Silverlight and the Authorization Header – OAuth

I discovered the other day that there are issues when using Silverlight and setting the Authorization header, the preferred method for sending the OAuth parameters to a service.

http://oauth.net/core/1.0a/#consumer_req_param

Silverlight 3.0 does not, however, let you set the Authorization header.

Silverlight 4 and 5 will let you set the header, but will produce a rather generic exception “System.Security.SecurityException: Security error” if the endpoint does not have a clientaccesspolicy.xml – the cross-domain policy defined by Microsoft for use with Silverlight. This file allows for more specific control over access, and must explicitly allow the use of the Authorization header. Currently, services such as Flickr and Twitter do not support the clientaccesspolicy file, only the Adobe crossdomain.xml file.

Silverlight will fall back to using the crossdomain.xml file, so calls can be made. However, it appears the same issue exists with this file too:

http://kb2.adobe.com/cps/403/kb403184.html

Tim Heuer has an article covering how Silverlight and the Client Access Policy file work.

http://timheuer.com/blog/archive/2010/04/23/silverlight-authorization-header-access.aspx

It isn’t clear whether Silverlight would work with a modified crossdomain.xml file that allowed the Authorization header, as Silverlight only supports a subset of the crossdomain.xml file specification (but I can’t find details on which subset).
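The requirement above, that clientaccesspolicy.xml explicitly allow the Authorization header, can be checked against a policy file before chasing the generic SecurityException. This is an added example, not code from the original post or from Silverlight: both policies are constructed samples, `audit_policy` and `header_allowed` are hypothetical helper names, and the wildcard handling (`*` or a trailing `*`) is an assumption about the `http-request-headers` attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from any real service): no http-request-headers attribute.
POLICY_DEFAULT = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Same constructed policy, but explicitly allowing the Authorization header.
POLICY_WITH_AUTH = POLICY_DEFAULT.replace(
    "<allow-from>", '<allow-from http-request-headers="Content-Type, Authorization">')


def header_allowed(pattern, header):
    """Match one http-request-headers entry against a header name (case-insensitive)."""
    pattern, header = pattern.strip().lower(), header.lower()
    if pattern.endswith("*"):  # assumption: "*" or a trailing "*" acts as a wildcard
        return header.startswith(pattern[:-1])
    return pattern == header


def audit_policy(xml_text, header="Authorization"):
    """Return (caller domains, resource paths) for each policy that allows `header`."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for policy in root.iter("policy"):
        for allow in policy.iter("allow-from"):
            # A missing attribute is treated as "header not explicitly allowed".
            entries = allow.get("http-request-headers", "").split(",")
            if not any(header_allowed(e, header) for e in entries):
                continue
            domains = [d.get("uri") for d in allow.iter("domain")]
            paths = [r.get("path") for r in policy.iter("resource")]
            findings.append((domains, paths))
    return findings


if __name__ == "__main__":
    for name, text in (("default", POLICY_DEFAULT), ("with-auth", POLICY_WITH_AUTH)):
        print(name, audit_policy(text))
```

An empty result means no policy in the file lets a Silverlight caller send the header; a result whose domain list contains `*` means any calling domain may send it to the listed paths.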

Flickr announces end date for old authentication

Flickr have announced the end date for the old authentication method.

After the 31st July you will no longer be able to use the old authentication methods, and will have to use the new OAuth 1.0a authentication flow in your applications.

http://code.flickr.com/blog/2012/01/13/farewell-flickrauth/

I’m glad to say that the Flickr.Net library already fully supports OAuth, and the old methods are deprecated. I will be deleting these methods from the library nearer the time in an effort to get everyone to move forward with the new OAuth flow.