OAuth 2.0承诺在以下方面简化事情:

SSL is required for all the communications required to generate the token. This is a huge decrease in complexity because those complex signatures are no longer required. Signatures are not required for the actual API calls once the token has been generated -- SSL is also strongly recommended here. Once the token was generated, OAuth 1.0 required that the client send two security tokens on every API call, and use both to generate the signature. OAuth 2.0 has only one security token, and no signature is required. It is clearly specified which parts of the protocol are implemented by the "resource owner," which is the actual server that implements the API, and which parts may be implemented by a separate "authorization server." That will make it easier for products like Apigee to offer OAuth 2.0 support to existing APIs.

来源:http://blog.apigee.com/detail/oauth_differences

OAuth 2.0承诺在以下方面简化事情:

SSL is required for all the communications required to generate the token. This is a huge decrease in complexity because those complex signatures are no longer required. Signatures are not required for the actual API calls once the token has been generated -- SSL is also strongly recommended here. Once the token was generated, OAuth 1.0 required that the client send two security tokens on every API call, and use both to generate the signature. OAuth 2.0 has only one security token, and no signature is required. It is clearly specified which parts of the protocol are implemented by the "resource owner," which is the actual server that implements the API, and which parts may be implemented by a separate "authorization server." That will make it easier for products like Apigee to offer OAuth 2.0 support to existing APIs.

来源:http://blog.apigee.com/detail/oauth_differences

从安全的角度来看，我选择OAuth 1。参见OAuth 2.0和地狱之路。

引用这个链接:

"If you are currently using 1.0 successfully, ignore 2.0. It offers no real value over 1.0 (I’m guessing your client developers have already figured out 1.0 signatures by now). If you are new to this space, and consider yourself a security expert, use 2.0 after careful examination of its features. If you are not an expert, either use 1.0 or copy the 2.0 implementation of a provider you trust to get it right (Facebook’s API documents are a good place to start). 2.0 is better for large scale, but if you are running a major operation, you probably have some security experts on site to figure it all out for you."

Eran Hammer-Lahav在他的文章《介绍OAuth 2.0》中出色地解释了其中的大部分差异。总结一下，这是关键的区别:

More OAuth Flows to allow better support for non-browser based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, in OAuth 1.0, desktop applications or mobile phone applications had to direct the user to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the application. The main criticism here is against the user experience. With OAuth 2.0, there are now new ways for an application to get authorization for a user.

OAuth 2.0不再要求客户端应用程序具有密码学。这让人想起了旧的Twitter Auth API，它不需要应用程序HMAC哈希令牌和请求字符串。使用OAuth 2.0，应用程序可以仅使用通过HTTPS发出的令牌发出请求。

OAuth 2.0签名要简单得多。没有更多特殊的解析、排序或编码。

OAuth 2.0访问令牌是“短命的”。通常，OAuth 1.0访问令牌可以存储一年或更长时间(Twitter从不让它们过期)。OAuth 2.0有刷新令牌的概念。虽然我不完全确定这些是什么，我的猜测是你的访问令牌可以是短期的(即基于会话)，而你的刷新令牌可以是“生命时间”。您将使用刷新令牌来获取新的访问令牌，而不是让用户重新授权您的应用程序。

最后，OAuth 2.0意味着在负责处理OAuth请求的服务器和处理用户授权的服务器之间有一个清晰的角色分离。在前面提到的文章中有详细的信息。

一旦生成了令牌，实际的API调用就不需要OAuth 2.0签名。它只有一个安全令牌。

OAuth 1.0要求客户端为每个API调用发送两个安全令牌，并使用它们来生成签名。它要求受保护的资源端点能够访问客户端凭据，以便验证请求。

下面介绍OAuth 1.0和2.0之间的区别以及两者的工作方式。

我在这里看到了很好的答案，但我错过了一些图表，因为我必须使用Spring Framework，所以我看到了它们的解释。

我发现下面的图表很有用。它们说明了使用OAuth2和OAuth1的各方之间通信的差异。

OAuth 2

OAuth 1