Thanks for the input. I've pretty much decided to leverage the mature
work already done with 1.0a and use that.

Regarding migration paths, although I probably won't need tokens to be
reused, is there any scope for reuse of identifiers and secrets or
would these also have to be migrated? I've only scratched the surface
of 2.0 but I suspect static client and user-associated data like this
will be usable going forward?

Shak

On Jun 9, 10:59 am, Rob Richards <[email protected]> wrote:
> Shak wrote:
> > Hi all,
>
> > I'm about to start working on incorporating OAuth in a project I'm
> > working on. I'll be a resource server, and will therefore have to
> > issue and manage tokens etc.
>
> > My question is regarding OAuth 2. Should I look to support the new
> > spec? I realise that it's a draft and in flux etc, but I'm wondering
> > with regards to this new project whether it's better to jump straight
> > into 2 now, or use 1a with the intention of moving to 2 later on - I
> > understand that the two are not compatible, but is it possible to run
> > both in parallel? Perhaps even by using the same tokens?
>
> > I know that this is a very subjective question to ask, but any
> > thoughts or advice would be appreciated.
>
> While you would also need to consider the company's view on stability,
> when you expect to go live with the project, the API in question, the
> targeted developers of the API, and how much control you have over both
> of them, I personally would just release with OAuth 1.0a, but ready to
> also release 2.0 when it's stable. This will let your targeted developers
> work against a stable spec with mature code libraries available and
> alleviate the risk of requiring change on your side to support any
> changes as OAuth 2 evolves. The fact of the matter is that 2.0 is still
> just a draft where nothing is set in stone, so your mileage will vary.
>
> Once you are ready to release a 2.0 version, you could then run them in
> parallel, which would give time for people to migrate their client
> applications from 1.0a to 2.0. Personally I wouldn't tie them both to
> the same access token or at least require authentication within each of
> the OAuth version flows before the token is active within the context of
> said version.
>
> Rob
