Embedded Apps

Embedded Apps can display their own UI in the admin interface under Extensions/Manage Apps/<App>.

To make an App an “Embedded App”, enter the URL that should be displayed under “Manage Apps” in the “Start URL” field of the API Credentials.

If a customer selects the App under “Manage Apps”, Flickrocket will load the URL in an iframe and pass UserID and CompanyID parameters to identify the User and Company. A typical URL looks like:

https://app.sample.com/dashboard?CompanyID=23128&UserID=2543&hmac=af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf

The app can then use this information to link the user to the OAuth authorization and display the corresponding information.

Validation

In addition to the CompanyID and UserID parameters, the URL contains an “hmac” parameter, which the app can use to check that the request comes from the Flickrocket admin interface.

To validate the request, concatenate the parameters, compute an HMAC-SHA256 value over them using the App's secret key, and check whether this signature matches the hmac passed to the app. Below is a short code sample using C#.

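using System;
using System.Collections.Specialized;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static bool IsAuthenticRequest(NameValueCollection QueryString, string SecretKey)
{
   // Reject requests that carry no signature at all.
   string received = QueryString["hmac"];
   if (string.IsNullOrEmpty(received)) return false;

   // Rebuild the signed string in the fixed order UserID, CompanyID.
   string sParams = "?UserID=" + QueryString["UserID"] + "&CompanyID=" + QueryString["CompanyID"];

   string result;
   using (HMACSHA256 hmacSha256 = new HMACSHA256(Encoding.UTF8.GetBytes(SecretKey)))
   {
      // The HMAC input is the Base64 encoding of the parameter string.
      byte[] message = Encoding.UTF8.GetBytes(Convert.ToBase64String(Encoding.UTF8.GetBytes(sParams)));
      // Lowercase hex, the same format as the hmac parameter.
      result = string.Concat(hmacSha256.ComputeHash(message).Select(b => b.ToString("x2")));
   }

   // Compare without an early exit so that timing does not reveal how many leading characters matched.
   int diff = result.Length ^ received.Length;
   for (int i = 0; i < result.Length && i < received.Length; i++) diff |= result[i] ^ received[i];
   return diff == 0;
}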
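
The same check in Python, as an added example (not Flickrocket's code) for apps that are not written in C#. It takes the full start URL, reproduces the signature construction of the C# sample above, and additionally rejects missing or repeated parameters; the secret, the URLs and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs


def expected_hmac(user_id: str, company_id: str, secret_key: str) -> str:
    """Signature as computed by the C# sample: HMAC-SHA256 over the Base64
    of "?UserID=..&CompanyID=..", rendered as lowercase hex."""
    params = f"?UserID={user_id}&CompanyID={company_id}"
    message = base64.b64encode(params.encode("utf-8"))
    return hmac.new(secret_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def is_authentic_request(url: str, secret_key: str) -> bool:
    """Return True only if the start URL carries a valid hmac parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = {}
    for name in ("UserID", "CompanyID", "hmac"):
        found = query.get(name, [])
        # Exactly one value each: a missing or repeated parameter is ambiguous
        # and is rejected instead of guessing which copy was signed.
        if len(found) != 1:
            return False
        values[name] = found[0]
    expected = expected_hmac(values["UserID"], values["CompanyID"], secret_key)
    # compare_digest runs in constant time, unlike == on strings.
    return hmac.compare_digest(expected.encode(), values["hmac"].encode())


# Constructed sample data (not real credentials).
SECRET = "constructed-test-secret"
GOOD_URL = (
    "https://app.sample.com/dashboard?CompanyID=23128&UserID=2543&hmac="
    + expected_hmac("2543", "23128", SECRET)
)
TAMPERED_URL = GOOD_URL.replace("CompanyID=23128", "CompanyID=99999")
DUPLICATE_URL = GOOD_URL + "&CompanyID=99999"
UNSIGNED_URL = "https://app.sample.com/dashboard?CompanyID=23128&UserID=2543"

if __name__ == "__main__":
    for label, url in [("good", GOOD_URL), ("tampered", TAMPERED_URL),
                       ("duplicate", DUPLICATE_URL), ("unsigned", UNSIGNED_URL)]:
        print(label, is_authentic_request(url, SECRET))
```

As in the C# sample, the signed string contains only UserID and CompanyID, so an unchanged URL verifies again every time it is presented.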