Layer 7 API Management

How to enable https as callback scheme?

  • 1.  How to enable https as callback scheme?

    Posted 11-16-2016 08:53 PM

    Hey there,

    We are using CA OTK 3.4 and we got a 404 resource not found error when using https as the callback scheme. For example, a callback like "https://www.facebook.com" will fail, but "http://www.facebook.com" works.

    Please advise how to enable https as the callback scheme.

    Thanks,

    Peter



  • 2.  Re: How to enable https as callback scheme?
    Best Answer

    Posted 11-17-2016 12:02 PM

    Hi peterwuny,

    I am not familiar with any additional steps to use HTTPS vs HTTP for the redirect. Once the resource owner is authorized the policy simply does a 302 redirect to your callback URL (via the Location header).

    Does this only occur with Facebook as the redirect_uri? I noticed when using the developer tools in Chrome that Facebook sends a link to self XSS attacks:

    Don't Be a Self XSS Victim

    I also see that http://www.facebook.com actually does a 307 redirect to the HTTPS site (using HSTS). With a 307 it sends through the original HTTP method to the redirect location. The redirect_uri should point to a location you have control over so you can retrieve the authorization code or access token. I would suggest trying a different HTTPS location to confirm the behavior.

    Regards,

    Joe
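The 302 redirect Joe describes, together with the exact-match redirect_uri check an authorization server normally runs before issuing it, as an added Python example (not from this thread and not CA OTK's code; the client id and the registered callback URL are constructed):

```python
"""Added example: registered-callback check plus the 302 Location header
that delivers the authorization code. Not from the thread or from CA OTK;
the client id and callback URL below are constructed for illustration."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registration. RFC 6749 section 3.1.2.3 requires a simple
# string comparison against a fully registered URI, so the scheme is part
# of the match: "https://app.example.com/cb" and "http://app.example.com/cb"
# are two different callbacks and each must be registered to be usable.
REGISTERED_CALLBACKS = {
    "client-123": {"https://app.example.com/cb"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check of the whole URI (scheme, host, port, path, query).

    A fragment is never allowed in a redirect_uri (RFC 6749 section 3.1.2)
    and the comparison is deliberately case-sensitive: normalising the
    requested URI would silently widen the allowlist.
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment or parts.scheme not in ("https", "http"):
        return False
    return redirect_uri in REGISTERED_CALLBACKS.get(client_id, set())


def build_302_location(redirect_uri: str, code: str, state: str) -> str:
    """Value of the Location header for the 302 after authorization.

    Query parameters already present on the registered callback are kept
    and code/state are appended (RFC 6749 section 4.1.2).
    """
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), ""))


def authorize(client_id: str, redirect_uri: str, code: str, state: str):
    """Return (status, location): 302 to the callback, or 400 with no
    redirect at all when the URI is not registered for this client."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return 400, None
    return 302, build_302_location(redirect_uri, code, state)
```

Because only the https form is registered here, the same callback requested with http:// is refused outright rather than redirected; a callback that itself 307-redirects to another host would also receive the code, which is why the redirect_uri should be a location you control.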