by shubber 5047 days ago
To be fair, Bearer Token is only one option for credentialing under OAuth2 (which also includes e.g. MAC, which is as good an authentication token as you could ask for).

And: Bearer Token is as good as the session cookies that are used in every app everywhere.

There's a valid criticism of OAuth2, and that's that there are lots of decisions that are left up to the Authorization server implementer, and they need to know what they're doing. And this is security: no one knows what they're doing well enough.


Absolutely; however, the example given was Instagram, which uses bearer tokens, which are at once the easiest and least secure option. Since people tend to take the path of least resistance, they also seem to be the most popular option by a wide margin.

I use and enjoy OAuth2, and I'm not trying to bag on it; you're absolutely right in that it's up to the server to do things Right (and few people do; the fact that nearly nobody uses the state parameter is evidence enough of that!). However, I do think it's ridiculously faulty to hold Instagram's bearer token authorization up as the "secure way" to do things in contrast to OAuth1.

I think that both OAuth and OAuth2 are plenty secure in most use cases. TLS provides Good Enough(tm) protection for the vast majority of bearer token transactions, and as you point out, there's always MAC if you don't trust the integrity of the transport. But I do think it's ignorant to claim that OAuth 1 is insecure because you can pull the secrets out of a client app, while somehow claiming that OAuth 2 is secure against such attacks.
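The `state` parameter mentioned above is the OAuth2 client's own defense against forged authorization callbacks (CSRF and authorization-code injection). The following is an added example, not code from either commenter or from any OAuth2 library: it generates an unguessable `state`, binds it to the user's session, and verifies it once on the callback. The authorization server URL and the `dict`-backed session are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization server endpoint (assumption, not a real service).
AUTHORIZE_URL = "https://authz.example/oauth/authorize"


def begin_authorization(session: dict, client_id: str, redirect_uri: str) -> str:
    """Build the authorization URL and bind a fresh, unguessable state to this session."""
    state = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session["oauth_state"] = state             # session is server-side, per user
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def finish_authorization(session: dict, callback_url: str) -> str:
    """Check the callback's state against the session; return the code or raise.

    The stored state is consumed on first use, so a replayed or stale callback
    fails even if its state once matched.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # one-time use
    presented = params.get("state", [None])[0]
    if expected is None or presented is None:
        raise ValueError("missing state: callback not tied to a login we started")
    # Constant-time comparison so a mismatch leaks nothing via timing.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("state mismatch: possible CSRF or code injection")
    codes = params.get("code")
    if not codes:
        raise ValueError("no authorization code in callback")
    return codes[0]
```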