What is best for auth ASP.NET MVC REST API? OAuth 2.0 or OAuth 1.0?

Question

We are building a REST API using ASP.NET MVC. This API is similar in principle and usage to the Factual v3 API. They use 2-legged Oauth 1 for their API. Our design is very similar in that applications, primarily mobile will use our API behind the scenes to provide a service. The end user of the application will not know about our API, and will therefore not have any credentials. So redirecting the user via a browser window to an auth form (like facebook) does not make any sense. My questions are..

• Why OAuth2 flow is the best to use in this scenario?
• Should we even use Oauth2 or just stick with 2-legged OAuth 1?

For reference we are using C#/.NET, ASP.NET MVC 3 and plan on using DotNetOpenAuth v4.

http://developer.factual.com/display/docs/Factual+Developer+APIs+Version+3

Answer 1

Why OAuth2 flow is the best to use in this scenario?

It isn't, necessarily. OAuth 2 is an unfinalized spec. If you need maximum interoperability, OAuth 1.0 is the better choice (for now). OAuth 2 is simpler for the client, at the expense of significantly added complexity on the server.

Should we even use OAuth2 or just stick with 2-legged OAuth 1?

Use the pros and cons listed above to choose. And also that if you're using DotNetOpenAuth, OAuth 1.0 support has been around for years whereas OAuth 2.0 support isn't fully baked yet so you'd probably hit some road bumps.