
IBM Connections application development state of the union - part 6

Part 5 was about extensions/apps on-premises and this - probably final - post will be about extensions for IBM Connections Cloud. There are different ways to extend IBM Connections Cloud - one is to add links to the app menu and another is to add actual UI extensions to the applications within IBM Connections. This post is about the latter (although the observations about the administration UI apply to both). To get it out of the way from the beginning I might as well say it flat out: IBM has really missed the mark here. The extensibility mechanism for IBM Connections in Cloud is close to unusable from my point of view. Let me explain...

Basically the extension mechanism for cloud is an iframe and you may only extend Communities, which is so wrong to begin with. As mentioned previously IBM Connections is a piece of social software that focuses on people, and not being able to extend Profiles is baffling to me. Using a clumsy UI in the administration portal you can upload a JSON file describing the extension, which in turn will make the extension show up in the main UI. The smallest file I could make work is 34 lines of JSON but basically I could do away with 3 lines. Almost all of the JSON I upload is simply cruft that seems to carry over from the on-premises widget container, and as I really cannot change it why should I specify it? In essence I can only change the following 3 parameters:

  • defId - seems to be an ID of the widget
  • url - the URL to set into the iframe
  • height - the height of the iframe

Part of the JSON I upload is the widget ID. I have to specify the ID of the widget (defId) but there is no check whether it's used. Using an already used ID is allowed but only one of the widgets with the same ID shows up, which is an issue as this is an obvious copy/paste error on the user's part. Also the widget is added to the community page using the defId as the title but shown in the administration UI using a "name" parameter from the JSON, which is pretty confusing. Part of the JSON I upload is also the actual iWidget that creates and builds the iframe. I can specify my own iWidget description and the only thing that makes it not work is the ajaxProxy rejecting it, making the UI fail when users load the community page. There is no upload-time check. Oftentimes an invalid JSON file only makes the UI do nothing - there is no response as to what might be wrong.


Once the JSON is uploaded I get an iframe of a static height with a URL set into it. The height is one thing that makes this extension mechanism hard to work with for production apps. Oftentimes the height of the content cannot be decided at deployment time but is only known at runtime, and unfortunately there is no way to change the iframe height at runtime. At least nothing which is obvious and/or documented. But now we have an iframe set to the URL specified in the application JSON. The iframe is sandboxed with the following policy: "allow-same-origin allow-scripts allow-popups allow-forms". This restricts the extension and basically it may only do the following:

  • Run JavaScript
  • Make xhr requests to the server it was loaded from (same origin)
  • Open a new window/tab in the browser

There is no way for the widget to even talk to IBM Connections itself - not even the IBM Connections API. The widget may basically show static or server-side generated HTML and run JavaScript. The JavaScript may make xhr requests to the server it was loaded from. That's it.

When the widget loads it may ask the surrounding page for a widget context by registering a message listener and posting a message to the parent page (parent.postMessage). The context looks like this:

{
   "source": {
      "resourceId": "ff7dd8b4-95d6-4fb4-f094-edb52e5d8eee",
      "resourceName": "Some Community Title",
      "resourceType": "community",
      "orgId": "12345678"
   },
   "user": {
      "userId": "87654321",
      "orgId": "12345678",
      "displayName": "John Doe",
      "email": "jdoe@example.com"
   },
   "extraContent": {
      "canContribute": "true",
      "canPersonalize": "true"
   }
}

From the context the widget can figure out who the user is and what community the user is in. The problem, however, is that the user information is unusable as there is no way my application server can trust this user information. As the context is not verifiable in any way there is no way for my server to trust the information it receives from the extension. The only way to convey user identity to my server is by using SAML and assuming that a SAML assertion dance is performed when the iframe content is loaded so the user has a session cookie relationship with my server. But this is doable - I now know the user identity based on the SAML dance.

Next thing is to make sure the user is actually a member of the community he/she is sending to my server - but oh - there is no way to decide this. My server side code cannot make requests on behalf of the user back to IBM Connections without the user having already performed an OAuth dance and authorized my application to IBM Connections. I could tell the user that we might not have tokens for him/her but it yields a crappy user experience. Plus any authorization granted expires from time to time (at least every 90 days). Also there are no organization-wide OAuth authorization capabilities in IBM Connections Cloud like is the case for Google or Microsoft, plus there is no super-user for IBM Connections, so we're pretty stuck here.

Now this is pretty bad and combining these things basically makes it impossible to create any kind of customer or ISV solution with a decent user experience. At least if the context is important and the content is not static.

So what do we do about it? Well IMHO the solution is pretty easy and simple which makes it even worse that IBM decided to ship this capability. Let me suggest the following points:

  • Administration UI
    Fix the administration UI including the widget JSON I have to upload. Only ask for the stuff that actually matters and infer the rest if not specified. If the uploaded file doesn't validate, tell me - maybe even provide a clue as to what's missing...
  • Make the context verifiable
    When I register a widget add an option to indicate that my server needs to verify the information in the context (the JSON blob above). If I check the box generate a set of asymmetric keys and provide me one of the keys. Now the JSON context could be signed with the IBM Connections part of the key making my server capable of verifying that the information indeed came from IBM Connections. And since it's asymmetric there is no way for my server to impersonate IBM Connections. Oh and this would make the information in the context trustable even if the customer is not using SAML.
  • Making calls back to IBM Connections possible
    When I register a widget add an option for me to indicate that my server needs to make calls back to IBM Connections on behalf of the user. For additional credits allow me to specify which parts of the IBM Connections API my server may use. In combination with the asymmetric key pair above this option would include an encrypted opaque token in the JSON context blob. This token could be used by my server to authenticate my server and the request back to IBM Connections. It could be a set of automatically generated OAuth tokens but doesn't need to be. This is a secure solution as we already have a key pair in place so the token could be encrypted using the IBM Connections part of the key pair so that the widget code in the browser cannot use it. Only the server with the matching key may decrypt the token and use it for the IBM Connections API.
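
A sketch of how the signed context and the sealed API token proposed in the last two points could work on both sides, as an added example that is not part of the original post and not an IBM Connections API. The `aud`, `exp` and `token` fields, the function names and the use of two key pairs (Ed25519 for signing, RSA-OAEP for sealing, since one pair cannot serve both directions) are assumptions.

```javascript
const crypto = require('crypto');

// Constructed keys. Assumption: two pairs, because signing and encryption run in
// opposite directions. The platform signs with its private key; the extension
// server alone holds the private key that opens the API token.
const platform = crypto.generateKeyPairSync('ed25519');
const extServer = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { oaepHash: 'sha256' };

// Platform side (hypothetical): bind the context to one widget, give it an
// expiry, seal the API token to the extension server, then sign the exact bytes.
function issueContext(context, defId, apiToken, ttlSeconds, now = Date.now()) {
  const sealed = crypto.publicEncrypt({ key: extServer.publicKey, ...OAEP }, Buffer.from(apiToken));
  const body = { ...context, aud: defId, exp: Math.floor(now / 1000) + ttlSeconds,
                 token: sealed.toString('base64') };
  const payload = Buffer.from(JSON.stringify(body));
  const sig = crypto.sign(null, payload, platform.privateKey);
  return payload.toString('base64') + '.' + sig.toString('base64');
}

// Extension server side: verify before parsing, then check audience and expiry.
// Returns { context, apiToken } or null; the browser only ever relays the blob.
function acceptContext(blob, defId, now = Date.now()) {
  try {
    const [p, s, extra] = String(blob).split('.');
    if (!p || !s || extra !== undefined) return null;
    const payload = Buffer.from(p, 'base64');
    if (!crypto.verify(null, payload, platform.publicKey, Buffer.from(s, 'base64'))) return null;
    const { token, ...context } = JSON.parse(payload.toString('utf8'));
    if (context.aud !== defId || !(context.exp * 1000 > now)) return null;
    const apiToken = crypto.privateDecrypt({ key: extServer.privateKey, ...OAEP },
                                           Buffer.from(token, 'base64')).toString();
    return { context, apiToken };
  } catch (err) {
    return null; // malformed input is treated exactly like a bad signature
  }
}

// Constructed sample, using the context fields shown in the post.
const sampleContext = {
  source: { resourceId: 'ff7dd8b4-95d6-4fb4-f094-edb52e5d8eee', resourceType: 'community', orgId: '12345678' },
  user: { userId: '87654321', orgId: '12345678', email: 'jdoe@example.com' },
};
const blob = issueContext(sampleContext, 'exampleWidget', 'constructed-opaque-token', 300);
console.log(acceptContext(blob, 'exampleWidget'));
```

The audience and expiry checks matter as much as the signature: without them a context captured in one widget or session could be replayed to another server or at a later time and would still verify.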

Now I'm no security expert but this should be secure and pretty easy to implement. With a single sweep it would make widgets in IBM Connections Cloud way more powerful than widgets on-premises and would make them much easier to develop. Only thing left then is making it possible to adjust the height at runtime but I'll let that slip for now as a basic oversight in the design of the extensibility mechanism and assume this capability will be available soon anyway.

</rant >

I have a small IBM Connections Cloud community app on GitHub if you would like to see a minimal example: IBM Connections Cloud Community App Example

Sep 14, 2016