Is HMAC necessary if all API calls are made through https?

Philippe Huibonhoa · Jun 26, 2012 · Viewed 7.7k times

If all api calls are sent through https, does HMAC add any extra security? For example, in oauth 2, the client sends its secret key to the provider without any hashing whatsoever. Is this considered secure because it's over https? While not strictly oauth, would using HMAC on this call make oauth 2 more secure? If so, why isn't that a standard part of oauth 2?

Answer

Zólyomi István · Jun 27, 2012

The OAuth 2 standard requires that the authorization server MUST use HTTPS on all of its endpoints and the client SHOULD use a callback protected with HTTPS. Since message contents (headers, query parameters and fragments, considering OAuth) are known only to the server and the client, usage of an HTTPS connection is considered to be safe. Thus there's no gain in using a separate signature for the authorization request; that's why such signatures are not even mentioned in the standard.

This does not necessarily hold for the response, though. If the client receives the authorization response on an unprotected callback, then it cannot verify its validity. In such cases, an attacker can send arbitrary authorization results to the client. By adding a signature over the callback parameters, you may avoid this. However, it seems to be a better solution to use mutual client/server authentication with an HTTPS callback instead.

While there's no real gain in using signatures during authorization, they may be useful when accessing protected resources, to avoid stolen access tokens being usable. This is why the MAC token type is in the standard; see section 7.1.
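As an added illustration (not part of the answer above) of what signing the callback parameters looks like, here is a Python sketch: the provider and client share a key (a constructed demo value here), the signature travels in a hypothetical `sig` query parameter, and the client rejects any callback whose parameters were altered or that carries no signature at all.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

def canonicalize(params):
    """Sort and URL-encode the parameters so both sides sign identical bytes."""
    return urlencode(sorted(params.items())).encode()

def sign_callback(params, key):
    """Provider side: attach an HMAC-SHA256 'sig' over all other callback parameters."""
    sig = hmac.new(key, canonicalize(params), hashlib.sha256).hexdigest()
    return {**params, "sig": sig}

def verify_callback(params, key):
    """Client side: accept only if 'sig' matches the HMAC over the remaining parameters."""
    provided = params.get("sig")
    if provided is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    expected = hmac.new(key, canonicalize(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, provided)

# Constructed demo key; a real deployment would provision this out of band.
SHARED_KEY = b"constructed-demo-key"

def demo():
    """Round-trip a signed callback through a URL query and try to forge it."""
    signed = sign_callback({"code": "abc123", "state": "xyz"}, SHARED_KEY)
    url_query = urlencode(signed)             # what appears on the callback URL
    received = dict(parse_qsl(url_query))     # client parses the query back
    forged = dict(received, code="attacker-code")  # same sig, altered code
    unsigned = {k: v for k, v in received.items() if k != "sig"}
    return (
        verify_callback(received, SHARED_KEY),  # genuine callback: True
        verify_callback(forged, SHARED_KEY),    # tampered parameter: False
        verify_callback(unsigned, SHARED_KEY),  # signature stripped: False
    )

if __name__ == "__main__":
    print(demo())
```

The `state` parameter is still needed for CSRF binding; the signature only proves the parameters came from the key holder unchanged.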