
Am I right in thinking OAuth 1.0 has been deprecated in favour of OAuth 2.0?

I was looking for some information on the Internet about that and ended up on the RFC for The OAuth 1.0 Protocol: https://www.rfc-editor.org/rfc/rfc5849

You can read "Obsoleted by: 6749" at the top of it and if you follow that link, you end up on The OAuth 2.0 Authorization Framework RFC.

Based on that, can I safely infer that OAuth 1.0 has been deprecated in favour of OAuth 2.0?

Thanks.

Dan asked Jul 16 '13 14:07



2 Answers

Yes and No.

IETF has published a new version of OAuth 2 obsoleting OAuth 1.x and it strongly recommends the new Auth providers switch to OAuth2.

There is a revision to OAuth 1.0a which fixes many of the security flaws found in 1.0 and is widely considered to be the most secure OAuth version yet.

OAuth2 is a completely new protocol and is not backwards compatible with OAuth 1.x. The major differences with respect to OAuth 1 are listed in this thread.

However, not everyone is as happy with the new standard. Eran Hammer-Lahav, the lead author and editor of OAuth specifications, resigned from the committee citing reasons in this blog post.

Homakov, who rose to fame with his exploit on GitHub, has not-so-nice things to say about OAuth 2.

So yes, OAuth 2 has officially replaced OAuth 1.x, but there are conflicting opinions on the net on whether one should use OAuth2 or stick with OAuth 1.0a.

anfab answered Sep 30 '22 05:09


Yes )

Most companies use 2.0, for example Google:

Important: OAuth 1.0 has been officially deprecated as of April 20, 2012. It will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 as soon as possible.

but there are some using 1.0 or 1.0a, as you can see on the wiki: OAuth, in the chapter List of OAuth service providers

There is also official information that 1.0 is deprecated, in RFC 6749: The OAuth 2.0 Authorization Framework

.. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.

And RFC 5849 is The OAuth 1.0 Protocol

MikroDel answered Sep 30 '22 07:09