OAuth Wrap Web App Profile Summary

Here is the Sequence Diagram of OAuth Wrap Web App Profile (Section 5.4).

Hope the spec to include such instead of legacy ascii diagram…
websequencediagrams.com source would do.


  1. wrap_client_id and wrap_client_secret are provisioned from the AuthzServer to the WebAppClient in advance.
  2. An Access Token is an opaque string whose format is agreed upon between the Resource and AuthzServer. It acts as a Bearer Token.
  3. All the communication is done over HTTPS so signatures are said to be unnecessary. (I am skeptical on it though. [*1])