> OAuth 2.0 has no signatures because all the cryptography has been
> moved from the OAuth layer to the transport-layer by requiring the use
> of TLS.

This is partially true. In the core get-a-token and use-a-token parts of OAuth 2.0, there is no cryptography and it is recommended that people rely on transport-layer security for protection. However, there will also be an OAuth-signing spec published along with 2.0, but that's the bit that folks don't agree on how to do yet. It won't be added to the core OAuth 2 spec, but it is something that the working group has expressed interest in producing.

As for your original question, I'd agree that 1.0 is easier to deploy right now since there are a ton of libraries and experience around that, assuming that your use case fits it OK. If you instead have a use case that fits one of the 2.0 profiles better, you might want to look there instead. But keep in mind that the spec is not final, and that things will change from here to completion. Even the latest draft (-09) had a complete rewrite of the token-issuing endpoint and its behavior.

 -- Justin

> On Jul 6, 2010, at 5:17 PM, Mendel wrote:
>
> > Hello all,
> >
> > I'm gonna build an OAuth server soon, which version (1.0 or 2.0) or
> > draft version do you recommend to use? In draft 9 (OAuth 2.0) the
> > signature process is left out, in my understanding because we can't
> > agree about a standard yet. Do you guys recommend using the one in
> > draft 5? I think it's a waste to build for OAuth 1.0 now.
> >
> > Not a very technical question, but hopefully you could give me some
> > feedback.
> >
> > Mendel
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "OAuth" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/oauth?hl=en.
