3
我試圖在運行WebKit的AIR應用中實現OAuth2。當應用程序啓動時,呈現本地頁面(app:/login.html),該頁面加載指向遠程站點的iframe。遠程站點顯示一個登錄頁面,一旦提交,應該重定向迴應用程序:/authenticated.html#access_token=1234xyz。看起來,WebKit正在對URL進行攻擊並且不會導致iframe重定向。重定向URI之外的URI:/方案似乎可以正常工作。從WebKit iframe中的遠程URI重定向到AIR應用:/ scheme
從服務器的角度來看,一切都看起來還好,因爲命令:
$ curl -k -v -d"[email protected]&password=blah" "https://foo.bar.com/oauth2/authorization?client_id=dd9766fc8042e70777b8857bee70f996&edirect_uri=app%3A%2Fauthenticated.html&response_type=token"
導致以下交換(注意Location頭是正確的):
> POST /oauth2/authorization?client_id=dd9766fc8042e70777b8857bee70f996&redirect_uri=app%3A%2Fauthenticated.html&response_type=token HTTP/1.1
> User-Agent: curl/7.21.2 (x86_64-apple-darwin10.3.1) libcurl/7.21.2 OpenSSL/1.0.0d zlib/1.2.5 libidn/1.19
> Host: foo.bar.com
> Accept: */*
> Content-Length: 40
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 302 Found
< Server: nginx/0.8.53
< Date: Mon, 23 May 2011 22:39:54 GMT
< Content-Type: text/html; charset=utf-8
< Connection: close
< Status: 302
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.0
< Location: app:/authenticated.html#access_token=44fab26915308753fd78ddd9e68c7a9c&expires_in=899&token_type=bearer
< X-Runtime: 1492
< Content-Length: 176
< Pragma: no-cache
< Set-Cookie: _session=BAh7BzoPc2Vzc2lvbl9pZCIlNWRmMDM5NWFmNDk0YjYxZDkwNDEzNGU1MzE2YzAwOTM6C3RlbmFudGkK--4e08d61ae521cf41f9f69b2257ad7599a675f35a; path=/; HttpOnly
< Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0, s-maxage=0
< Expires: Thu, 01 Jan 1970 00:00:00 +0000
<
<html><body>You are being <a href="app:/authenticated.html#access_token=44fab26915308753fd78ddd9e68c7a9c&expires_in=899&token_type=bearer">redirected</a>.</body></html>
任何想法如何得到這個工作?