I'm not sure if you are coming from the user or service perspective. So if a user asks for HTTPS do you have to support HTTPS? If a service asks for HTTPS do you have to support it? Or do you just fail?
From: [email protected] [mailto:[email protected]] On Behalf Of Allen Tom Sent: Tuesday, April 06, 2010 11:27 AM To: [email protected] Subject: [OAUTH-WG] HTTPS requirement for using an Access Token without signatures One of the biggest differences between OAuth2 and WRAP is that OAuth2 requires that Protected Resources be accessed using HTTPS if no signature is being used. Bullet Point #2 in Section 1.2 says: 4. Don't allow bearer tokens without either SSL and/or signatures. While some providers may offer this ability, they should be out of spec for doing so though technically it won't break the flows. While I personally think that requiring SSL is a fantastic idea, and it's very hard for me to argue against it, however.... One of the goals for WRAP was to define a standard AuthZ interface for APIs which matched what we currently have on the Web. WRAP protected APIs are intended to be a replacement for screen scraping. On the web, almost all websites implement Cookie Auth. Specifically, when you log into a website, the browser is issued a bearer token, called a Cookie, and the browser is able to access Protected Resources by using the Cookie as the credential. The WRAP access token is intended to be a direct replacement for the HTTP Cookie. A client should be able to present its bearer token (a WRAP Access Token or an HTTP Cookie) without having to sign the request. While I certainly think that requiring SSL would be a huge improvement in internet security, HTTP does not require SSL, and since WRAP was intended to be a replacement for HTTP Cookie Auth, then OAuth2 should also not require HTTPS. Yes, dropping the SSL requirement isn't optimal, but again the intent with WRAP was to replace HTTP Cookie auth, and it should be up to the service provider to require HTTPS when applicable. Allen
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
