OAuth not working inside an iframe

Jesse Hattabaugh picture Jesse Hattabaugh · Jan 31, 2012 · Viewed 16.3k times · Source

I have built a Fiddle on JSFiddle which retrieves an OAuth access token via Foursquare's "token" response type. One or two days ago this was working fine. When "Login with Foursquare" was clicked Foursquare's authorization page appeared and I was able to get an access_token. Today I get an error that says "Refused to display document because display forbidden by X-Frame-Options." I have contacted JSFiddle to see if they have changed their X-Frame-Options headers, but I believe it is the iframed page that specifies that header. What is Foursquare's policy about OAuth inside iframes and has it changed recently?

Here is my Fiddle

Answer

akdotcom picture akdotcom · Feb 1, 2012

We, at Foursquare, have updated our OAuth flow to not support embedding in iFrames. This is recommended by the OAuth 2 spec.