Here is the Sequence Diagram of OAuth Wrap Web App Profile (Section 5.4).
Hope the spec to include such instead of legacy ascii diagram…
websequencediagrams.com source would do.
- wrap_client_id and wrap_client_secret are provisioned from the AuthzServer to the WebAppClient in advance.
- An Access Token is an opaque string whose format is agreed upon between the Resource and AuthzServer. It acts as a Bearer Token.
- All the communication is done over HTTPS so signatures are said to be unnecessary. (I am skeptical on it though. [*1])