Is HTTPS required for OAuth?

Yes, I know that the OAuth specification requires HTTPS -- I'm asking if the Apigee Policy implementation of OAuth (specifically in this case the Verify API Key policy, but generally all of the OAuth policies) requires it, or if there's a way to neuter that check.

I'm trying to implement OAuth2.0 using the standard OAuth policy tools, but I keep getting the `oauth.v2.InvalidApiKey` when trying to access the login-app from the webserver-app.

After scratching my head a bit, and verifying the credentials 3-4 times, I decided to trace. I found that in the trace there is the following information:

[Trace screenshot: 4080-screen-shot-2016-12-15-at-63556-pm.png]

This seems to indicate that there's no failure in verifying the API key itself. But I did notice the expression `virtualhost.ssl.enabled equals true`, which is not the case here (the POC environment uses HTTP, not HTTPS).

So friends, the question is twofold:

  1. Does Edge require HTTPS for OAuth2?
  2. If so, is there a way for the purposes of demonstration to kill that check?

Hi @Paul Williams

I deployed a proxy on the default virtual host with a VerifyAPIKey policy pointing to a mock target. I was able to make a call over HTTP.

Discovered that the restriction isn't in the VerifyAPIKey policy per se, but rather baked into assumptions that the sample login app was using.

In the register.js file, there are some places where not only HTTPS is assumed, but also ports and the construction of host names.

Again, this all works fine for cloud; it just requires some tweaking for on-prem installations.
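Hard-coded scheme, port and host-name layout are exactly the kind of assumptions the reply above points at. The following is an added example, not code from this thread or from the Apigee sample login app: a small JavaScript helper that builds the API base URL from configuration, defaults to HTTPS, and refuses plain HTTP unless an explicit non-production override is set, so an API key or token is never sent in cleartext by accident. The config field names, the `/oauth/token` path and the `<org>-<env>.apigee.net` host layout are assumptions.

```javascript
// Added example (not from the original post or the Apigee sample app).
// Instead of hard-coding "https://", a port and the host-name layout, derive
// the base URL from configuration. HTTPS is the default; plain HTTP is only
// accepted when the caller sets an explicit, obviously non-production flag.
// Hypothetical config shape: { org, env, domain, host, scheme, port, allowInsecureHttp }.

const DEFAULT_PORTS = { "https:": 443, "http:": 80 };

function buildApiBaseUrl(cfg) {
  const scheme = (cfg.scheme || "https").toLowerCase() + ":";
  if (scheme !== "https:" && scheme !== "http:") {
    throw new Error(`unsupported scheme ${cfg.scheme}`);
  }
  if (scheme === "http:" && cfg.allowInsecureHttp !== true) {
    // Fail closed: the cloud layout assumes TLS; an on-prem POC must opt in.
    throw new Error("plain HTTP refused: set allowInsecureHttp for a non-production POC");
  }
  // Assumed cloud layout is <org>-<env>.<domain>; an on-prem install may
  // supply the host name directly instead.
  const host = cfg.host || `${cfg.org}-${cfg.env}.${cfg.domain || "apigee.net"}`;
  const url = new URL(`${scheme}//${host}`);
  // Only add an explicit port when it differs from the scheme's default.
  if (cfg.port && Number(cfg.port) !== DEFAULT_PORTS[scheme]) {
    url.port = String(cfg.port);
  }
  return url.origin; // e.g. "https://myorg-test.apigee.net"
}

// The token endpoint the sample app would call, built on the same base URL.
function tokenEndpoint(cfg, path = "/oauth/token") {
  return buildApiBaseUrl(cfg) + path;
}
```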