OAuth not working inside an iframe

I have built a Fiddle on JSFiddle which retrieves an OAuth access token via Foursquare's "token" response type. One or two days ago this was working fine. When "Login with Foursquare" was clicked Foursquare's authorization page appeared and I was able to get an access_token. Today I get an error that says "Refused to display document because display forbidden by X-Frame-Options." I have contacted JSFiddle to see if they have changed their X-Frame-Options headers, but I believe it is the iframed page that specifies that header. What is Foursquare's policy about OAuth inside iframes and has it changed recently?

Here is my Fiddle

Jesse Hattabaugh asked Jan 31 '12 03:01



1 Answer

We, at Foursquare, have updated our OAuth flow to not support embedding in iFrames. This is recommended by the OAuth 2 spec.

akdotcom answered Sep 23 '22 06:09