Clarification on use of OAuth 1 vs 2

[BRMatt]

I had a look over the spec but couldn't see any explicit discussion about why version 1 of the protocol was chosen over v2. The closest I saw to an explanation was this line:

The API must work on any site. The API must only use features available to the majority of sites in order to provide a useful utility.

Which I presume is hinting that you can't rely on all sites having SSL to protect v2's secret credentials?

[rmccue]

Which I presume is hinting that you can't rely on all sites having SSL to protect v2's secret credentials?

Correct; OAuth 2 requires SSL when used in most modes. It can be used in MAC mode, however that usage is not yet standardised, so we can't use it.

Thanks for the feedback; I'll clarify this in the documentation.

[lfender6445]

When can we expect to see OAuth 2 support? Is this in the works?

[kosso]

+1 for OAuth 2 support.

[seanfisher]

+1 as well for OAuth 2 support.

[joehoyle]

OAuth2 is not currently in the works by the REST API team due to the HTTPS requirement, we are trying to focus on the solutions that work for (virtually) all WordPress sites, however I do encourage any contributors to work on an oauth2 plugin :)