Hi Guangqing,

RFC 6749 should have explained this a bit more.

RFC 6749 uses HTTPS to interact with an authorization server to obtain access tokens (among other things). RFC 4749 does not, however, specify what protocol is used to present these access tokens to a resource server. RFC 6750 explains how this is done for resource servers that use HTTP.

There is, however, also ongoing work to provide OAuth support for non-HTTP-based protocols; see http://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-08. SASL and the GSS-API are used for integrating OAuth into a range of protocols.

Ciao
Hannes

On Nov 14, 2012, at 9:51 AM, dgq2011 wrote:

> Hi, all! It is said in RFC 6749 (The OAuth 2.0 Authorization Framework) that
> “this specification is designed for use with HTTP ([RFC2616])” and “The use
> of OAuth over any protocol other than HTTP is out of scope.” Do those
> statements mean that the communication between any two roles in OAuth
> protocol (namely resource owner, resource server, client and authorization
> server) is based on HTTP protocol? I am not familiar with the OAuth protocol
> and just would like to confirm this question. Any response is appreciated!
>
>
> Best wishes!
> Guangqing Deng
> dgq2011
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
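An added example, not part of the thread above or of any OAuth implementation: a sketch of the resource-server side of the RFC 6750 HTTP binding the reply refers to, parsing the Authorization request header (section 2.1) and choosing the WWW-Authenticate challenge (section 3). The names check_bearer and validate, the realm value and the sample tokens are assumptions made for illustration.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def check_bearer(headers, validate, realm="example"):
    """Return (status, response_headers, token) for a protected-resource request.

    headers  -- dict of request header names to values
    validate -- hypothetical callback: True if the token is live and was
                issued for this resource server
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), None)
    scheme, _, rest = (value or "").partition(" ")
    # HTTP auth scheme names are matched case-insensitively.
    if scheme.lower() != "bearer":
        # No bearer credentials presented: challenge WITHOUT an error
        # code, so nothing is disclosed to an unauthenticated caller.
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, None
    token = rest.strip(" ")
    if not B64TOKEN.fullmatch(token):
        # Malformed credentials map to invalid_request (HTTP 400).
        challenge = f'Bearer realm="{realm}", error="invalid_request"'
        return 400, {"WWW-Authenticate": challenge}, None
    if not validate(token):
        # Expired, revoked or otherwise invalid token (HTTP 401).
        challenge = f'Bearer realm="{realm}", error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}, None
    return 200, {}, token


if __name__ == "__main__":
    # Constructed sample tokens and a constructed token store.
    live_tokens = {"tok-abc.123_XYZ~"}
    samples = [
        {},
        {"Authorization": "Basic dXNlcjpwdw=="},
        {"Authorization": "Bearer not a token"},
        {"Authorization": "Bearer expired-token"},
        {"authorization": "bearer tok-abc.123_XYZ~"},
    ]
    for hdrs in samples:
        status, resp, _ = check_bearer(hdrs, live_tokens.__contains__)
        print(status, resp.get("WWW-Authenticate", "-"))
```
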
