oauth tutorial - OAuth 1.0 vs OAuth 2.0 - oauth2 tutorial - oauth authentication

OAuth 1.0

  • In 2006 there were no open standards for API access delegation. OAuth was designed to solve the application-to-application security problem. OAuth Core 1.0 was released in 2007.

Terms

  • User, Consumer, Service Provider, Protected Resource, Provider API

5 parameters to work with OAuth 1.0

  • Consumer key
  • Consumer secret
  • Request token URL
  • Authorize URL
  • Access token URL

OAuth 1.0 components

  • Token = Key + Secret
  • Message = Document + Digital Signature
  • Application = Consumer + Access to API

OAuth 1.0 Authentication Flow

[Figure: OAuth 1.0 Authentication Flow]

  • OAuth 1.0 = Fetch Request Token + Redirect to Authorization + Fetch Access Token + Call API, with every request carrying a signature calculated with the secret key
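The last step above, the per-request signature, is what lets OAuth 1.0 protect a request even when it is not carried over HTTPS. The following is an added example (not code from the original page) that builds the RFC 5849 signature base string, signs it with HMAC-SHA1 using the consumer secret and token secret, and shows the service-provider side verifying it; the URL, keys and secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6: everything except unreserved characters is encoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & base-URI & normalized-parameters. Query parameters are folded into
    the parameter set, the base URI keeps scheme/host/path, oauth_signature is excluded."""
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    # Sort by encoded name, then encoded value, and join as name=value pairs.
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_uri), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is consumer-secret & token-secret; the token secret is empty before a token exists."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(method: str, url: str, params: dict,
                     consumer_secret: str, token_secret: str = "") -> bool:
    """Service-provider side: recompute the signature and compare in constant time."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)


# Constructed sample request; the key, token and secrets are placeholders, not real credentials.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "example-nonce-0001",
    "oauth_version": "1.0",
}


def signed_sample() -> dict:
    """Consumer side: return the request parameters with oauth_signature filled in."""
    params = dict(SAMPLE_PARAMS)
    base = signature_base_string("GET", SAMPLE_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    return params
```

Because the timestamp and nonce are part of the signed base string, a replayed or altered request fails verification; the provider must still track nonces to reject exact replays.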

OAuth 2.0

  • OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. OAuth 2.0 is more a framework than it is a defined protocol. OAuth 2.0 is not backwards compatible with OAuth 1.0.

OAuth 1.0 vs OAuth 2.0

Problems of OAuth 1.0

  • Authentication and signatures on the client side
  • User experience and alternative token issuance options
  • Performance at scale

OAuth 2.0 changes:

  • OAuth 2.0 relies completely on SSL for some degree of confidentiality and server authentication.
  • Cryptography-free option for authentication, based on the existing cookie authentication architecture.
  • Simplified signatures
  • Separation of roles (SSO support)
  • Short-lived tokens with long-lived authorizations

OAuth 2.0 flows

  • Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
  • User-Agent Flow – for clients running inside a user-agent (browser).
  • Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
  • Username and Password Flow – used in cases where the user trusts the client to handle its credentials.
  • Client Credentials Flow (JWT) – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
  • Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.

OAuth2 Web Server Flow

[Figure: OAuth2 Web Server Flow]

SSO

  • A particular case of the Web Server Flow, in which the Client App and the Resource Server use the same Authorization Server

OAuth2 User Agent Flow

[Figure: OAuth2 User Agent Flow]

OAuth2 Resource Owner Password Credentials Flow

[Figure: OAuth2 Resource Owner Password Credentials Flow]

Is OAuth1 better than OAuth2?

  • No, they have different purposes: OAuth1 for server-to-server communication and OAuth2 for user/device-to-server

Is OAuth1 more secure than OAuth2?

  • Yes and no
  • OAuth 1.0 may be used without HTTPS
  • But OAuth2 is as secure as SSL

When to use OAuth1 & OAuth2?

  • OAuth 1.0 – server-to-server
  • OAuth 2.0 – browser/device/client-to-server
