OAuth 1.0 Vs OAuth 2.0

OAuth (Open Authorization) is a protocol used for access delegation, where resource owners grant third-party applications to access their resources without sharing their user credentials. This blog will explore on OAuth protocol with a real world scenario and let’s try to understand the differences between OAuth 1.0 and OAuth 2.0.

Assume that there is an application called ‘MyGallery’ that stores the photos of Anne. ‘BeautyQueen’ is an photo edit application and that needs to collaborate with MyGallery to edit the photos of Anne. In this case, how BeautyQueen app can access photos in MyGallery? Even though BeautyQueen app can get credentials from Anne and access the photos, how much Anne can trust the BeautyQueen app? Is there a better way to do this without sharing her credentials? This is where OAuth comes into play.

Let’s look at how OAuth 1.0 and OAuth 2.0 handle this scenario.

OAuth 1.0

Following steps describe how OAuth 1.0 acts in this scenario.

1. Anne wants to edit photos stored in MyGallery using BeautyQueen app. Therefore, BeautyQueen app sends a request to access photos on MyGallery.
2. MyGallery validates the BeautyQueen app’s request and sends it a temporary request token.
3. BeautyQueen app redirects Anne to MyGallery for login or provides the preformatted URL to log in.
4. Upon Anne’s successful authentication to MyGallery server with her credentials, she is asked for approval to grant permission to the BeautyQueen app to access her resources. When Anne finishes granting authorization, BeautyQueen app is informed.
5. BeautyQueen app requests MyGallery for an access token using its approved temporary request token.
6. MyGallery validates the request and sends an access token.
7. BeautyQueen app can now access Anne’s photos from the MyGallery server with the access token without knowing Anne’s credentials.

Following is the abstract view of the OAuth 1.0 protocol flow described above.

Since now it’s clear on how OAuth 1.0 handles this scenario, let’s see how OAuth 2.0 handles this.

OAuth 2.0

Following are the steps performed in the above scenario with OAuth 2.0.

1. Anne wants to edit photos stored in MyGallery using BeautyQueen app. Therefore, BeautyQueen app needs to access photos on MyGallery.
2. BeautyQueen app requests access to MyGallery from the authorization server.
3. Anne authenticates to authorization server with her credentials and returns authorization grant to BeautyQueen app to access MyGallery.
4. BeautyQueen app requests for an access token using the authorization grant.
5. Authorization server validates the request and sends an access token (optionally a refresh token) to BeautyQueen app.
6. BeautyQueen app can now access Anne’s photos from the MyGallery server with the access token without knowing Anne’s credentials.

Following diagram illustrates an abstract view of the OAuth 2.0 protocol flow described above.

Since now you are aware of how these two protocols handle an access delegation scenario, let’s now differentiate those two.

Differences between OAuth 1.0 and OAuth 2.0

OAuth 2.0 is a complete rewrite of OAuth 1.0 and it’s not backward compatible with OAuth 1.0. During the time when many organizations are using OAuth 1.0 APIs, it was identified several areas that are challenging to implement and need improvements. Addressing those challenges, OAuth 2.0 came into the picture. Following are the major improvements that has happened.

• Better support for non-browser applications

OAuth 1.0 has been designed focusing on the interactions of inbound and outbound messages in web client applications. Therefore, it is inefficient for non-browser clients. OAuth 2.0 has addressed this issue by introducing more authorization flows for different client needs that do not use web UIs.

• Reduced complexity in signing requests

OAuth 1.0 needs to generate a signature on every API call to the server resource and that should be matched with the signature generated at the receiving endpoint in order to have access for the client. OAuth 2.0 do not need to generate signatures. It uses TLS/SSL (HTTPS) for communication.

• The separation of roles

Handling resource requests and handling user authorization can be decoupled in OAuth 2.0. It has clearly defined the roles involved in communication which are client, resource owner, resource server, and authorization server.

• The short-lived access token and the refresh token

In OAuth 1.0, access tokens can be stored for a year or more. But in OAuth 2.0, access tokens can contain an expiration time, which improves the security and reduces the chances of illegal access. And it offers a refresh token which can be used to get a new access token at the access token expiration without reauthorizing.

So which one should you pick?

OAuth 1.0 or OAuth 2.0?

According to the facts mentioned above, OAuth 2.0 seems to be superior than OAuth 1.0. It is recommended to use OAuth 2.0 if you are making a new application today. It is easy and efficient to implement due to not having complicated cryptographic requirements. And this is beneficial due to the non-browser application support. Furthermore, there is no need to encrypt the tokens at the endpoints since they are encrypted in transit.

Hope you were able to understand and differentiate the two OAuth protocols. If you want to know more details, you can refer the OAuth specifications referenced below. Happy reading!

References

[1] RFC5849 — The OAuth 1.0 Protocol — https://datatracker.ietf.org/doc/html/rfc5849

[2] RFC6749 — The OAuth 2.0 Authorization Framework — https://datatracker.ietf.org/doc/html/rfc6749