

5. Compare the Base64 encoded string with the hashed Base64 context signed with the consumer secret you received in step 2.

Of course, steps 1 & 2 are simple:

<cfset posx = find(".",FORM.SIGNED_REQUEST,1)>
<cfset encodedSig = left(FORM.SIGNED_REQUEST,posx-1)>
<cfset encodedEnv = mid(FORM.SIGNED_REQUEST,posx+1,len(FORM.SIGNED_REQUEST))>

However, I can't quite follow what is next. We are running on CF10 Enterprise, which is supposed to have the HMAC SHA-256 capabilities. Any help / guidance is greatly appreciated!


Community Beginner, Sep 08, 2014

Did you ever get this figured out? Trying to POC a CF Canvas APP myself.

Community Beginner, Sep 08, 2014 (marked as the correct answer)

BosDog, hopefully you figured this out.

I was able to adapt the code here to accomplish this. FBSignedRequestIsValid() requires HMAC_SHA256() found here.

Here is my POC code. I copied the functions from the two websites, renaming FBSignedRequestIsValid() to SignedRequestIsValid().

<cfset isRequest = structKeyExists(FORM,'SIGNED_REQUEST') />
<cfif isRequest>
    <cfset requestValid = false />
    <!--- Check the signature before touching the payload --->
    <cfset requestValid = SignedRequestIsValid(FORM.SIGNED_REQUEST,KEY) />
    <cfif requestValid>
        <!--- Decode the Base64 payload after the first period and parse it as JSON --->
        <cfset posx = find(".",FORM.SIGNED_REQUEST,1)>
        <cfset payload = deserializeJSON(tostring(toBinary(mid(FORM.SIGNED_REQUEST,posx+1,len(FORM.SIGNED_REQUEST))))) />
        <cfdump var="#payload#" expand="false" >
    </cfif>
</cfif>

<!--- functions here --->

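Steps 2 to 5 from the question, written against the hmac() function built into ColdFusion 10 instead of the copied UDFs. This is an added example, not code from either poster; the function name verifyCanvasSignedRequest, its variable names and the demo secret and payload are hypothetical, and the sample request is constructed in the block itself.

```cfml
<!--- Added example. Function and variable names are hypothetical. --->
<cffunction name="verifyCanvasSignedRequest" returntype="struct" output="false">
    <cfargument name="signedRequest" type="string" required="true">
    <cfargument name="consumerSecret" type="string" required="true">
    <cfset var result = { valid = false, context = {} }>
    <cfset var posx = find(".", arguments.signedRequest)>
    <!--- Step 2: split on the first period; reject input with an empty half --->
    <cfif posx LT 2 OR posx EQ len(arguments.signedRequest)>
        <cfreturn result>
    </cfif>
    <cfset var encodedSig = left(arguments.signedRequest, posx - 1)>
    <cfset var encodedEnv = mid(arguments.signedRequest, posx + 1, len(arguments.signedRequest))>
    <!--- Step 3: HMAC-SHA256 over the Base64 context string; hmac() returns hex --->
    <cfset var macHex = hmac(encodedEnv, arguments.consumerSecret, "HMACSHA256", "utf-8")>
    <!--- Step 4: hex string to raw bytes, then Base64 --->
    <cfset var expectedSig = binaryEncode(binaryDecode(macHex, "hex"), "base64")>
    <!--- Step 5: compare with MessageDigest.isEqual rather than EQ, so the
          comparison does not stop at the first differing byte --->
    <cfset var md = createObject("java", "java.security.MessageDigest")>
    <cfif md.isEqual(charsetDecode(expectedSig, "utf-8"), charsetDecode(encodedSig, "utf-8"))>
        <cfset result.valid = true>
        <!--- Parse the context only after the signature has been verified --->
        <cfset result.context = deserializeJSON(charsetEncode(binaryDecode(encodedEnv, "base64"), "utf-8"))>
    </cfif>
    <cfreturn result>
</cffunction>

<!--- Constructed sample: sign a made-up context, then verify it and a tampered copy --->
<cfset demoSecret = "constructed-demo-secret">
<cfset demoEnv = toBase64('{"userId":"constructed-user"}')>
<cfset demoSig = binaryEncode(binaryDecode(hmac(demoEnv, demoSecret, "HMACSHA256", "utf-8"), "hex"), "base64")>
<cfset good = verifyCanvasSignedRequest(demoSig & "." & demoEnv, demoSecret)>
<cfset bad = verifyCanvasSignedRequest(demoSig & "." & demoEnv & "x", demoSecret)>
<cfoutput>genuine: #good.valid#, tampered: #bad.valid#</cfoutput>
```

In the canvas app itself, pass FORM.SIGNED_REQUEST and the connected app's consumer secret, and use result.context only when result.valid is true.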