OAuth 1.1 vs. OAuth 2.0

Posted on 2014-08-18
Last Modified: 2014-08-19
From my reading I believe that the following is the case:

OAuth 1.1: Simple, not very secure, and popular in the mobile community

OAuth 2.0: More complex, more secure, not particularly popular


Which one is more popular, and which one has more uses in general?

Which one has more mobile users?

Question by: Anthony Lucia

    Accepted Solution

    Au contraire.


    Also, you mean OAuth 2.0 vs. 1.0a; there is no version 1.1 AFAIK. I have implemented the client-side OAuth 1.0a and 2.0 logic and haven't looked at how the protocol(s) evolved since 2010. But as far as I see there is not much news.

    Most important, perhaps: as a client software developer you don't decide which OAuth version to use, as that depends on which OAuth version is implemented by the service you want to use via OAuth authentication. Very few services allow you to choose between both versions. Google offers both (or did back in 2010).

    The weak point of the OAuth 2.0 protocol is the secure storage of long-lived refresh tokens by clients. With them, access tokens can be requested without repeatedly going through the authentication process, and they are not bound to a certain client with its own client secret and API key, so any other client software that gets at a refresh token can use it. That's a consequence of dropping the more complex signing of requests that OAuth 1.0a asks of clients.

    In my opinion the signing process defined in OAuth 1.0a makes it more secure than the SSL encryption that secures tokens sent in OAuth 2.0 requests. Every OAuth 1.0a request must be signed, and the signature ensures not only that the client knows the needed access token, but also that it is the client making the request.

    No matter which OAuth version you use, when starting the authorization process the user is asked to sign in, and there is a weak point at that moment: a client may redirect the user to a phishing site asking for the "normal" user/password credentials of a service (be it Twitter, Facebook or whatever other login). So malicious clients may not try to authenticate with a service at all, but instead direct the user to a phishing site asking for their credentials, which is even more valuable than getting an access token.

    The protocol should fail at that point if the user doesn't already have an active session, because that assures the user previously logged in with the original login. That would be my suggestion to make the authentication process more secure.

    In short: you normally don't have the choice of which OAuth version to use. Don't reinvent the wheel; use an existing OAuth library. I'm not a Java developer, but others may point you to an OAuth library you can use for your software.

    Bye, Olaf.
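To make the point about request signing concrete, here is an added example (my own code, not Olaf's and not from any library) that builds the RFC 5849 / OAuth Core 1.0 HMAC-SHA1 signature base string, signs a request, and verifies it server-side. It uses the published worked example from OAuth Core 1.0 Appendix A as a test vector; the credentials in it are spec sample values, not real ones.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, parse_qsl

# Percent-encoding as OAuth 1.0a requires: only RFC 3986 unreserved characters
# are left alone; everything else, including space, becomes %XX.
def pct(s):
    return quote(str(s), safe="-._~")

def base_string(method, url, oauth_params, body_params=None):
    """Signature base string: METHOD & base URL & normalized parameters."""
    parts = urlsplit(url)
    # The base URL keeps scheme, host and path only; the query is folded into
    # the parameter list and signed there.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list((body_params or {}).items())
    # Encode each key and value first, then sort by key, then by value.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_sign(base, consumer_secret, token_secret):
    # The key is BOTH secrets, so a captured oauth_token alone cannot
    # produce a valid signature; that is the binding Olaf describes.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, consumer_key, consumer_secret, token,
                 token_secret, timestamp=None, nonce=None):
    """Client side: build the oauth_* parameters, including the signature."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_sign(base, consumer_secret, token_secret)
    return params

def verify_request(method, url, params, consumer_secret, token_secret):
    """Server side: recompute from the secrets on file and compare in constant time."""
    expected = hmac_sha1_sign(base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

A real server must also reject replayed nonces and stale timestamps; this block shows only the signature binding itself.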

    Assisted Solution

    Although I can't comment on the popularity of "non-OAuth 2.0", the security standard is moving towards OAuth 2.0, if it isn't there already, for many of the big online brands like Facebook, Google, Twitter and Microsoft.

    For example, Google wrote in a blog post in April that they will start enforcing extra security measures for non-OAuth 2.0 applications: "The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV."

    Some other helpful links:

    - OWASP Authentication Cheat Sheet
    - Making auth easier: OAuth 2.0 for Google APIs
