Home/ Questions/Q 5946043
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T16:46:00+00:00

I’m attempting to implement OAuth2 in an AIR app that’s running WebKit. When the

  • 0

I’m attempting to implement OAuth2 in an AIR app that’s running WebKit. When the app starts, a local page is rendered (app:/login.html) which loads an iframe pointing to a remote site. The remote site presents a login page, and upon submitting, should redirect back to app:/authenticated.html#access_token=1234xyz. It appears that WebKit is barfing on the URL and not causing the iframe to redirect. Redirects for URIs outside of the app:/ scheme appear to work.

From the server’s perspective, everything looks alright, as the command:

$ curl -k -v -d"email=bazquux@foo.bar.com&password=blah" "https://foo.bar.com/oauth2/authorization?client_id=dd9766fc8042e70777b8857bee70f996&edirect_uri=app%3A%2Fauthenticated.html&response_type=token"

results in the following exchange (note the Location header is correct):

> POST /oauth2/authorization?client_id=dd9766fc8042e70777b8857bee70f996&redirect_uri=app%3A%2Fauthenticated.html&response_type=token HTTP/1.1
> User-Agent: curl/7.21.2 (x86_64-apple-darwin10.3.1) libcurl/7.21.2 OpenSSL/1.0.0d zlib/1.2.5 libidn/1.19
> Host: foo.bar.com
> Accept: */*
> Content-Length: 40
> Content-Type: application/x-www-form-urlencoded
> 
< HTTP/1.1 302 Found
< Server: nginx/0.8.53
< Date: Mon, 23 May 2011 22:39:54 GMT
< Content-Type: text/html; charset=utf-8
< Connection: close
< Status: 302
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.0
< Location: app:/authenticated.html#access_token=44fab26915308753fd78ddd9e68c7a9c&expires_in=899&token_type=bearer
< X-Runtime: 1492
< Content-Length: 176
< Pragma: no-cache
< Set-Cookie: _session=BAh7BzoPc2Vzc2lvbl9pZCIlNWRmMDM5NWFmNDk0YjYxZDkwNDEzNGU1MzE2YzAwOTM6C3RlbmFudGkK--4e08d61ae521cf41f9f69b2257ad7599a675f35a; path=/; HttpOnly
< Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0
< Expires: Thu, 01 Jan 1970 00:00:00 +0000
< 
<html><body>You are being <a href="app:/authenticated.html#access_token=44fab26915308753fd78ddd9e68c7a9c&amp;expires_in=899&amp;token_type=bearer">redirected</a>.</body></html>

Any ideas as to how to get this working?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    After doing some reading, this sounds a lot like you’re running into the Adobe AIR sandbox walls.

    The iframe content may be in the ‘remote’ sandbox, while the content addressable via the app:/ scheme is probably in the more privileged ‘application’ sandbox.

    You might try the suggestions for crossing sandbox boundaries suggested by the AIR security docs.

    • 0