So, I've gone through the information on SCN regarding how to enable OAuth 2.0 for an OData service. I've used the following article:
- OAuth 2.0: Constrained Authorization and SSO for OData Services
I set up an OAuth 2.0 Client, set up an Identity Provider, added scopes, etc. I am still able to hit the OData endpoint despite having it set to use OData. I am not required to use authorization, and I'm expecting it to say I can't access it. But I have a few inklings as to why, and I want to confirm these and ask for help:
- Is SSL required to test the OAuth calls to OData services? We currently do not have this on our development sandbox, and this is where I'm doing some testing.
- Are Resource Owner Authorization Configurations required? Is this why the service isn't restricting me?
- Do I need to set something in SICF on the service to enable OAuth to work?
Keep in mind, this is all for the SAML Bearer Assertion Flow.