Is HTTPS required for OAuth?

Google Cloud Apigee
1

Yes, I know that OAuth specification requires HTTPS – I’m asking if the Apigee Policy implementation of OAuth (specifically in this case the Verify API Key policy, but generally all of the OAuth policies) requires it, or if there’s a way to neuter that check.

I’m trying to implement OAuth2.0 using the standard OAuth policy tools, but I keep getting the oauth.v2.InvalidApiKey when trying to access the login-app from the webserver-app.

After scratching my head a bit, and verifying the credentials 3-4 times, I decided to trace. I found that in the trace, there is the following information

4080-screen-shot-2016-12-15-at-63556-pm.png
4080-screen-shot-2016-12-15-at-63556-pm.png1778×334 7.5 KB

This seems to indicate that there’s no failure in verifying the api key itself. But I did notice the expression virtualhost.ssl.enabled equals true, which is not the case here (POC environment uses HTTP, not HTTPS)

So friends, the question is twofold:

  1. Does Edge require HTTPS for OAuth2?
  2. If so, is there a way for the purposes of demonstration to kill that check?
2

Hi @Paul Williams

I deployed a proxy on default virtual host with a VerifyAPIKey policy pointing to a mock target. I was able to make a call on http

1 Like
3

Discovered that the restriction isn’t in the VerfiyAPIKey policy per se, but rather baked into assumptions that the sample login app was using.

In the register.js file, there’s some places where not only HTTPS is assumed, but also ports, and the construction of host names.

Again, this all works fine for cloud, just requires some tweaking for on-prem installations.