Houman

Reputation: 66320

Is HTTPS necessary when using OAuth 2.0?

Our users can only use Facebook OAuth 2.0 to sign up and connect with our service on Google App Engine.

Is it even necessary in this case to have the connection secured over HTTPS? Would the secret token still be in danger of being sniffed by a man-in-the-middle attack? Or can we leave it at that?

Usually HTTPS is a must if usernames/passwords are used, to protect plain passwords over the wire. Not so sure about OAuth 2.0.

Thanks,

Upvotes: 1

Views: 70

Answers (1)

Peter Knego

Reputation: 80340

Yes, it's necessary. A secure token is a credential as much as a username/password is. If someone sniffs it out, they can hijack the user's session for as long as the token is valid.

Upvotes: 4
