100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Programming

OAuth 2.0 vs OAuth 1.0

A technical comparison of OAuth 1.0's signed-request model against OAuth 2.0's bearer-token, multi-grant-type design.

PracticeIntermediate8 min readJul 10, 2026
Analogies

OAuth 2.0 vs OAuth 1.0

OAuth 1.0, finalized in 2010, and OAuth 2.0, finalized in 2012, solve the same core problem — letting a third-party app act on a user's behalf without handing over a password — but they take almost opposite approaches to security and usability. OAuth 1.0 baked cryptographic request signing into the protocol itself, while OAuth 2.0 dropped signing in favor of relying on TLS for transport security and layering flexibility on top through separate grant types. That trade-off made OAuth 2.0 dramatically easier to implement and extend, which is why virtually every modern API — Google, GitHub, Slack, Stripe — uses OAuth 2.0 today, but it also pushed more security responsibility onto implementers, which is precisely what later hardening work like PKCE and RFC 9700 exists to address.

🏏

Cricket analogy: It's like comparing old-school Test cricket, where every delivery is bowled under strict, unchanging laws with no shot clock, to T20, which stripped down the format for speed and flexibility but demanded new rules like powerplays to keep it fair.

Request Signing vs Bearer Tokens Over TLS

OAuth 1.0 required every API request to be individually signed using HMAC-SHA1 (or RSA-SHA1) over a canonicalized string built from the HTTP method, URL, and parameters, combined with the consumer secret and token secret. This meant a request could be verified as authentic and untampered even if intercepted, because the attacker would need the secret to forge a valid signature — but it also made client libraries notoriously fiddly to write correctly, since a single misordered parameter broke the signature. OAuth 2.0 replaced signing with plain bearer tokens sent in an Authorization header and relies entirely on TLS to protect them in transit; this is simpler to implement but means anyone who obtains the token, by any means, can use it exactly as the legitimate client would.

🏏

Cricket analogy: OAuth 1.0's signing is like a bowler needing a precise, umpire-verified run-up and delivery stride every single ball to be declared legal, while OAuth 2.0's bearer model is like a T10 format that trusts the broadcast feed to catch any no-ball instead of per-ball scrutiny.

text
# OAuth 1.0 signed request (conceptual) — every request carries a signature
GET /orders HTTP/1.1
Host: api.example.com
Authorization: OAuth oauth_consumer_key="dpf43f3p2l4k3l03",
  oauth_token="nnch734d00sl2jdk",
  oauth_signature_method="HMAC-SHA1",
  oauth_timestamp="1191242096",
  oauth_nonce="kllo9940pd9333jh",
  oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"

# OAuth 2.0 bearer request — no per-request signing, just a token over TLS
GET /orders HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Grant Types, Extensibility, and Native App Support

OAuth 1.0 offered essentially one flow: a three-legged process of obtaining a request token, redirecting the user to authorize it, and exchanging it for an access token, with no standardized way to express different trust levels or client types. OAuth 2.0 introduced a family of grant types — authorization code, client credentials, device code, and (now discouraged) implicit and password grants — designed for different scenarios: web apps, machine-to-machine services, smart TVs, and legacy migrations respectively. This extensibility is also why OAuth 2.0 needed extensions like PKCE (RFC 7636) and Device Authorization Grant (RFC 8628) bolted on afterward: the base spec deliberately left room for the ecosystem to add flows OAuth 1.0's single rigid handshake never anticipated, such as authorizing a smart TV or CLI tool that has no browser at all.

🏏

Cricket analogy: OAuth 1.0's single flow is like the game having only one format, Test cricket, forever, while OAuth 2.0's grant types are like the sport later adding ODIs, T20s, and even The Hundred to fit different audiences and time constraints.

OAuth 1.0's mandatory request signing did eliminate certain man-in-the-middle risks even over plain HTTP, which is why some legacy financial and telecom APIs still use it today, but the industry consensus is that OAuth 2.0 with mandatory TLS, PKCE, and sender-constrained tokens now matches or exceeds that protection without the implementation complexity.

  • OAuth 1.0 required cryptographic request signing (HMAC-SHA1/RSA-SHA1); OAuth 2.0 uses bearer tokens secured by TLS instead.
  • OAuth 1.0 offered one rigid three-legged flow; OAuth 2.0 defines multiple grant types for different client scenarios.
  • OAuth 2.0's simpler bearer-token model made client libraries far easier to write correctly than OAuth 1.0's signature-base-string logic.
  • Because OAuth 2.0 dropped signing, TLS is not optional — a plaintext OAuth 2.0 request exposes the token entirely.
  • OAuth 2.0's extensibility enabled later additions like PKCE and the Device Authorization Grant that OAuth 1.0 could not accommodate.
  • OAuth 1.0 is largely legacy today; virtually all major API providers standardized on OAuth 2.0.
  • The security trade-offs of OAuth 2.0's flexibility are why hardening specs like RFC 9700 exist.

Practice what you learned

Was this page helpful?

Topics covered

#Programming#OAuth20StudyNotes#OAuth20VsOAuth10#OAuth#Request#Signing#Bearer#StudyNotes#SkillVeris#ExamPrep