Question

Could someone enumerate the main differences between OAuth 2.0 and previous versions? Or point me to good documentation. (Not the full OAuth 2.0 Protocol draft; I don't have time to read it.)


Solution

The main difference between 1.0 and 2.0 is scale. Everything else is much less significant. 2.0 was designed from the ground up for Google/Facebook/Multinational-telecom scale by optimizing each step and each credential.

In OAuth 1.0, every request requires two secrets and a complex request normalization to produce the signature. It has a broken nonce/timestamp logic that no one implements properly (the best-kept secret in the industry is that Twitter is probably the only provider checking nonce values, with a 15-minute clock skew for timestamps).

OAuth 2.0 is being much more honest about desktop and mobile clients, registration requirements, and the protocol's limitations. The specification is a bit more complex due to the much bigger list of requirements and the new abstraction layer called authorization grants.
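
To make the answer's point concrete, here is an added example (written for this page, not code from the original post or from any OAuth library) of what an OAuth 1.0 client does per request: RFC 3986 percent-encoding, parameter normalization, the signature base string and the HMAC-SHA1 keyed with both the consumer secret and the token secret. Next to it sits the server-side check the answer says almost nobody does (a timestamp window plus a nonce replay cache), and, for contrast, the whole of what an OAuth 2.0 bearer request carries. The request values are the "photos" example from OAuth Core 1.0 Appendix A; the `OAuth1Verifier` class, its verdict strings, the 15-minute window and `demo()` are this example's own assumptions.

```python
# Added example for this page; not from the original post or from any OAuth library.
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lowercase scheme and host, drop default ports, strip query string and fragment."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path}"


def normalize_params(params):
    """params: (key, value) pairs from query, form body and oauth_* fields, minus oauth_signature.
    Every key and value is encoded first, then sorted by key (and value on ties)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded(uri) & encoded(normalized params)."""
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """Both secrets form the MAC key; the base string is the MACed message."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class OAuth1Verifier:
    """Assumed server-side verifier: timestamp window, nonce replay cache, then the signature."""

    def __init__(self, secrets_by_token, skew_seconds=15 * 60):
        self.secrets_by_token = secrets_by_token  # oauth_token -> (consumer_secret, token_secret)
        self.skew = skew_seconds
        self.seen = set()  # (token, timestamp, nonce) triples already accepted

    def verify(self, method, url, params, now):
        fields = dict(params)
        provided, token = fields.get("oauth_signature"), fields.get("oauth_token")
        if provided is None or token not in self.secrets_by_token:
            return False, "missing signature or unknown token"
        try:
            ts = int(fields["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.skew:
            return False, "timestamp outside window"
        replay_key = (token, ts, fields.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "nonce replayed"
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(method, url, unsigned, *self.secrets_by_token[token])
        if not hmac.compare_digest(expected, provided):  # constant-time comparison
            return False, "bad signature"
        self.seen.add(replay_key)
        return True, "ok"


def oauth2_bearer_header(access_token):
    """OAuth 2.0 bearer usage (RFC 6750): no signing, no nonce, no per-request secret.
    The token is the whole credential, so TLS is what protects it in transit."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed request: the OAuth Core 1.0 Appendix A "photos" example values.
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos"
PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0"),
    ("file", "vacation.jpg"), ("size", "original"),
]


def signed_request():
    """Client side: append oauth_signature to the parameter set."""
    return PARAMS + [("oauth_signature", hmac_sha1_signature("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))]


def demo():
    """Sign once, replay it, then present it an hour late: returns the three verdicts."""
    v = OAuth1Verifier({"nnch734d00sl2jdk": (CONSUMER_SECRET, TOKEN_SECRET)})
    req = signed_request()
    first = v.verify("GET", URL, req, now=1191242096 + 60)
    replay = v.verify("GET", URL, req, now=1191242096 + 61)
    stale = v.verify("GET", URL, req, now=1191242096 + 3600)
    return first, replay, stale


if __name__ == "__main__":
    print(signature_base_string("GET", URL, PARAMS))
    print(demo())
    print(oauth2_bearer_header("<access token>"))
```

The verifier checks the timestamp before consulting the replay cache, which is what keeps the cache bounded: any entry older than the skew window can be discarded, because a request carrying that timestamp would already be rejected. Everything in `normalize_params` and `base_string_uri` is a place where client and server can disagree (encoding of "~", default ports, duplicate keys), which is the normalization fragility the answer refers to; the bearer header has none of it.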

OTHER TIPS

Check this article for a short summary of the changes introduced with OAuth 2.0 (and reasons for the changes): http://hueniverse.com/2010/05/introducing-oauth-2-0/

Here's another short and readable summary: http://blog.apigee.com/detail/oauth_differences/

(To sum up, more simplicity is what's new.)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow