When OAuth 1.0A works fine, then why OAuth 2.0?

Tags:

oauth

Lately I have been reading a lot regarding the OAuth (Open Authorization) protocol. I have come to understand the following points:

OAuth 1.0A: It uses digital signatures (mitigates phishing) and recommends the use of TLS/SSL (mitigates the man-in-the-middle attack), and practically all those service providers using OAuth 1.0A are using TLS/SSL. Due to the implementation of digital signatures and TLS/SSL, OAuth 1.0A is more secure, forgiving the hard times of getting the digital signature correct. Yet many have implemented OAuth 1.0A - the paradox.

OAuth 2.0: This is relatively new, but entirely incompatible with the earlier one (i.e. OAuth 1.0(A)). It does not use digital signatures, due to the hard times faced in getting them 100% correct; instead it uses SSL/TLS and bearer tokens (i.e. the holder of the token can do anything). The best thing about OAuth 2.0 is that it has differentiated the different grant flows, which in OAuth 1.0 are all merged together. And non-interoperability is yet another issue with OAuth 2.0 (I guess it will lead to more division, just my guess).

In many ways I find OAuth 1.0A is better than OAuth 2.0, from what I have learnt so far. Now can anyone shed some light on this: why is OAuth 2.0 encouraged when OAuth 1.0A is better (better in the sense that it is more secure)?

Thanks.

SIGNO asked Nov 03 '22 22:11

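To make the difference the question describes concrete, here is an added example (not part of the original post) of what "getting the digital signature correct" means in OAuth 1.0A. It builds the RFC 5849 signature base string from the RFC's own worked request (its example consumer key, token and secrets, which are not live credentials), signs it with HMAC-SHA1, and verifies it the way a server would. It then puts an OAuth 2.0 bearer check beside it: the bearer token value is constructed for the example, and the point it shows is that a bearer token is not bound to the request it travels with, while an OAuth 1.0A signature is.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849) next to a bearer-token check."""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Values from the RFC 5849 section 3.4.1 worked example (not live credentials).
CONSUMER_KEY = "9djdj82h48djs9d2"
CONSUMER_SECRET = "j49sk3j29djd"
TOKEN = "kkk9d7dh3k39sjv7"
TOKEN_SECRET = "dh893hdasih9"

# Decoded request parameters from the RFC example: query string, form body and the
# oauth_* protocol parameters. oauth_signature itself is never part of the signed set.
RFC_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string
    ("c2", ""), ("a3", "2 q"),                                  # form body
    ("oauth_consumer_key", CONSUMER_KEY),
    ("oauth_token", TOKEN),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay literal,
    everything else becomes %XX with uppercase hex. Getting this wrong is the classic
    cause of signature mismatches between client and server."""
    return quote(value, safe="-._~")


def normalize_params(params) -> str:
    """Encode every name and value, sort by encoded name then encoded value, join with '&'."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, base_url: str, params) -> str:
    """METHOD & encode(base URL) & encode(normalized parameters)."""
    return "&".join([
        method.upper(),
        percent_encode(base_url),
        percent_encode(normalize_params(params)),
    ])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret) -> str:
    """Key is encode(consumer secret) & encode(token secret); output is base64 of the MAC."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_oauth1(method, base_url, params, presented_signature,
                  consumer_secret, token_secret) -> bool:
    """Server side: recompute over the received request and compare in constant time."""
    expected = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


def verify_bearer(presented_token: str, issued_token: str) -> bool:
    """OAuth 2.0 bearer check: possession of the token string is the whole proof,
    which is why the transport (TLS) has to carry the confidentiality guarantee."""
    return hmac.compare_digest(presented_token, issued_token)


def demo():
    url = "http://example.com/request"
    sig = hmac_sha1_signature("POST", url, RFC_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    # A server recomputing over the same parameters accepts the signature ...
    ok = verify_oauth1("POST", url, RFC_PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)
    # ... but one changed form field invalidates it, because the body is in the base string.
    tampered = [("a3", "2 q changed") if kv == ("a3", "2 q") else kv for kv in RFC_PARAMS]
    tampered_ok = verify_oauth1("POST", url, tampered, sig, CONSUMER_SECRET, TOKEN_SECRET)
    # A bearer token is not bound to the request, so the same header validates any body
    # it is attached to (constructed token value for the example).
    bearer = "constructed-example-bearer-token"
    return ok, tampered_ok, verify_bearer(bearer, bearer)


if __name__ == "__main__":
    print(signature_base_string("POST", "http://example.com/request", RFC_PARAMS))
    print(demo())
```

The base string produced for `RFC_PARAMS` is the one printed in RFC 5849 section 3.4.1.1; a single divergence in encoding or sort order anywhere in that pipeline yields a different MAC, which is the implementation burden the question alludes to. A real server would additionally reject reused `oauth_nonce`/`oauth_timestamp` pairs, which this example leaves out.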


1 Answer

There's a funny thing about your last statement: "better in the sense that it is more secure".

That was exactly the OAuth problem. They made it so complex and secure that many people/apps just can't use it. OAuth 2.0 is not as secure, but it was made to be easily handled.

Francisco Afonso answered Jan 04 '23 15:01
