[OWASP-wiki-editors] OAuth 1.0a in Authentication Cheat Sheet

Jim Manico jim.manico at owasp.org
Mon Oct 3 19:11:16 UTC 2016


I agree we should be mostly moving to OAuth 2. But OAuth 1 is more
secure and is used widely - by Twitter still, for example.

I am a bit busy this AM, but I'll add a few notes to clarify soon.

Please note, the move from OAuth 1 to 2 is politically charged. Read
this for more info, it's "famous" in the history of OAuth.
https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/

- Jim


On 10/3/16 9:06 AM, johanna curiel curiel wrote:
> Hi Jim
>
> if this is the case, maybe we could explain this better. Because it
> seems that OAuth2 is being pushed, do you have any resources explaining
> why OAuth 1.0a is better?
>
> cheers
>
> Johanna
>
> On Mon, Oct 3, 2016 at 3:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     OAuth 1.0a is still in widespread use and is founded on solid
>     cryptography. So it's still a good recommendation from a security
>     perspective. In fact, OAuth 1.0a is WAAAAAAAAAAY more secure than
>     the BS that is OAuth 2. So I again stand by this recommendation,
>     at least for now. Can we revisit next year?
>
>     - Jim
>
>
>     On 10/3/16 8:47 AM, johanna curiel curiel wrote:
>>     Hi wiki editors
>>
>>     It has come to my attention that OAuth 1.0a is
>>     still recommended in the Authentication cheat sheet:
>>     https://www.owasp.org/index.php/Authentication_Cheat_Sheet#OAuth
>>
>>     "The recommendation is to use and implement OAuth 1.0a or OAuth 2.0"
>>
>>     OAuth 1.0a has been deprecated and it is recommended to use
>>     OAuth only:
>>     "This specification was obsoleted by RFC 6749: The OAuth 2.0
>>     Authorization Framework (http://tools.ietf.org/html/rfc6749).
>>     Implementers should use RFC 6749 instead of this specification."
>>     https://oauth.net/core/1.0a/
>>
>>
>>     Cheers
>>
>>     Johanna Curiel 
>>
>>
>>
>>     _______________________________________________
>>     OWASP-wiki-editors mailing list
>>     OWASP-wiki-editors at lists.owasp.org
>>     https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
>
> -- 
> Johanna Curiel 
> OWASP Volunteer