On Tue, Apr 6, 2010 at 11:26 AM, Allen Tom <a...@yahoo-inc.com> wrote:
> One of the biggest differences between OAuth2 and WRAP is that OAuth2 > requires that Protected Resources be accessed using HTTPS if no signature is > being used. Bullet Point #2 in Section 1.2 says: > > 4. Don't allow bearer tokens without either SSL and/or signatures. > While some providers may offer this ability, they should be out > of spec for doing so though technically it won't break the flows. > > While I personally think that requiring SSL is a fantastic idea, and it’s > very hard for me to argue against it, however.... > > One of the goals for WRAP was to define a standard AuthZ interface for APIs > which matched what we currently have on the Web. WRAP protected APIs are > intended to be a replacement for screen scraping. > > On the web, almost all websites implement Cookie Auth. Specifically, when > you log into a website, the browser is issued a bearer token, called a > Cookie, and the browser is able to access Protected Resources by using the > Cookie as the credential. > > The WRAP access token is intended to be a direct replacement for the HTTP > Cookie. A client should be able to present its bearer token (a WRAP Access > Token or an HTTP Cookie) without having to sign the request. > > While I certainly think that requiring SSL would be a huge improvement in > internet security, HTTP does not require SSL, and since WRAP was intended to > be a replacement for HTTP Cookie Auth, then OAuth2 should also not require > HTTPS. > > Yes, dropping the SSL requirement isn’t optimal, but again the intent with > WRAP was to replace HTTP Cookie auth, and it should be up to the service > provider to require HTTPS when applicable. > I tend to agree that this is a SHOULD and not a MUST. There is a wide range of types of protected resources, and many of these resources are already available over HTTP connections. It probably should be a choice by the authorization endpoint whether to allow non-HTTPS access. > Allen > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
