We have looked at the standard that has been employed by many of the top providers in the industry, OAuth 1.0a. Now it’s time to look at the emerging revision to that standard, OAuth 2, which has already been implemented by companies such as Facebook (to secure its Graph API) and Gowalla (to access its check-in services).
OAuth 2 is not compatible with the OAuth 1.0a workflow or token system. It is a complete revision to the specification.
There are a few major revisions to the specification that implementers should be aware of. Instead of having signing libraries such as those we used in the OAuth 1.0a examples, in OAuth 2, all requests are made via HTTPS requests. There is no longer any need to go through complex signing procedures in order to perform token exchange.
Another major difference has to do with the ease of implementation. Due to its reduced complexity, OAuth 2 will take far less time and effort to implement.
To understand this specification and how it works, let’s start by going through the OAuth 2 workflow.