Well if you implement OAuth 2 properly, you'll prevent session fixation and hijacking attacks, and with https you will also prevent man-in-the-middle attacks.
The hueniverse guy was one of the people drafting the standard and as far as I can tell he laments that the providers can return a "bearer token" instead of a "mac token". That means the token is sent on every request to the provider, and without https it can be intercepted. But with https everything is fine!
OAuth 1.0 didn't rely on https to prevent MITM attacks and instead used the "mac token" to sign each request to the provider, along with an increasing timestamp/nonce to prevent replay attacks.
http://www.codinghorror.com/blog/2012/02/should-all-web-traf...
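An added illustration of the MAC-token idea the comment describes (my example, not the commenter's code and not the exact OAuth 1.0 or MAC-token draft algorithm): the client attaches a timestamp, a nonce and an HMAC over the request, so the token secret never travels on the wire, and the provider rejects forged, stale and replayed requests. The canonical string, secret and URLs are constructed for the demo.

```python
import hmac
import hashlib
import secrets
import time

# Constructed shared secret; in OAuth this is the token secret issued by the provider.
TOKEN_SECRET = b"constructed-demo-secret"
TIMESTAMP_WINDOW = 300  # seconds of clock skew the provider tolerates


def normalize(method, url, timestamp, nonce):
    """Canonical string covered by the MAC (simplified; not the real OAuth 1.0 base string)."""
    return f"{method.upper()}\n{url}\n{timestamp}\n{nonce}".encode()


def sign_request(method, url, secret=TOKEN_SECRET, timestamp=None, nonce=None):
    """Client side: sign the request; only the MAC, timestamp and nonce are sent, not the secret."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(secret, normalize(method, url, timestamp, nonce), hashlib.sha256).hexdigest()
    return {"method": method, "url": url, "timestamp": timestamp, "nonce": nonce, "mac": mac}


class Verifier:
    """Provider side: accept a request only if its MAC is valid, it is recent, and it is unseen."""

    def __init__(self, secret=TOKEN_SECRET, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so the replay window can be tested
        self.seen = set()         # (timestamp, nonce) pairs already accepted

    def verify(self, req):
        base = normalize(req["method"], req["url"], req["timestamp"], req["nonce"])
        expected = hmac.new(self.secret, base, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "bad_mac"      # tampered or forged: any changed field breaks the MAC
        current = int(self.now())
        if abs(current - req["timestamp"]) > TIMESTAMP_WINDOW:
            return "stale"        # outside the window, so the nonce store need not remember it
        # Forget nonces that have aged out of the window so the store stays bounded.
        self.seen = {k for k in self.seen if abs(current - k[0]) <= TIMESTAMP_WINDOW}
        key = (req["timestamp"], req["nonce"])
        if key in self.seen:
            return "replay"       # identical signed request presented a second time
        self.seen.add(key)
        return "ok"
```

With a bearer token the same interception gives the attacker the token itself; here an intercepted request is usable at most once, and only within the timestamp window.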