Am I right in thinking OAuth 1.0 has been deprecated in favour of OAuth 2.0?

Question

I was looking for some information on the Internet about that and ended up on the RFC for The Oauth 1.0 Protocol: https://www.rfc-editor.org/rfc/rfc5849

You can read "Obsoleted by: 6749" at the top of it and if you follow that link, you end up on the The OAuth 2.0 Authorization Framework RFC.

Based on that, can I safely infer that OAuth 1.0 has been deprecated in favour of OAuth 2.0?

Thanks.

Answer 1

Yes and No.

IETF has published a new version of OAuth 2 obsoleting OAuth 1.x and it strongly recommends the new Auth providers switch to OAuth2.

There is a revision to OAuth 1.0a which fixes many of the security flaws found in 1.0 and is widely considered to be the most secure OAuth version yet.

OAuth2 is a completely new protocol and is not backwards compatible with OAuth 1.x. The major differences with respect to OAuth 1 are listed in this thread.

However, not everyone is as happy with the new standard. Eran Hammer-Lahav, the lead author and editor of OAuth specifications, resigned from the committee citing reasons in this blog post.

Homakov, who rose to fame with his exploit on Github, has not so nice things to say about OAuth 2.

So yes, OAuth 2 has officially replaced OAuth 1.x, but there are conflicting opinions on the net on whether one should use OAuth2 or stick with OAuth 1.0a.

Answer 2

Yes )

The most of companies use 2.0 - for example google:

Important: OAuth 1.0 has been officially deprecated as of April 20, 2012. It will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 as soon as possible.

but there are some using 1.0 or 1.0a as you can see wiki: OAuth in the chapter List of OAuth service providers

There is also an official information that 1.0 is deprecated RFC 6749: The OAuth 2.0 Authorization Framework

.. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.

And RFC 5849 is The OAuth 1.0 Protocol