
Privacy/BestPractices/OAuth

428 bytes added, 00:43, 10 May 2011
== Differences between OAuth 1.0 and 2.0 ==
* OAuth 1.0 is optimized for using HMAC signatures both during token establishment and on every API call, while OAuth 2.0 is optimized for bearer tokens over SSL (essentially, passwords sent over an encrypted channel). OAuth 1.0 is technically capable of bearer tokens, but nobody uses them because it would require sending the master secret in every call. RSA signatures can be used in OAuth 1.0 instead of HMAC, but few providers support them, and the option has gone away in OAuth 2.0. HMAC signatures of API calls are supported in OAuth 2.0 with a simplified canonicalization algorithm, but do not appear to be in use by providers at this point.
 
* OAuth 1.0 encourages the use of long-lasting user tokens, while OAuth 2.0 encourages the use of short-term user tokens with a built-in refresh mechanism. The refresh mechanism in OAuth 2.0 requires the consumer's master secret. This refresh design is most useful when user tokens are built to be self-verifiable (e.g. containing their own signature), so that large-scale OAuth deployments can scale horizontally more easily.
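As an added illustration of the second point (example code, not part of the original wiki page), the following Python sketch mints a short-lived, self-verifiable access token whose HMAC signature lets any resource server holding the issuer key check it with no token store, and a refresh step that only succeeds when the consumer presents its master secret. The key names, claim names and secret values are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed demo secrets; a real issuer keeps these in a KMS/HSM.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"
CLIENT_SECRETS = {"app-1": b"constructed-client-secret"}  # consumer master secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(typ: str, user: str, client_id: str, ttl: int, now: int) -> str:
    """Issue a self-verifiable token 'payload.signature' (typ is 'access' or 'refresh')."""
    payload = json.dumps({"typ": typ, "sub": user, "aud": client_id,
                          "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify(token: str, typ: str, now: int):
    """Return the claims if the token is authentic, of the expected type and
    unexpired, else None. No database lookup: every resource server that holds
    ISSUER_KEY can check the token locally, which is what lets the deployment
    scale horizontally."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:            # malformed token (bad shape or bad base64)
        return None
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["typ"] != typ or claims["exp"] <= now:
        return None
    return claims

def refresh(refresh_token: str, client_id: str, client_secret: bytes, now: int,
            access_ttl: int = 600):
    """OAuth 2.0-style refresh: a new short-lived access token is issued only to
    the consumer that presents its master secret together with a valid refresh
    token bound to the same client."""
    registered = CLIENT_SECRETS.get(client_id)
    if registered is None or not hmac.compare_digest(registered, client_secret):
        return None
    claims = verify(refresh_token, "refresh", now)
    if claims is None or claims["aud"] != client_id:
        return None
    return mint("access", claims["sub"], client_id, access_ttl, now)
```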
== Designs of OAuth Consumers ==