| Basis of difference | OAuth 1.0 | OAuth 2.0 |
|---|---|---|
| Non-browser applications | OAuth 1.0 was designed around the inbound and outbound messages of web client applications, so it is inefficient for non-browser clients. | OAuth 2.0 addresses this by introducing additional authorization flows for clients that do not use a web UI. |
| Reduced complexity | In OAuth 1.0 every API call requires generating a signature; the receiving endpoint verifies the signature before the request is processed. | OAuth 2.0 does not require request signatures and instead relies on TLS/SSL (HTTPS) to protect the communication. |
| Separation of roles | Roles are only loosely defined. | Handling resource requests and handling user authorization can be decoupled in OAuth 2.0. It clearly defines the roles involved: client, resource owner, resource server, and authorization server. |
| Access token | Access tokens can be stored for a year or more. | Access tokens can carry an expiration time, which improves security and reduces the window for illegitimate access. A refresh token can be used to obtain a new access token once the current one expires, without re-authorizing. |
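As an added illustration, not part of the original table, the two mechanisms contrasted above in Python: the OAuth 1.0 per-request HMAC-SHA1 signature (RFC 5849 section 3.4) and the OAuth 2.0 expiring access token with refresh. `TokenStore`, its tokens and the sample secrets are constructed for this example and do not model any particular server.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def _pct(value) -> str:
    # RFC 5849 section 3.6: encode everything except the unreserved characters.
    return quote(str(value), safe="-._~")


def oauth1_base_string(method, url, params) -> str:
    """RFC 5849 section 3.4.1 signature base string (params exclude oauth_signature)."""
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def oauth1_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """OAuth 1.0 HMAC-SHA1 signature: the per-request work that OAuth 2.0 drops."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = oauth1_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class TokenStore:
    """Constructed OAuth 2.0 authorization-server state: short-lived bearer
    access tokens plus a refresh token that mints a new one without re-consent."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self._access = {}   # access_token -> expiry (unix seconds)
        self._refresh = {}  # refresh_token -> subject

    def issue(self, subject, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = now + self.access_ttl
        self._refresh[refresh] = subject
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": self.access_ttl}

    def is_valid(self, access, now):
        # Resource-server check (over TLS): unknown or expired tokens are rejected.
        return self._access.get(access, 0) > now

    def refresh(self, refresh_token, now):
        # Rotate: each refresh token is single-use, so a leaked copy is soon worthless.
        subject = self._refresh.pop(refresh_token, None)
        return None if subject is None else self.issue(subject, now)
```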