Privacy/BestPractices/OAuth

2 bytes removed, 21:22, 6 May 2011
Differences between OAuth 1.0 and 2.0
* OAuth 1.0 credentials for API calls include the consumer's master secret in addition to the user-specific secret, while OAuth 2.0 credentials for API calls require only the user-specific secret.
* OAuth 1.0 was optimized for token establishment and API-call authentication by HMAC, while OAuth 2.0 is optimized for authentication by bearer tokens over SSL. Both are capable of bearer tokens, but OAuth 1.0's master-secret-in-every-call requirement makes that awkward. RSA signatures can be used in OAuth 1.0, but are not supported in 2.0. HMAC signatures of API calls are supported in OAuth 2.0 with a greatly simplified canonicalization algorithm, but do not appear to be in use by providers at this point.
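
The credential difference described in the bullets above, as an added example (not part of the original page or of any provider's code): OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849, next to an OAuth 2.0 bearer header. The URL, parameter values and both secrets are constructed sample values, and repeated parameter names are not handled.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def oauth1_base_string(method, url, params):
    # OAuth 1.0 canonicalization: encode, sort, join, then encode the result again.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def oauth1_sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key joins BOTH secrets, so every signer must hold the
    # consumer's master secret as well as the user-specific token secret.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    base = oauth1_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def oauth1_verify(method, url, params, signature, consumer_secret, token_secret):
    # Provider side: recompute the signature and compare in constant time.
    expected = oauth1_sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def oauth2_bearer_header(access_token):
    # OAuth 2.0 bearer call: the token alone is the credential, hence the need for SSL/TLS.
    return {"Authorization": f"Bearer {access_token}"}

# Constructed sample values (not from any real provider).
URL = "https://api.example.test/photos"
PARAMS = {
    "file": "vacation.jpg",
    "oauth_consumer_key": "ck-constructed",
    "oauth_nonce": "n0nce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1304717000",
    "oauth_token": "tok-constructed",
}
CONSUMER_SECRET, TOKEN_SECRET = "master-secret", "user-secret"

if __name__ == "__main__":
    full = oauth1_sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    partial = oauth1_sign("GET", URL, PARAMS, "", TOKEN_SECRET)  # no master secret
    for label, sig in (("both secrets", full), ("token secret only", partial)):
        print(label, oauth1_verify("GET", URL, PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET))
    print(oauth2_bearer_header("tok-constructed"))
```

A signer that holds only the user-specific secret fails verification under OAuth 1.0, while the OAuth 2.0 header is built from the token alone.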
== Designs of OAuth Consumers ==