Important Breaking Change: Framing the OAuth Flow


(Spencer Hunter) #1

As developers, we have a shared responsibility to help our users stay safe. In order to align with the OAuth2 spec and continue iterating on our security standards, beginning March 31, 2016 we will no longer support the OAuth flow occurring within an iframe. With the exception of Dwolla White Label and the Off-site Gateway (i.e. Dwolla Forms), this change will occur site-wide, prohibiting Dwolla web pages from being rendered within an iframe.

Beginning on March 31, if you have not made the necessary changes to transition out of iframing, you will be met with an error message that reads similar to:

“Refused to display ‘https://www.dwolla.com’ in a frame, because it set ‘X-Frame-Options’ to ‘DENY’.”

As an alternative to iframing the OAuth flow, we recommend either redirecting the user to Dwolla within the same window, or popping up a new window to complete the authorization process.

For additional guidance on how to make these changes, please don’t hesitate to reach out!

If you’re looking for a custom account creation and payment flow, with more control over the user experience and branding, check out White Label functionality in API v2.
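The two alternatives recommended in the post above, sketched as an added example (not part of the original post and not Dwolla's code): the authorization request is started as a top-level navigation or a popup instead of an iframe, with a `state` value checked on return. `AUTHORIZE_URL`, the function names, and the `cfg` fields are assumptions for illustration; only the query parameters are standard OAuth2.

```javascript
// Placeholder authorization endpoint (assumption, not Dwolla's real URL).
const AUTHORIZE_URL = "https://auth.example.com/oauth/authorize";

// Unguessable value that ties the callback to the request this browser made.
function newState(rng = globalThis.crypto) {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Standard OAuth2 authorization-code request parameters.
function buildAuthorizeUrl(cfg, state) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: "code",
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    state,
  }).toString();
  return url.toString();
}

// mode "redirect": navigate the current window to the provider.
// mode "popup": open a separate top-level window; if the browser blocks it,
// fall back to a same-window redirect. Neither path uses an iframe, so an
// X-Frame-Options: DENY response from the provider does not affect it.
function startAuthorization(win, cfg, mode = "redirect") {
  const state = newState(win.crypto);
  win.sessionStorage.setItem("oauth_state", state);
  const url = buildAuthorizeUrl(cfg, state);
  if (mode === "popup") {
    const popup = win.open(url, "oauth_authorize", "width=520,height=680");
    if (popup) return "popup";
  }
  win.location.assign(url);
  return "redirect";
}

// On the redirect_uri page: hand back the code only when the returned state
// matches the stored one, and consume the stored value so it is single-use.
function readCallback(win, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const expected = win.sessionStorage.getItem("oauth_state");
  win.sessionStorage.removeItem("oauth_state");
  if (!expected || params.get("state") !== expected) return null;
  return params.get("code");
}
```

In a browser, call `startAuthorization(window, cfg, "popup")` from a click handler, since popups opened outside a user gesture are commonly blocked.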


Load denied by X-Frame-Options
(Spencer Hunter) #2

Update - This has just been released to production