OAuth 2.0 — What's new?
29-09-2019
Question
Could someone enumerate the main differences between OAuth 2.0 and previous versions? Or point me to good documentation. (Not the full OAuth 2.0 Protocol draft; I don't have time to read it.)
Solution
The main difference between 1.0 and 2.0 is scale. Everything else is much less significant. 2.0 was designed from the ground up for Google/Facebook/Multinational-telecom scale by optimizing each step and each credential.
In OAuth 1.0, every request requires two secrets and a complex request normalization to produce the signature. It has a broken nonce/timestamp logic that no one implements properly (the best-kept secret in the industry is that Twitter is probably the only provider checking nonce values, with a 15-minute clock skew for timestamps).
OAuth 2.0 is being much more honest about desktop and mobile clients, registration requirements, and the protocol's limitations. The specification is a bit more complex due to the much bigger list of requirements and the new abstraction layer called authorization grants.
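To make the "two secrets", "request normalization" and "nonce/timestamp logic" in the accepted answer concrete, here is an added example (not code from the original post, and not any OAuth library's own code) that signs the RFC 5849 sample request with HMAC-SHA1 and then plays the server, checking the timestamp against a 15-minute window and rejecting a replayed nonce before comparing signatures. The request, parameters and shared secrets are the ones printed in RFC 5849 sections 3.4.1 and 3.4.2; the `ReplayGuard` class and the 15-minute window are this example's own assumptions.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing plus the server-side nonce/timestamp
check. Added example, not code from the original post. Sample request and
secrets are the RFC 5849 §3.4.1 / §3.4.2 ones; the 15-minute window is assumed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

SKEW_WINDOW = 15 * 60  # seconds: accept timestamps within +/- 15 minutes (assumed)


def pct(value) -> str:
    """RFC 5849 §3.6 encoding: only ALPHA / DIGIT / - . _ ~ stay literal,
    everything else becomes %XX with uppercase hex (quote() does exactly this)."""
    return quote(str(value), safe="")


def normalize_params(params):
    """§3.4.1.3.2: encode names and values, sort by name then value, join with '&'.
    Caller must already have dropped oauth_signature and realm."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, base_url, params):
    """§3.4.1.1: METHOD & encoded base URI & encoded normalized parameters."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """§3.4.2: the HMAC key is BOTH secrets, each encoded, joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def collect_params(query, body, oauth_params):
    """Everything the signature covers: query string, form body and the
    oauth_* protocol parameters (minus oauth_signature itself)."""
    params = parse_qsl(query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return params


class ReplayGuard:
    """Server side of §3.3 (assumed design): reject stale timestamps, and reject
    a nonce reused with the same client key, token and timestamp in the window."""

    def __init__(self, window=SKEW_WINDOW):
        self.window = window
        self.seen = {}  # (consumer_key, token, timestamp, nonce) -> last usable time

    def check(self, consumer_key, token, timestamp, nonce, now):
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        # A nonce whose timestamp can no longer be accepted is safe to forget.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = (consumer_key, token, ts, nonce)
        if key in self.seen:
            return False, "nonce replayed"
        self.seen[key] = ts + self.window
        return True, "ok"


def verify_request(method, base_url, query, body, oauth_params,
                   consumer_secret, token_secret, guard, now):
    """Replay window first, then constant-time comparison of the recomputed
    signature with the one the client presented."""
    ok, reason = guard.check(oauth_params["oauth_consumer_key"],
                             oauth_params.get("oauth_token", ""),
                             oauth_params["oauth_timestamp"],
                             oauth_params["oauth_nonce"], now)
    if not ok:
        return False, reason
    params = collect_params(query, body, oauth_params)
    expected = hmac_sha1_signature(signature_base_string(method, base_url, params),
                                   consumer_secret, token_secret)
    presented = oauth_params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    return True, "ok"


# Sample request from RFC 5849 §3.4.1; shared secrets from the §3.4.2 example.
RFC_METHOD, RFC_URL = "POST", "http://example.com/request"
RFC_QUERY = "b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"


def rfc_base_string():
    return signature_base_string(RFC_METHOD, RFC_URL,
                                 collect_params(RFC_QUERY, RFC_BODY, RFC_OAUTH))


if __name__ == "__main__":
    print(rfc_base_string())
    signed = dict(RFC_OAUTH, oauth_signature=hmac_sha1_signature(
        rfc_base_string(), RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET))
    guard, now = ReplayGuard(), int(RFC_OAUTH["oauth_timestamp"]) + 30
    for _ in range(2):  # second call is a replay and must be rejected
        print(verify_request(RFC_METHOD, RFC_URL, RFC_QUERY, RFC_BODY, signed,
                             RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET, guard, now))
```

The base string the example produces is byte-for-byte the one printed in RFC 5849 section 3.4.1.1, which is the point: every query, body and protocol parameter has to be decoded, re-encoded, sorted and encoded again, on both client and server, and a single divergence (a library that encodes `~`, or sorts before encoding) breaks every request. Note also that the guard keys nonces by client key, token and timestamp, as the spec requires, and can drop them as soon as the timestamp leaves the window; a server that only checks the signature, with no window and no nonce store, accepts any captured request forever.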
OTHER TIPS
Check this article for a short summary of the changes introduced with OAuth 2.0 (and reasons for the changes): http://hueniverse.com/2010/05/introducing-oauth-2-0/
Here's another short and readable summary: http://blog.apigee.com/detail/oauth_differences/
(To sum up, more simplicity is what's new.)