I am going to start writing an API for my open source project. Should I go with OAuth 2 for authentication or OAuth 1?
My main concern with OAuth 1 is than I don't want to invest time in writing API based on it if OAuth 1 going to be outdated soon.
My question is - will OAuth 1 become outdated soon? Also, I think from the point of end-user of the API, OAuth 2 seems to be easier to implement.
Should I just write OAuth2 API and forget about OAuth 1 or are there good reas开发者_JS百科ons to use OAuth 1 for now?
Use OAuth 2.0. It is stable and ready for implementation. There is no reason anyone should be deploying OAuth 1.0 at this point. 2.0 is simpler, more secure, and more robust.
As for 1.0, the protocol is published and anyone can use it as long as they want. It is an information RFC and will remain that way. However, once 2.0 is published, 1.0 will be marked as obsolete. None of this IETF bureaucracy should make any difference to you.
OAuth 2 is in draft stage (current writing, draft 16), but OAuth 1 has already is already in RFC (RFC 5849).
OAuth 2 authorization flow is easier than OAuth 1 but what you might encounter is that you have to choose a draft you want to implement and stick with it. When an RFC for OAuth 2 will be released, you will have to conform to it.
Addon: If OAuth 1 will be obsolete, the RFC will be obsoleted. The IETF will put the RFC into Status "historic". Chances are, they might make OAuth 2 an RFC and historicalize OAuth 1 RFC. Until that happens, OAuth 1 is valid to this day.
I hope this little info can help you.
You should think about your users (developers) and choose an appropriate API based on that. Are they likely to have experience or a preference? If not I'd tend to go for OAuth2. You might also want to make the decision based on the type of organization you are dealing with. I've dealt with people who have a preference for older protocols because they feel they are more mature and secure. This is not always rational but sometimes it is worth considering.
There is some information on design decisions (why a new version?) driving Oauth2 available.
I am worried about the future of OAuth, seriously. Since Eran Hammer, one of the founder of the OAuth left the group and later David Recordon followed him.
They are concerned about the security and vulnerability of OAuth 2.0. This is how Hammer described OAuth2.0
more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.
May be its time to look at SAML for the OAuth users.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论