OAuth 1 versus OAuth 2

This is intended to serve as a quick guide to which OAuth version might suit your needs best. The target audience are providers contemplating which workflows to offer their clients but clients curious to which workflow to use should be able to get some help too.

Before choosing it is important to understand a fundamental issue with client - server security. It is technically impossible to store secrets on machines out of your control, such as a users desktop or phone. Without the ability to secure a secret the ability to authenticate is lost. Because of this the provider has no way of knowing whether a request from such a client is legitimate or from a malicious party. Great care should be taken to restrict non authenticated clients access to resources appropriately.

When to offer which OAuth workflow