Silverlight and the Authorization Header – OAuth

I discovered the other day that there are issues when using Silverlight and setting the Authorization header, the preferred method for sending the oauth parameters to a service.

http://oauth.net/core/1.0a/#consumer_req_param

Silverlight 3.0 does not however let you set the Authorization header.

Silverlight 4 and 5 will let you set the header, but will produce a rather generic exception “System.Security.SecurityException: Security error” if the endpoint does not have a clientaccesspolicy.xml – the cross domain policy defined by Microsoft for use with Silverlight. This file allows for more specific control over the access, and must explicitly allow the use of the Authorization header. Currently services such as Flickr and Twitter do not support the clientaccesspolicy file, only the Adobe crossdomain.xml file.
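As an added illustration (not part of the original post), this is the shape of a clientaccesspolicy.xml, served from the root of the service endpoint, that explicitly grants the Authorization header; the consumer origin `https://consumer.example.com` is a placeholder, and scoping the grant to a named origin rather than `*` keeps the header grant from being usable by every Silverlight application on the web.

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- http-request-headers lists the headers a cross-domain Silverlight
           caller may set; without "Authorization" here Silverlight 4/5 raise
           the generic SecurityException mentioned above. -->
      <allow-from http-request-headers="Authorization">
        <!-- Hypothetical consumer origin; prefer a specific https origin over "*" -->
        <domain uri="https://consumer.example.com"/>
      </allow-from>
      <grant-to>
        <!-- Restrict the grant to the OAuth-protected API path -->
        <resource path="/api/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```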

Silverlight will fall back to using the crossdomain.xml file, so calls can be made. However, it appears the same issue exists with this file too:

http://kb2.adobe.com/cps/403/kb403184.html

Tim Heuer has an article covering how Silverlight and the Client Access Policy file work together.

http://timheuer.com/blog/archive/2010/04/23/silverlight-authorization-header-access.aspx

It isn’t clear whether Silverlight would work with a modified crossdomain.xml file that allowed the Authorization header, as Silverlight only supports a subset of the crossdomain.xml file specification (but I can’t find details on which subset).