
OAuth 1.0, 2.0, 2.err? Standards and why you need us

We recently found that one of the API services we manage for clients had stopped working. We couldn't figure out why, except that we were suddenly getting strange errors and our tracking system alerted that somewhere, somehow, an API had changed.

We traced the culprit to our old friend the OAuth 'standard'. Basically, OAuth 2.0 originally specified that the access token was a parameter in the HTTP request:

e.g. https://graph.facebook.com/me?access_token=blah&foo=bar

This is easy to use, but it is bad from an HTTP usage perspective: the access token is an authorization token, not something that should be handled by the end resource. That kind of thing should go in the headers.

So, they specified it as a header:

Authorization: Bearer TOKEN_VALUE

So, here's the thing: the final spec mentions that the old way exists but is not recommended (for a while it wasn't mentioned at all). Our client had done the right thing and upgraded to the final spec; the problem was that it broke how people had integrated with their APIs. We'll predict, but not guarantee, that Facebook won't do the same thing, because it would catch out too many people and apps.
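To make the two token-passing forms concrete, here is an added example (not code from the original post or from Viafo) showing both the client side and the server side of the migration described above. The client helper emits either the `Authorization: Bearer` header or the older `access_token` query parameter; the server helper accepts the header, still accepts the query parameter so existing integrations keep working, but reports which form was used so the operator can log it and track who has not migrated. It also rejects a request that carries the token both ways. The URL, token value and parameter names are constructed for the example; the header syntax and the "only one method per request" rule follow the OAuth 2.0 bearer token spec (RFC 6750), and the point about query-string tokens ending up in access logs and Referer headers is the usual reason the header form is preferred.

```python
import re
from urllib.parse import parse_qs, urlencode

# RFC 6750 b64token syntax: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def build_request(base_url, token, params=None, use_header=True):
    """Client side: return (url, headers) for an API call.

    use_header=True  -> token in the Authorization header (RFC 6750 section 2.1, recommended)
    use_header=False -> token as the access_token query parameter (section 2.3, not recommended:
                        it lands in web server access logs, proxies and Referer headers)
    """
    params = dict(params or {})
    headers = {}
    if use_header:
        headers["Authorization"] = f"Bearer {token}"
    else:
        params["access_token"] = token
    url = base_url + ("?" + urlencode(params) if params else "")
    return url, headers


def extract_bearer_token(headers, query_string):
    """Server side: locate the bearer token in an incoming request.

    Returns (token, method, error) where method is "header", "query" or None and
    error is None or a short reason the request should be rejected with 400/401.
    Accepting the query form keeps old integrations alive during a migration;
    the returned method lets the operator log and count the stragglers.
    """
    # Header names are case-insensitive, so normalise before looking them up.
    lowered = {k.lower(): v for k, v in headers.items()}
    header_token = None
    auth = lowered.get("authorization")
    if auth is not None:
        scheme, _, credentials = auth.partition(" ")
        if scheme.lower() != "bearer":  # auth-scheme is case-insensitive (RFC 7235)
            return None, None, "unsupported authorization scheme"
        credentials = credentials.strip()
        if not _B64TOKEN.match(credentials):
            return None, None, "malformed bearer token"
        header_token = credentials

    query_tokens = parse_qs(query_string).get("access_token", [])
    if len(query_tokens) > 1:
        return None, None, "access_token given more than once"
    query_token = query_tokens[0] if query_tokens else None

    if header_token and query_token:
        # RFC 6750 section 2: clients MUST NOT use more than one method in a request.
        return None, None, "token supplied in both header and query string"
    if header_token:
        return header_token, "header", None
    if query_token:
        return query_token, "query", None  # deprecated form, still honoured
    return None, None, None  # anonymous request; caller decides whether that is allowed


if __name__ == "__main__":
    # Constructed sample call, mirroring the URL shape quoted in the post.
    url, hdrs = build_request("https://graph.facebook.com/me", "abc123", {"foo": "bar"})
    print(url, hdrs)
    print(extract_bearer_token(hdrs, url.partition("?")[2]))
    legacy_url, _ = build_request("https://graph.facebook.com/me", "abc123", {"foo": "bar"}, use_header=False)
    print(extract_bearer_token({}, legacy_url.partition("?")[2]))
```

In a real deployment the `"query"` result would be logged with the client identity and, once the count reaches zero, the fallback removed; that is the step whose absence caused the breakage the post describes.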

So now we have two OAuth 2.0 standards, and, of course, OAuth 1.0 is still out there.

Remember, our service is designed to let us worry about this mess for you, so check out our developer site and try us for free today: http://dev.viafo.com