* OAuth 1.0 was optimized for token establishment and per-call API authentication by HMAC signature, while OAuth 2.0 is optimized for authentication by bearer tokens over SSL. Both can carry bearer tokens, but OAuth 1.0's requirement to use the master secret in every call makes that awkward. RSA signatures can be used in OAuth 1.0 but are not supported in 2.0. HMAC signatures of API calls are supported in OAuth 2.0 with a greatly simplified canonicalization algorithm, but they do not appear to be in use by providers at this point.
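A worked illustration of the contrast in the bullet above, added here as an example and not code from the original page: an OAuth 1.0 HMAC-SHA1 signer and verifier following RFC 5849 beside the OAuth 2.0 bearer header. The signing key is the consumer secret and token secret joined together, which is why an OAuth 1.0 consumer must hold its master secret on every call; the request and secrets used in testing are the example values from RFC 5849 section 3.4.1.1.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params) -> str:
    """Build the signature base string from method, base URL and all request parameters.

    `params` is a list of (name, value) pairs from the body and the oauth_* header
    fields (never oauth_signature itself); query-string parameters are read from `url`.
    """
    parts = urlsplit(url)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params)
    # Encode first, then sort by encoded name and value (section 3.4.1.3.2).
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, url: str, params, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string. The key is BOTH long-term secrets joined by '&',
    which is why an OAuth 1.0 consumer needs its master secret for every single call."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method: str, url: str, params, consumer_secret: str, token_secret: str) -> bool:
    """Server side: recompute from the stored secrets and compare in constant time.
    (A real server also rejects reused oauth_nonce/oauth_timestamp values; omitted here.)"""
    presented = dict(params).get("oauth_signature", "")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


def bearer_header(access_token: str) -> str:
    """OAuth 2.0 (RFC 6750): no per-call cryptography. The token is the whole credential
    and is not bound to the request it travels in, so TLS has to protect it in transit."""
    return f"Bearer {access_token}"
```

Because the HMAC covers method, base URL and every parameter, changing any of them (or signing with the wrong token secret) fails verification, whereas a bearer header is accepted unchanged on any request.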
== Potential Designs of OAuth Consumers ==

=== Web-based ===

=== Device-based ===

=== Hybrid ===

== Risks and Mitigations ==