One of the biggest differences between OAuth2 and WRAP is that OAuth2
requires that Protected Resources be accessed using HTTPS if no signature is
being used. Bullet Point #2 in Section 1.2 says:

   4.  Don't allow bearer tokens without either SSL and/or signatures.
       While some providers may offer this ability, they should be out
       of spec for doing so though technically it won't break the flows.

While I personally think that requiring SSL is a fantastic idea, and it's
very hard for me to argue against it, however....

One of the goals for WRAP was to define a standard AuthZ interface for APIs
which matched what we currently have on the Web. WRAP protected APIs are
intended to be a replacement for screen scraping.

On the web, almost all websites implement Cookie Auth. Specifically, when
you log into a website, the browser is issued a bearer token, called a
Cookie, and the browser is able to access Protected Resources by using the
Cookie as the credential.

The WRAP access token is intended to be a direct replacement for the HTTP
Cookie. A client should be able to present its bearer token (a WRAP Access
Token or an HTTP Cookie) without having to sign the request.

While I certainly think that requiring SSL would be a huge improvement in
internet security, HTTP does not require SSL, and since WRAP was intended to
be a replacement for HTTP Cookie Auth, then OAuth2 should also not require
HTTPS.

Yes, dropping the SSL requirement isn't optimal, but again the intent with
WRAP was to replace HTTP Cookie auth, and it should be up to the service
provider to require HTTPS when applicable.

Allen
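As an added illustration (not code from the thread or from any WRAP/OAuth2 implementation), here is the resource-server check that bullet 4 describes: a bearer credential (a WRAP/Bearer token or a session cookie) is accepted only over HTTPS, a signed request is accepted over either scheme, and a `require_tls_for_bearer` switch models the author's position that the service provider decides whether to demand HTTPS. The `Request` type, the header-scheme names and the sample requests are assumptions constructed for the example.

```python
# Added example: resource-server policy for bearer tokens vs. transport security.
# Request, credential_kind and allow_request are hypothetical names for this demo.
from dataclasses import dataclass, field

# Authorization header schemes that carry a bearer credential (WRAP or OAuth2 Bearer).
BEARER_SCHEMES = ("bearer", "wrap")
# Assumption: "OAuth" is the OAuth 1.0 signed-request scheme, so it counts as signed.
SIGNED_SCHEMES = ("oauth",)


@dataclass
class Request:
    scheme: str                               # "http" or "https" as the server sees it
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def credential_kind(req: Request) -> str:
    """Classify the credential the client presents: bearer, signed or none."""
    auth = req.headers.get("Authorization", "")
    auth_scheme = auth.split(" ", 1)[0].lower() if auth else ""
    if auth_scheme in BEARER_SCHEMES:
        return "bearer"
    if auth_scheme in SIGNED_SCHEMES:
        return "signed"
    if req.cookies:
        return "bearer"            # a session cookie is a bearer token too
    return "none"


def allow_request(req: Request, require_tls_for_bearer: bool = True):
    """Return (allowed, reason) for the policy 'no bearer tokens without SSL or a signature'.

    require_tls_for_bearer=False is the provider-chooses-HTTPS variant argued for above.
    """
    kind = credential_kind(req)
    if kind == "none":
        return False, "no credential presented"
    if kind == "signed":
        return True, "signed request accepted over " + req.scheme
    if req.scheme.lower() == "https" or not require_tls_for_bearer:
        return True, "bearer credential accepted over " + req.scheme
    return False, "bearer credential rejected: sent over plaintext HTTP"


if __name__ == "__main__":
    # Constructed sample requests; the token values are placeholders.
    for r in (Request("https", {"Authorization": "Bearer tok123"}),
              Request("http", {"Authorization": "WRAP access_token=tok123"}),
              Request("http", cookies={"sid": "abc"})):
        print(r.scheme, credential_kind(r), allow_request(r))
```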

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
