OAuth 2.0 vs OAuth 1.0
OAuth 1.0, finalized in 2010, and OAuth 2.0, finalized in 2012, solve the same core problem — letting a third-party app act on a user's behalf without handing over a password — but they take almost opposite approaches to security and usability. OAuth 1.0 baked cryptographic request signing into the protocol itself, while OAuth 2.0 dropped signing in favor of relying on TLS for transport security and layering flexibility on top through separate grant types. That trade-off made OAuth 2.0 dramatically easier to implement and extend, which is why virtually every modern API — Google, GitHub, Slack, Stripe — uses OAuth 2.0 today, but it also pushed more security responsibility onto implementers, which is precisely what later hardening work like PKCE and RFC 9700 exists to address.
Cricket analogy: It's like comparing old-school Test cricket, where every delivery is bowled under strict, unchanging laws with no shot clock, to T20, which stripped down the format for speed and flexibility but demanded new rules like powerplays to keep it fair.
Request Signing vs Bearer Tokens Over TLS
OAuth 1.0 required every API request to be individually signed using HMAC-SHA1 (or RSA-SHA1) over a canonicalized string built from the HTTP method, URL, and parameters, combined with the consumer secret and token secret. This meant a request could be verified as authentic and untampered even if intercepted, because the attacker would need the secret to forge a valid signature — but it also made client libraries notoriously fiddly to write correctly, since a single misordered parameter broke the signature. OAuth 2.0 replaced signing with plain bearer tokens sent in an Authorization header and relies entirely on TLS to protect them in transit; this is simpler to implement but means anyone who obtains the token, by any means, can use it exactly as the legitimate client would.
Cricket analogy: OAuth 1.0's signing is like a bowler needing a precise, umpire-verified run-up and delivery stride every single ball to be declared legal, while OAuth 2.0's bearer model is like a T10 format that trusts the broadcast feed to catch any no-ball instead of per-ball scrutiny.
# OAuth 1.0 signed request (conceptual) — every request carries a signature
GET /orders HTTP/1.1
Host: api.example.com
Authorization: OAuth oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_token="nnch734d00sl2jdk",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1191242096",
oauth_nonce="kllo9940pd9333jh",
oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
# OAuth 2.0 bearer request — no per-request signing, just a token over TLS
GET /orders HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...Grant Types, Extensibility, and Native App Support
OAuth 1.0 offered essentially one flow: a three-legged process of obtaining a request token, redirecting the user to authorize it, and exchanging it for an access token, with no standardized way to express different trust levels or client types. OAuth 2.0 introduced a family of grant types — authorization code, client credentials, device code, and (now discouraged) implicit and password grants — designed for different scenarios: web apps, machine-to-machine services, smart TVs, and legacy migrations respectively. This extensibility is also why OAuth 2.0 needed extensions like PKCE (RFC 7636) and Device Authorization Grant (RFC 8628) bolted on afterward: the base spec deliberately left room for the ecosystem to add flows OAuth 1.0's single rigid handshake never anticipated, such as authorizing a smart TV or CLI tool that has no browser at all.
Cricket analogy: OAuth 1.0's single flow is like the game having only one format, Test cricket, forever, while OAuth 2.0's grant types are like the sport later adding ODIs, T20s, and even The Hundred to fit different audiences and time constraints.
OAuth 1.0's mandatory request signing did eliminate certain man-in-the-middle risks even over plain HTTP, which is why some legacy financial and telecom APIs still use it today, but the industry consensus is that OAuth 2.0 with mandatory TLS, PKCE, and sender-constrained tokens now matches or exceeds that protection without the implementation complexity.
- OAuth 1.0 required cryptographic request signing (HMAC-SHA1/RSA-SHA1); OAuth 2.0 uses bearer tokens secured by TLS instead.
- OAuth 1.0 offered one rigid three-legged flow; OAuth 2.0 defines multiple grant types for different client scenarios.
- OAuth 2.0's simpler bearer-token model made client libraries far easier to write correctly than OAuth 1.0's signature-base-string logic.
- Because OAuth 2.0 dropped signing, TLS is not optional — a plaintext OAuth 2.0 request exposes the token entirely.
- OAuth 2.0's extensibility enabled later additions like PKCE and the Device Authorization Grant that OAuth 1.0 could not accommodate.
- OAuth 1.0 is largely legacy today; virtually all major API providers standardized on OAuth 2.0.
- The security trade-offs of OAuth 2.0's flexibility are why hardening specs like RFC 9700 exist.
Practice what you learned
1. What mechanism did OAuth 1.0 use to protect API requests that OAuth 2.0 dropped?
2. What does OAuth 2.0 rely on to protect bearer tokens in transit, given it dropped request signing?
3. Which of these did OAuth 1.0 lack that OAuth 2.0 introduced?
4. Why did the industry largely migrate from OAuth 1.0 to OAuth 2.0?
Was this page helpful?
You May Also Like
OAuth Best Practices
The concrete, RFC 9700-aligned security practices every OAuth 2.0 implementation should follow, from PKCE to token storage.
OAuth Quick Reference
A condensed lookup of OAuth 2.0 grant types, standard endpoints, token parameters, and common error codes for day-to-day implementation work.
OAuth Interview Questions
The OAuth 2.0 concepts and edge-case questions that come up most often in backend, security, and full-stack interviews.
Related Reading
Related Study Notes in Programming
Browse all study notesApache Spark Study Notes
Programming · 30 topics
ProgrammingApache Flink Study Notes
Programming · 30 topics
ProgrammingHadoop Study Notes
Programming · 30 topics
ProgrammingSnowflake Study Notes
Programming · 30 topics
ProgrammingApache Airflow Study Notes
Programming · 30 topics
Programmingdbt (Data Build Tool) Study Notes
Programming · 30 topics