Is HMAC necessary if all API calls are made through https?
If all api calls are sent through https, does HMAC add any extra security? For example, in oauth 2, the client sends its secret key to the provider without any hashing whatsoever. Is this considered secure because it's over https? While not strictly oauth, would using HMAC on this call make oauth 2 more secure? If so, why isn't that a standard part of oauth 2?
The OAuth 2 standard requires that the authorization server MUST use HTTPS on all of its endpoints and the client SHOULD use a callback protected with HTTPS. Since message contents (headers, query parameters and fragments considering OAuth) are known only by the server and the client, usage of an HTTPS connection is considered to be safe. Thus there's no gain using a separate signature for authorization request, that's why such signatures are not even mentioned in the standard.
This not necessarily hold for the response though. If the client receives the authorization response to an unprotected callback, then it cannot verify its validity. In such cases, an attacker can send arbitrary authorization results to the client. Adding a signature with the callback parameters, you may avoid this. However, it seems to be a better solution to use mutual client/server authentication with a HTTPS callback instead.
While there's no real gain using signatures during authorization, they may be useful to access protected resources to avoid stealing access tokens. This is why the MAC token type is in the standard, see section 7.1.
HMAC is for authentication that determining who you are, https is for security of transport that ensure on one in the middle can see the content of your transport.
Oauth 2 authorization server use secret key or password determining who you are. Oauth2 resource server use token from authorization server determining who you are. Using https or not depends on whether you want to protect your secret key and tokens.