Could anyone explain what’s good about OAuth2 and why we should implement it? I ask because I’m a bit confused about it — here are my current thoughts:
OAuth1 (more precisely HMAC) requests seem logical, easy to understand, easy to develop and really, really secure.
OAuth2, instead, brings authorization requests, access tokens and refresh tokens, and you have to make 3 requests at the very start of a session to get the data you’re after. And even then, one of your requests will eventually end up failing when the token expires.
And to get another access token, you use a refresh token that was passed at the same time as the access token. Does that make the access token futile from a security point of view?
Plus, as /r/netsec has shown recently, SSL isn’t entirely secure, so the push to get everything onto TLS/SSL instead of a secure HMAC confuses me.
OAuth is arguing that it’s not about 100% safety, but about getting it published and finished. That doesn’t exactly sound promising from a provider’s point of view. I can see what the draft is trying to achieve when it mentions the 6 different flows, but it’s just not fitting together in my head.
I think it might be more me struggling to understand its benefits and reasoning than actually disliking it, so this may be a bit of an unwarranted attack, and I’m sorry if this seems like a rant.
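As an added illustration that is not part of the question above, here is a constructed Python model of the access/refresh token lifecycle the question describes: short-lived HMAC-signed access tokens checked by the resource server, and opaque refresh tokens that are accepted only by the token endpoint, work once each, and revoke the whole token family if one is ever replayed. The class, the key and the 300-second lifetime are assumptions for the example.

```python
import base64, binascii, hashlib, hmac, json, secrets, time


class AuthServer:
    """Constructed toy of an OAuth2-style token endpoint plus resource-server check."""

    def __init__(self, key: bytes, access_ttl: int = 300):
        self.key = key                 # HMAC key shared only by auth and resource server
        self.access_ttl = access_ttl   # short lifetime bounds the damage from a leaked access token
        self.active = {}               # live refresh token -> (user, family)
        self.used = {}                 # refresh tokens already exchanged -> family
        self.revoked = set()           # token families killed after a replay was seen

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b".".join(base64.urlsafe_b64encode(p) for p in (payload, mac)).decode()

    def issue(self, user: str, family=None, now=None):
        """Hand out a signed access token and an opaque refresh token (same family on rotation)."""
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)
        claims = json.dumps({"sub": user, "exp": now + self.access_ttl}).encode()
        refresh = secrets.token_urlsafe(32)   # opaque; only ever sent to the token endpoint
        self.active[refresh] = (user, family)
        return self._sign(claims), refresh

    def refresh(self, token: str, now=None):
        """Rotate: each refresh token works once; a replay revokes its whole family."""
        if token in self.used:
            self.revoked.add(self.used[token])
            return None
        entry = self.active.pop(token, None)
        if entry is None or entry[1] in self.revoked:
            return None
        user, family = entry
        self.used[token] = family
        return self.issue(user, family, now)

    def verify_access(self, token: str, now=None):
        """Resource-server side: check the MAC, then the expiry; return the subject or None."""
        now = time.time() if now is None else now
        try:
            payload, mac = (base64.urlsafe_b64decode(p) for p in token.split("."))
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        return claims["sub"] if claims["exp"] > now else None
```

A leaked access token stops working once `exp` passes, and a refresh token never reaches the resource server at all, which is the separation the question's "futile" worry is about.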