[OWASP-wiki-editors] OAuth 1.0a in Authentication Cheat Sheet
jim.manico at owasp.org
Mon Oct 3 19:11:16 UTC 2016
I agree we should be mostly moving to OAuth 2. But OAuth 1 is more
secure and is used widely - by Twitter still, for example.
I am a bit busy this AM, but I'll add a few notes to clarify soon.
Please note, the move from OAuth 1 to 2 is politically charged. Read
this for more info, it's "famous" in the history of OAuth.
On 10/3/16 9:06 AM, johanna curiel curiel wrote:
> Hi Jim
> if this is the case, maybe we could explain this better. Because it
> seems that OAuth2 is being pushed, do you have any resources explaining
> why OAuth1.0a is better?
> On Mon, Oct 3, 2016 at 3:02 PM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
> OAuth 1.0a is still in widespread use and is founded on solid
> cryptography. So it's still a good recommendation from a security
> perspective. In fact, OAuth 1.0a is WAAAAAAAAAAY more secure than
> the BS that is OAuth 2. So I again stand by this recommendation,
> at least for now. Can we revisit next year?
> - Jim
> On 10/3/16 8:47 AM, johanna curiel curiel wrote:
>> Hi wiki editors
>> It has called my attention that OAuth 1.0a is
>> still recommended in the Authentication cheat sheet:
>> "The recommendation is to use and implement OAuth 1.0a or OAuth 2.0"
>> OAuth 1.0a has been deprecated and it is recommended to use
>> OAuth only:
>> This specification was obsoleted by RFC 6749: The OAuth 2.0
>> Authorization Framework
>> <http://tools.ietf.org/html/rfc6749>. Implementers should use RFC
>> 6749 <http://tools.ietf.org/html/rfc6749> instead of this
>> Johanna Curiel
> Johanna Curiel
> OWASP Volunteer
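For readers of the thread above, an added illustration (not code from the list or from OWASP) of what "founded on solid cryptography" means in OAuth 1.0a: every request is signed with HMAC-SHA1 over a signature base string built from the method, URI and all parameters (RFC 5849 section 3.4), so the server's recomputation fails if any of them change, whereas an OAuth 2.0 bearer token is accepted on presentation alone. The request is modelled on the RFC 5849 section 3.4.1.1 example; the two secrets are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal; hex digits uppercase
    return quote(s, safe="")

def base_string_uri(url):
    # 3.4.1.2: lowercase scheme and host, drop the default port and the query string
    u = urlsplit(url)
    host = u.hostname
    if u.port and (u.scheme.lower(), u.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"

def signature_base_string(method, url, oauth_params, form_params=()):
    # 3.4.1.3: query + form body + oauth_* header params, minus realm and oauth_signature;
    # encode each key and value, sort by key then value, join, then encode the whole thing
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    header = [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    pairs = sorted((pct(k), pct(v)) for k, v in [*query, *form_params, *header])
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_sha1(base, consumer_secret, token_secret=""):
    # 3.4.2: key is encoded consumer secret, '&', encoded token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign(method, url, oauth_params, form_params, consumer_secret, token_secret):
    base = signature_base_string(method, url, oauth_params, form_params)
    return {**oauth_params, "oauth_signature": hmac_sha1(base, consumer_secret, token_secret)}

def verify(method, url, oauth_params, form_params, consumer_secret, token_secret):
    # Server side: recompute over the request as received, so a change to the method, URI or
    # any parameter fails the check; nonce/timestamp replay checks (3.3) are a separate step
    base = signature_base_string(method, url, oauth_params, form_params)
    expected = hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Request modelled on the RFC 5849 section 3.4.1.1 example; the two secrets are constructed
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
FORM = [("c2", ""), ("a3", "2 q a!")]
PARAMS = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
          "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
          "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-example", "token-secret-example"
```

Calling sign("POST", URL, PARAMS, FORM, CONSUMER_SECRET, TOKEN_SECRET) produces the Authorization header parameters, and verify() on the server accepts them only for that exact request.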