That's correct, the OAuth protocol is only defined over HTTP. This
constitutes the overwhelming majority of use cases, and the specifics of
HTTP operation are central to the assumptions made in OAuth's design.
While it's plausible that the interactions between the parties could
take place over some other protocol, this is outside the scope of the
core definition, and such use is considered an extension. For instance,
there's a method for presenting an OAuth bearer token over SASL:
http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth
This extension doesn't define a method of getting a token, but it does
define a method of presenting a token over a non-HTTP protocol.
Hope this helps,
-- Justin
On 11/14/2012 09:51 AM, dgq2011 wrote:
Hi, all! It is said in RFC 6749 (The OAuth 2.0 Authorization
Framework) that “this specification is designed for use with HTTP
([RFC2616])” and “The use of OAuth over any protocol other than HTTP
is out of scope.” Do those statements mean that the communication
between any two roles in the OAuth protocol (namely resource owner,
resource server, client and authorization server) is based on the HTTP
protocol? I am not familiar with the OAuth protocol and just would
like to confirm this question. Any response is appreciated!
Best wishes!
Guangqing Deng
------------------------------------------------------------------------
dgq2011
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth