I have built a Fiddle on JSFiddle which retrieves an OAuth access token via Foursquare's "token" response type. One or two days ago this was working fine. When "Login with Foursquare" was clicked, Foursquare's authorization page appeared and I was able to get an access_token. Today I get an error that says "Refused to display document because display forbidden by X-Frame-Options." I have contacted JSFiddle to see if they have changed their X-Frame-Options headers, but I believe it is the iframed page that specifies that header. What is Foursquare's policy about OAuth inside iframes, and has it changed recently?
Here is my Fiddle
Create an iframe where you want to display the authentication page and give it a unique name. Just make sure that the iframe is rendered in the DOM before redirecting a user. Now, set a target on your <a> or <form> element, depending on how you redirect a user.
Let's start with the biggest reason why OAuth isn't authentication: access tokens are not intended for the client application. When an authorization server issues an access token, the intended audience is the protected resource. After all, this is what the token is providing access to.
Nothing prevents a frontend web application from running a PKCE-based Authorization Code flow. Because of all these reasons, the OAuth 2.0 Security Best Current Practice considers the Implicit flow to be deprecated.
Use CURL to run the following OAuth ROPC command in a shell terminal to obtain an access token.
We, at Foursquare, have updated our OAuth flow to not support embedding in iframes. This is recommended by the OAuth 2 spec.