Hi,

> Here are my doubts:
>
> 1) First, would it make any sense nowadays to set up a security system 
> based on OAuth 1.0a? Should it be considered "too old" and hence a 
> completely wrong pick?
>

Though I don't think OAuth 1.0 is a wrong pick, because its security is 
considered good, if you select OAuth 2.0 you can reduce development cost 
because the protocol is very much simpler.
And you can get an additional benefit from the refresh token, which enables 
a web application to get a new access token without executing the 
authorization flow against users.

> 2) I can't figure out a real world scenario where 2-legged OAuth is clearly 
> a better option than Http(S) Auth. What extra bonuses do I get from it?
>
First, OAuth is an authorization protocol, not one for authentication.
If you use the access token to identify the user, the benefits are:
- You can not only authenticate users but also control which user resources 
are or are not provided to the OAuth client, by the scope parameter.
- Because the access token expires within several days, if the user's 
identification, like a cookie or a permanent token, is unintentionally 
disclosed to the public, you can reduce the security risk.
The drawback is that some users would be embarrassed by the two 
redirections.

> 3) Given that I'm not a veteran security expert, would OAuth be a 
> reasonable choice?
>
I think so, because the community members of OAuth come from security 
companies.

> 4) Are there support frameworks or other third-party auxiliary tools that 
> one may use in order to obtain a secure-reliable-trustworthy implementation 
> of OAuth in less time and/or with less effort than just trying to figure it 
> out completely by him/herself
>

If you select OAuth 2, a dedicated library isn't required because it is 
easy to implement.
If you select OAuth 1, a dedicated library is required because you need to 
build the source string for hashing, and it will cost you much debugging 
time if you do it by yourself.

Hitoshi

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
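As an added example (my own code, not Hitoshi's and not from the OAuth group) of what "building the source string for hashing" in OAuth 1.0a involves: the RFC 5849 signature base string and HMAC-SHA1 signature, computed for the RFC's own sample request from section 3.4.1.1, next to the naive double-encoding version that costs people the debugging time mentioned above. The consumer and token secrets are constructed for the illustration, so the resulting signature value is not one the RFC publishes.

```python
# Added example (not from the mailing-list post): RFC 5849 sections 3.4.1
# (signature base string) and 3.4.2 (HMAC-SHA1), plus a server-side verify.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: ALPHA, DIGIT, '-', '.', '_'
    and '~' stay bare; every other byte becomes %XX with uppercase hex."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop default ports,
    drop the query string and fragment."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def normalize_params(url: str, body: str, oauth_params: dict) -> str:
    """Section 3.4.1.3: gather query, form-body and oauth_* parameters
    (realm and oauth_signature excluded), DECODE them first, then encode
    each name and value, sort by name then value, and join with '&'."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """Section 3.4.1.1: METHOD & encoded(base URI) & encoded(normalized params)."""
    return "&".join([pct(method.upper()),
                     pct(base_string_uri(url)),
                     pct(normalize_params(url, body, oauth_params))])


def naive_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """The classic mistake: take query/body parameters as they appear on the
    wire (already percent-encoded) and encode them again, so 'r%20b' becomes
    'r%2520b' before the final encoding. The server builds the RFC string,
    so the signatures never match and nothing tells you why."""
    raw = [p for p in urlsplit(url).query.split("&") + body.split("&") if p]
    pairs = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in raw]
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(pairs))
    return "&".join([pct(method.upper()), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key = encoded(consumer secret) & encoded(token secret);
    signature = base64(HMAC-SHA1(key, base string))."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(presented: str, base_string: str, consumer_secret: str,
                     token_secret: str = "") -> bool:
    """Server side: recompute the signature and compare in constant time."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Sample request copied from RFC 5849, section 3.4.1.1.
EXAMPLE_METHOD = "POST"
EXAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
EXAMPLE_BODY = "c2&a3=2+q"  # application/x-www-form-urlencoded entity body
EXAMPLE_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# The signature base string the RFC gives for that request.
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
    "9d7dh3k39sjv7"
)
# Secrets are constructed for this example; the RFC does not pair them with
# this request, so the signature printed below is illustrative only.
CONSUMER_SECRET = "j49sk3j29djd"
TOKEN_SECRET = "dh893hdasih9"

if __name__ == "__main__":
    base = signature_base_string(EXAMPLE_METHOD, EXAMPLE_URL, EXAMPLE_BODY, EXAMPLE_OAUTH)
    print("matches RFC base string:", base == RFC_BASE_STRING)
    naive = naive_base_string(EXAMPLE_METHOD, EXAMPLE_URL, EXAMPLE_BODY, EXAMPLE_OAUTH)
    print("naive double-encoded version matches:", naive == RFC_BASE_STRING)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    print("oauth_signature:", sig)
    print("verifies:", verify_signature(sig, base, CONSUMER_SECRET, TOKEN_SECRET))
```

The point of keeping `naive_base_string` next to the correct one is that both produce a plausible-looking string and a well-formed base64 signature; only the server's comparison reveals the difference, which is why an OAuth 1 implementation written from scratch tends to fail silently with "invalid signature" and why Hitoshi's advice to use a library is sound. The verifier also compares with `hmac.compare_digest` rather than `==`, so the comparison itself does not leak timing information about the expected signature.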