Could someone enumerate the main differences between OAuth 2.0 and previous versions? Or point me to good documentation. (Not the full OAuth 2.0 Protocol draft; I don't have time to read it.)
The main difference between 1.0 and 2.0 is scale. Everything else is much less significant. 2.0 was designed from the ground up for Google/Facebook/Multinational-telecom scale by optimizing each step and each credential.
In OAuth 1.0, every request requires two secrets and a complex request normalization to produce the signature. It has a broken nonce/timestamp logic that no one implements properly (the best-kept secret in the industry is that Twitter is probably the only provider checking nonce values with a 15-minute clock skew for timestamps).
OAuth 2.0 is being much more honest about desktop and mobile clients, registration requirements, and the protocol's limitations. The specification is a bit more complex due to the much bigger list of requirements and the new abstraction layer called authorization grants.
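As an added example (not from the answer above and not any library's code), here is the OAuth 1.0 HMAC-SHA1 signing the answer refers to, with the two secrets and the RFC 5849 base-string normalization, plus a server-side nonce/timestamp replay check using the 15-minute skew window it mentions. The `NonceStore` class with its in-memory dict and the injectable `now` clock are my own simplification for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote


def _pct(s):
    # RFC 5849 3.6 percent-encoding: only unreserved characters are left as-is.
    return quote(str(s), safe="~")


def signature_base_string(method, url, params):
    # RFC 5849 3.4.1: encode each key/value, sort, join with "&", then
    # concatenate METHOD & enc(base URL) & enc(normalized parameter string).
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(param_str)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Both secrets go into the key; the token secret is empty before a token exists.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_secret, token_secret=""):
    signed = dict(params)
    base = signature_base_string(method, url, params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


class NonceStore:
    """Server-side replay defence (hypothetical helper): reject timestamps outside
    the skew window and any (consumer, nonce, timestamp) triple already seen."""

    def __init__(self, skew=900, now=time.time):  # 900 s = the 15-minute window
        self.skew, self.now, self.seen = skew, now, {}

    def accept(self, consumer_key, nonce, timestamp):
        ts, now = int(timestamp), self.now()
        if abs(now - ts) > self.skew:
            return False
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}
        key = (consumer_key, nonce, ts)
        if key in self.seen:
            return False
        self.seen[key] = ts
        return True


def verify_request(method, url, params, consumer_secret, token_secret, store):
    params = dict(params)
    provided = params.pop("oauth_signature", None)
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    if provided is None or not hmac.compare_digest(provided, expected):
        return False
    return store.accept(params["oauth_consumer_key"], params["oauth_nonce"],
                        params["oauth_timestamp"])
```

Note that a client-side timestamp skew or an unchecked nonce cache is exactly where verifiers go wrong: a valid signature alone says nothing about replay.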