When OAuth 1.0A works fine, then why OAuth 2.0?

Recently I have read many articles about the OAuth protocol (Open Authorization). I understood the following points:

OAuth 1.0A: It uses a digital signature (mitigates phishing) and recommends using TLS/SSL (reduces the risk of man-in-the-middle attacks), and almost all service providers using OAuth 1.0A use TLS/SSL. Thanks to the digital signature and TLS/SSL, OAuth 1.0A is more secure, if one forgives the tough time of getting the digital signature right. However, many of them have implemented OAuth 1.0A, a paradox.

OAuth 2.0: This is relatively new, but completely incompatible with the previous one (i.e. OAuth 1.0(A)). It does not use a digital signature, because of the difficulty of getting it 100% correct; instead it uses SSL/TLS and tokens (e.g., the token holder can do something). The best thing about OAuth 2.0 is that it differentiated the various grant flows that are combined together in OAuth 1.0. And incompatibility is another problem with OAuth 2.0 (I think this will lead to more separation... just my guess).

In many ways, I think OAuth 1.0A is better than OAuth 2.0 from what I have learned so far. Could you shed some light on this: why is OAuth 2.0 recommended when OAuth 1.0A is better (better in the sense that it is more secure)?

Thanks.

+4
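As an added example (not from the question or the answer above), this shows the OAuth 1.0A HMAC-SHA1 signing step the question calls hard to get right, with the server-side check beside an OAuth 2.0 bearer-token check for contrast. The consumer key, secrets, URL and parameters are constructed values; the signing rules follow RFC 5849 section 3.4.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    # Using plain urllib quoting (which keeps '/') here is a classic source of mismatches.
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded(base URL) & encoded(normalized params).
    # Parameters are encoded first, then sorted by name and value, then joined with '&'.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    # RFC 5849 section 3.4.2: key = encoded(consumer secret) '&' encoded(token secret).
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signed_request(method, base_url, params, consumer_secret, token_secret=""):
    # Server side: rebuild the exact same base string (minus oauth_signature) and
    # compare in constant time. Any encoding or ordering difference fails the request.
    presented = params.get("oauth_signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def verify_bearer(authorization_header, valid_tokens):
    # OAuth 2.0 bearer check: possession of the (ASCII) token string is the whole proof,
    # which is why the token must only ever travel inside TLS.
    scheme, _, token = authorization_header.partition(" ")
    return scheme == "Bearer" and any(hmac.compare_digest(token, t) for t in valid_tokens)


if __name__ == "__main__":
    # Constructed request: a consumer signs a GET with a space in a query value.
    url = "http://example.com/r"
    params = {"oauth_consumer_key": "ck", "oauth_nonce": "n1", "oauth_version": "1.0",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1", "q": "a b"}
    signed = dict(params, oauth_signature=hmac_sha1_signature("GET", url, params, "cs", "ts"))
    print(verify_signed_request("GET", url, signed, "cs", "ts"))           # True
    print(verify_signed_request("GET", url, dict(signed, q="a c"), "cs", "ts"))  # False
```

The signed-request check only passes when both sides agree on every encoding and ordering detail; the bearer check has no such step, which is the trade-off the question is asking about.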
1 answer

There is a strange thing in your last statement. "Better in the sense that it is safer."

This was exactly the OAuth problem. They made it so complex and secure that many people/applications cannot use it. OAuth 2.0 is not so secure, but it is easy to handle.

+1
