I intend to build a delegated login system for an existing app. I’ll be implementing both the OAuth client (in a web application) and the OAuth server (a simple authorization and resource server, that really only has a ‘user’ resource for now.)

With that in mind, I came across the following section in the current OAuth 2 draft (version 22):

3.1.2.1.  Endpoint Request Confidentiality

   If a redirection request will result in the transmission of an
   authorization code or access token over an open network (between the
   resource owner's user-agent and the client), the client SHOULD
   require the use of a transport-layer security mechanism.

   Lack of transport-layer security can have a severe impact on the
   security of the client and the protected resources it is authorized
   to access.  The use of transport-layer security is particularly
   critical when the authorization process is used as a form of
   delegated end-user authentication by the client (e.g. third-party
   sign-in service).

This specifically warns me that I should be using TLS on the client. We will be using HTTPS on the server, of course, but enabling HTTPS on all clients will be difficult if not impossible.

From my limited understanding of security, I imagine someone could steal the authorization grant. This brings me to my question:

Won’t client authentication (using the client secret) prevent an eavesdropper from using the authorization grant? (Because the malicious party won’t know the client secret, hopefully.)

If it doesn’t, or if there’s another attack vector here I’m not seeing, is there anything I can do to make this work securely without HTTPS on the clients? Would, for example, OAuth 1 help? (Perhaps because it has the additional request token step.)

P.S.: I was planning on doing client authentication using TLS client certificates, rather than secrets, if that makes the situation any better.