Layer 7 API Management


How to enable https as callback scheme?

  • 1.  How to enable https as callback scheme?

    Posted 11-16-2016 08:53 PM

    Hey there,   


    We are using CA OTK 3.4 and we got a 404 resource not found error when using https as the callback scheme. For example, a callback like "" will fail, but "" works.


    Please advise how to enable https as the callback scheme. 




  • 2.  Re: How to enable https as callback scheme?
    Best Answer

    Posted 11-17-2016 12:02 PM

    Hi peterwuny,


    I am not familiar with any additional steps to use HTTPS vs HTTP for the redirect. Once the resource owner is authorized the policy simply does a 302 redirect to your callback URL (via the location header).


    Does this only occur with Facebook as the redirect_uri? I noticed when using the developer tools in Chrome that Facebook sends a link to self XSS attacks:


    Don't Be a Self XSS Victim 


    I also see that actually does a 307 redirect to the HTTPS site (using HSTS). With a 307 it sends through the original HTTP method to the redirect location. The redirect_uri should point to a location you have control over so you can retrieve the authorization code or access token. I would suggest trying a different HTTPS location to confirm the behavior.
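
To check the behaviour described in the answer above, the redirect hops copied from the browser's network tab can be replayed offline. The following is an added example, not part of the original posts or of OTK; the host names, the `/authorize` and `/cb` paths and the `code` value are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

REDIRECTS = {301, 302, 303, 307, 308}
PRESERVE_METHOD = {307, 308}  # these keep the original HTTP method


def trace_callback(method, start_url, hops):
    """Replay a recorded redirect chain.

    hops: ordered (status, Location) pairs as seen in the network tab.
    Returns the method and URL that finally reach the callback, plus the
    authorization code carried in the query string (if any).
    """
    url, trail = start_url, []
    for status, location in hops:
        if status not in REDIRECTS or not location:
            break  # not a redirect: the chain ends here
        next_url = urljoin(url, location)  # Location may be relative
        if status == 303 and method != "HEAD":
            method = "GET"
        elif status not in PRESERVE_METHOD and method == "POST":
            method = "GET"  # browsers rewrite POST to GET on 301/302
        trail.append((status, url, next_url))
        url = next_url
    parts = urlsplit(url)
    code = parse_qs(parts.query).get("code", [None])[0]
    return {"method": method, "url": url, "scheme": parts.scheme,
            "code": code, "trail": trail}


# Constructed sample: the gateway answers the consent POST with a 302 to an
# http callback, then the browser upgrades it to https with a 307 (HSTS).
SAMPLE_HOPS = [
    (302, "http://client.example/cb?code=abc123&state=xyz"),
    (307, "https://client.example/cb?code=abc123&state=xyz"),
]

if __name__ == "__main__":
    result = trace_callback("POST", "https://gateway.example/authorize",
                            SAMPLE_HOPS)
    for status, src, dst in result["trail"]:
        print(status, src, "->", dst)
    print(result["method"], result["scheme"], result["code"])
```

If the final URL, scheme and `code` look right in this trace but the callback still returns 404, the problem is on the host serving the callback rather than in the redirect itself.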