OAuth1 or OAuth2 for a non SSL website?

The short answer is: you should consider using OAuth 1.0a [1] rather than OAuth 2.0

The long answer is below:

OAuth 2.0 by default requires the use of SSL/TLS for transport layer security. Therefore, when implementing an OAuth 2.0 compliant Authorization Server, you need to allow client applications to connect to the Authorization Endpoint as well as Token Endpoint over a secure channel. See the following sections in the OAuth 2.0 specification [2]:

3.1 (Authorization Endpoint)

"[...] the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint."

3.2 (Token Endpoint)

"[...] the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint."

In your case, when you do not have an SSL connection, you can still possibly consider using OAuth 2.0 and the MAC Access Authentication [3], which specifies how to make OAuth 2.0 requests by issuing MAC-type access tokens. Such tokens are cryptographically signed with a shared symmetric key (key is shared between the client application and the server).

IMPORTANT NOTE: In such setup, however, you will still need to provide a mechanism for clients to be able to establish a shared secret with your OAuth 2.0 server in a secure way (how this is done is up to you - can be over some SSL channel or out-of-band, depending on your exact use cases). This is a strict requirement to allow clients to securely access protected resources!

"The MAC scheme requires the establishment of a shared symmetric keybetween the client and the server. This specification offers onesuch method for issuing a set of MAC credentials to the client usingOAuth 2.0 in the form of a MAC-type access token.

The primary design goal of this mechanism is to simplify and improveHTTP authentication for services that are unwilling or unable toemploy TLS for every request. In particular, this mechanism leveragean initial TLS setup phase to establish a shared secret between theclient and the server. The shared secret is then used over aninsecure channel to provide protection against a passive networkattacker."

Based on the above explanation, I would consider using OAuth 1.0a [3], which does not require the use of a transport-level security for communication between the client and Authorization Server (OAuth 1.0a uses the term "Service Provider", btw). Instead, it relies on messages being signed using a shared symmetric key (or an RSA key). However. please note that unless you use signatures using HMAC-SHA1 or RSA-SHA1 (i.e. you decide to use the PlAINTEXT signature type), you will need to use SSL/TLS anyway.

[1] https://www.rfc-editor.org/rfc/rfc5849

[2] https://www.rfc-editor.org/rfc/rfc6749

[3] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-http-mac-01

From a client's perspective, OAuth 2 is easier to integrate into applications, among other benfits: How is OAuth 2 different from OAuth 1?

Just integrate any external Oauth2 library with Codeigniter. Here is one: https://github.com/bshaffer/oauth2-server-php

I am using OAuth2 for 2 years, and I highly recommend using it since it is very reliable.Relating to SSL, as far as I know, OAuth should be utilizing SSL to gain proper implementation, avoiding this will simply not adopting OAuth protocol.