by cheald 5047 days ago
Absolutely; however, the example given was Instagram, which uses bearer tokens, which are at once the easiest and least secure option. Since people tend to take the path of least resistance, they also seem to be the most popular option by a wide margin.

I use and enjoy OAuth2, and I'm not trying to bag on it; you're absolutely right in that it's up to the server to do things Right (and few people do; the fact that nearly nobody uses the state parameter is evidence enough of that!). However, I do think it's ridiculously faulty to hold Instagram's bearer token authorization up as the "secure way" to do things in contrast to OAuth1.

I think that both OAuth and OAuth2 are plenty secure in most use cases. TLS provides Good Enough(tm) protection for the vast majority of bearer token transactions, and as you point out, there's always MAC if you don't trust the integrity of the transport. But I do think it's ignorant to claim that OAuth 1 is insecure because you can pull the secrets out of a client app, while somehow claiming that OAuth 2 is secure against such attacks.
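The bearer-versus-MAC contrast in the comment above, as an added illustration that is not part of the original thread: a bearer token is the credential itself, while a MAC-style token only ever sends an HMAC over the specific request, so a captured header cannot be reused for a different request or replayed. The normalized-string layout, the header field names and the `MacVerifier` class are simplified assumptions for this example, not the exact wire format of the OAuth 2 MAC draft.

```python
import hashlib
import hmac
import secrets
import time


def bearer_header(access_token: str) -> str:
    # Bearer: the token is the credential, so anyone who captures it can present it unchanged.
    return f"Bearer {access_token}"


def mac_base_string(ts: int, nonce: str, method: str, path: str, host: str, port: int) -> str:
    # Normalized request string the MAC covers (simplified layout; an assumption for this example).
    return "\n".join([str(ts), nonce, method.upper(), path, host.lower(), str(port)]) + "\n"


def mac_header(key_id, mac_key, method, path, host, port, ts=None, nonce=None):
    # Client side: the MAC key stays on the client; only an HMAC over this one request is sent.
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    base = mac_base_string(ts, nonce, method, path, host, port)
    mac = hmac.new(mac_key, base.encode(), hashlib.sha256).hexdigest()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(header):
    if not header.startswith("MAC "):
        return None
    params = {}
    for part in header[4:].split(","):
        k, _, v = part.strip().partition("=")
        params[k] = v.strip('"')
    return params


class MacVerifier:
    """Server side: recomputes the HMAC, bounds clock skew and rejects replayed nonces."""

    def __init__(self, keys, window=300):
        self.keys = keys        # key_id -> mac_key, looked up server-side (constructed sample data)
        self.window = window    # accepted clock skew in seconds
        self.seen = set()       # (key_id, ts, nonce) triples already accepted

    def verify(self, header, method, path, host, port, now=None):
        now = int(time.time()) if now is None else now
        p = parse_mac_header(header)
        if p is None or not p.get("ts", "").isdigit():
            return False
        key = self.keys.get(p.get("id"))
        if key is None or abs(now - int(p["ts"])) > self.window:
            return False
        replay_key = (p["id"], p["ts"], p.get("nonce", ""))
        if replay_key in self.seen:
            return False
        base = mac_base_string(int(p["ts"]), p.get("nonce", ""), method, path, host, port)
        expected = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return False
        self.seen.add(replay_key)
        return True
```

The replay set is kept in memory only to show the check; a real server would bound it by the skew window and share it across instances.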