I've implemented an OAuth 1.0 provider following this specification, which should be the latest. The specification was amended to address the session fixation attack that was identified in 2009. The thing is, short of having to diff the two specifications I am unsure as to what measures were added/changed in the spec in response to the issue.
Since I implemented the "right" spec I am having a hard time explaining to stakeholders what measures I have taken to ameliorate the risks.
Anyone care to shed some light on the issue for me?
1.0a addresses a very specific attack described here: