I've been reading quite a bit of documentation about OAuth1 and OAuth2 lately, both of which I've understood to be (relatively) insecure in the case of public clients (such as bots on the user's computer, or mobile applications).
So, when I read that “If the wiki and the bot support OAuth, use that instead; it is more secure, especially on wikis without robust HTTPS support.”, I wonder if there's something I've misunderstood or if that statement is not somewhat misleading…
Without robust HTTPS, that statement is obviously true, as using bot passwords is vulnerable to MITM, like using regular passwords and unlike OAuth1. In that case, one's main concern should probably be to get robust HTTPS first (as only HTTPS can protect regular passwords used by the users to authenticate to the server to authorize the OAuth client), but anyway: OAuth is for sure a security improvement over bot passwords.
But, with robust HTTPS (which I'm going to assume should be the norm in 2018) is there any reason to think OAuth is more secure than bot passwords?
I'm asking mostly out of curiosity and for my own understanding, but I'm also considering using bot passwords for a mobile application, as the bot password form is “just complicated” for the end user, whereas the OAuth token form is “horribly complicated” (no offense to be taken: I think it's perfectly fine for the public of developers it was designed for — it's just being used out of its scope, for legitimate reasons).
Thanks a lot for any clarification :)