OAuth1 OAuth2 OAuth

TL;DR: OAuth2 sucks. Please don't think about OAuth2 as the next generation of OAuth1. They are completely different, like colors: OAuth1 is the green version, OAuth2 is the red version.

The biggest OAuth1 provider is Twitter. I bet ($100!) they are not switching to OAuth2 in the near future.

Pros and cons of switching:
+ becoming compatible with the rest of the social networks
- making the authorization flow insecure, like the rest of the social networks

I am not saying OAuth1 is super secure: it was vulnerable to session fixation a few years ago. If you got a user to approve an oauth_token that had been issued for your own flow, you could then use that same oauth_token again and sign in to his account on the Client website. It was fixed in OAuth 1.0a. Wait, read that again: it was fixed. None of the OAuth2 vulnerabilities I pointed out in my previous posts a year ago were addressed in the spec.

OAuth1 is a straight, concise, explicit and secure protocol. OAuth2 is the road to hell. Here we go!

OAuth2 core vulnerabilities -...
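To make the OAuth 1.0a fix mentioned above concrete, here is an added example (not code from the original post or from any real provider) modelling both halves of it: the Client binds the request token it obtained to the browser session that started the flow, and the Provider hands back an oauth_verifier at approval time that must be presented when exchanging for an access token. The class names, the in-memory stores and the tokens are all constructed for this illustration.

```python
import hmac
import secrets


class Provider:
    """Constructed stand-in for the OAuth 1.0a service provider side."""

    def __init__(self):
        self.verifiers = {}  # request token -> verifier issued at approval time

    def request_token(self):
        return secrets.token_hex(8)

    def approve(self, request_token):
        # The resource owner approves the token; 1.0a sends a fresh verifier
        # back through the approving user's browser, so only that user has it.
        verifier = secrets.token_hex(8)
        self.verifiers[request_token] = verifier
        return verifier

    def access_token(self, request_token, verifier):
        # Single use: the verifier is consumed whether or not it matches.
        expected = self.verifiers.pop(request_token, None)
        if expected is None or not hmac.compare_digest(expected, verifier or ""):
            return None
        return "access-" + secrets.token_hex(8)


class Client:
    """Constructed stand-in for the consumer website ('Client' in the post)."""

    def __init__(self, provider):
        self.provider = provider
        self.pending = {}  # browser session id -> request token it started

    def start(self, session_id):
        token = self.provider.request_token()
        self.pending[session_id] = token
        return token  # the browser is redirected to the provider with it

    def callback(self, session_id, oauth_token, oauth_verifier):
        # Check 1: the returned token must be the one THIS session started.
        # This rejects a token that was obtained and approved in someone
        # else's browser, i.e. the session-fixation scenario in the post.
        expected = self.pending.get(session_id)
        if expected is None or not hmac.compare_digest(expected, oauth_token or ""):
            return None
        del self.pending[session_id]
        # Check 2: the 1.0a verifier must match what the provider issued.
        return self.provider.access_token(oauth_token, oauth_verifier)
```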