Loading
Salesforce now sends email only from verified domains. Read More

How To Configure Connectors on OAuth Callback URL to work on CloudHub

Publish Date: Jul 25, 2025
Task

GOAL

Many connectors supports external APIs with OAuth, for example Box, Slack and etc, using a configuration like the following:
  
<box:config name="Box_Connector" clientId="123" clientSecret="123" doc:name="Box"  >
    <box:oauth-callback-config domain="localhost" localPort="8081" path="box_callback" remotePort="8082"/>
</box:config>
Please refer document for details. 

For the code snippet above for Box connector, we can see the callback URL configuration below:
  
<box:oauth-callback-config domain="localhost" localPort="8081" path="box_callback" remotePort="8082"/>

This means after OAuth authorization, Box will return the token with a callback URL of http://localhost:8082/box_callback.

This works locally, however, when running the application on Cloudhub, there are some restrictions on OAuth callback URL. This article explains how to make the application work on Cloudhub.
Steps

CloudHub exposed URL

CloudHub only exposes 2 ports to public: 8081 and 8082. Public CloudHub load balancer will redirect:
  • HTTP call to http://APPNAME.cloudhub.io to your application worker's http://IP:8081
  • HTTPS call to https://APPNAME.cloudhub.io to your application worker's https://IP:8082

oauth-call-back-config for HTTP

For the oauth-callback-config, if the service provider uses HTTP as callback URL, we can have: 
<box:oauth-callback-config domain="http://APPNAME.cloudhub.io" localPort="${http.port}" path="boxAuth" connector-ref="HTTP_Listener_Configuration" />
Note:
  • domain has to be your CloudHub application full URL
  • localPort needs to be your local exposed port, ${http.port} is for HTTP
  • path is the path of the callback URL, domain name + path needs to match what you set in the OAuth provider
  • connector-ref references the HTTP listener configuration that's already configured in your application

oauth-call-back-config for HTTPS

If the service provider only allows HTTPS, you will need to configure an HTTPS Listener
  
<http:listener-config name="HTTPS_Listener_Configuration" protocol="HTTPS" host="0.0.0.0" port="${https.port}" doc:name="HTTPS Listener Configuration""> 
  <tls:context> 
    <tls:trust-store /> 
    <tls:key-store type="jks" path="certificate.jks" alias="keyAlias" keyPassword="changeit" password="changeit"/> 
   </tls:context> 
</http:listener-config>

<box:config name="Box_Connector" clientId="123" clientSecret="123" doc:name="Box"  >
   <box:oauth-callback-config domain="https://APPNAME.cloudhub.io" localPort="${https.port}" path="boxAuth" connector-ref="HTTPS_Listener_Configuration" /> 
</box:config>

Callback flow

  1. The callback URL, in this case https://APPNAME.cloudhub.io/boxAuth, is returned to the browser.
  2. Browser forwards the call to the callback URL.
  3. The callback URL hits CloudHub load balancer using HTTPS(using Cloudhub's certificate)
  4. CloudHub load balancer forwards the call to your application worker using HTTPS(using your worker's certificate).
Note: CloudHub load balancer does NOT verify worker's certificate so self-signed certificate is fine for this particular use case.
Knowledge Article Number

001114821

 
Loading
Salesforce Help | Article