We are using CA OTK 3.4 and we get a 404 "resource not found" error when using https as the callback scheme. For example, a callback like "https://www.facebook.com" will fail, but "http://www.facebook.com" works.
Please advise how to enable https as the callback scheme.
I am not familiar with any additional steps to use HTTPS vs HTTP for the redirect. Once the resource owner is authorized the policy simply does a 302 redirect to your callback URL (via the location header).
Does this only occur with Facebook as the redirect_uri? I noticed when using the developer tools in Chrome that Facebook sends a link about self-XSS attacks:
Don't Be a Self XSS Victim
I also see that http://www.facebook.com actually does a 307 redirect to the HTTPS site (using HSTS). With a 307 it sends through the original HTTP method to the redirect location. The redirect_uri should point to a location you have control over so you can retrieve the authorization code or access token. I would suggest trying a different HTTPS location to confirm the behavior.
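To make the redirect leg described in the answer concrete, here is an added example (not CA OTK code, and not from either poster) that models both sides: the authorization server answering the resource owner's approval with a 302 whose Location header is the registered callback plus the code and state, and the client's callback endpoint pulling the code back out. The client id, the registered callback URL, and the loopback relaxation for http are assumptions chosen for illustration; the exact-match rule follows the usual OAuth 2.0 guidance on redirect_uri registration rather than anything the thread states about OTK.

```python
"""Model of the authorization-code 302 redirect and the client callback.

Hypothetical example: the server-side functions stand in for the OTK policy
that does the 302; the client-side function stands in for the callback
endpoint the redirect_uri must point at (a location you control).
"""
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Constructed registry: callbacks a hypothetical client registered up front.
REGISTERED_CALLBACKS = {
    "demo-client": ["https://app.example.com/oauth/callback"],
}

LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


def redirect_uri_allowed(client_id, requested):
    """Exact-string match of the requested redirect_uri against registration.

    Only https is accepted as a scheme, except plain http to a loopback host
    (the native-app case). A downgrade from the registered https URL to http,
    or any host/path variation, is rejected. Assumed policy, not OTK's.
    """
    parts = urlsplit(requested)
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        return False
    if parts.scheme not in ("https", "http"):
        return False
    return requested in REGISTERED_CALLBACKS.get(client_id, [])


def build_redirect(client_id, redirect_uri, code, state):
    """Server side: return (status, headers) for the 302 that hands over the code.

    Any query string already present on the callback is preserved; code and
    state are appended. A redirect_uri that fails validation gets a 400 and no
    Location header, so the code is never sent to an unregistered location.
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        return 400, {}
    parts = urlsplit(redirect_uri)
    extra = urlencode({"code": code, "state": state})
    query = f"{parts.query}&{extra}" if parts.query else extra
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    return 302, {"Location": location}


def handle_callback(location, expected_state):
    """Client side: extract the code from the URL the browser was sent to.

    Returns the code, or None when state does not match the value the client
    generated for this login attempt (the CSRF check on the callback).
    """
    params = parse_qs(urlsplit(location).query)
    if params.get("state", [None])[0] != expected_state:
        return None
    return params.get("code", [None])[0]


if __name__ == "__main__":
    # Constructed walk-through: approval -> 302 -> callback parses the code.
    status, headers = build_redirect(
        "demo-client", "https://app.example.com/oauth/callback", "SplxlOBeZQQYbYS6WxSbIA", "xyz"
    )
    print(status, headers)
    print("code:", handle_callback(headers["Location"], "xyz"))
    # The http form of the same callback is refused rather than redirected to.
    print(build_redirect("demo-client", "http://app.example.com/oauth/callback", "c", "xyz"))
```

The point the answer makes shows up in the last call: the server never issues the 302 to a scheme-downgraded or unregistered URL, so the code only ever lands on an HTTPS endpoint the client operates, not on a third-party site such as facebook.com.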