OAuth access token vs session key

Well, it depends...

OAuth is a protocol for creating a session. OAuth bearer tokens are transmitted by the client using the Authentication: Bearer HTTP header. This is just a cryptographic nonce that is transmitted via an http header element, which in effect is (almost) identical to the cookie http header element.

How does it differ? Well, the rules for cookies are a little different than for other header elements. The cookie is maintained by the browser, and is attached to every request to which the cookie belongs. This is the reason why Cross-Site Request Forgery or session riding attacks work. The browser doesn't care where the request came from; it will attach the cookie based on the destination of the request.

OAuth Bearer tokens are a little different. These tokens are usually managed by the client (JavaScript, Flash, or even some middleware application). If your application uses JavaScript to manage the authentication bearer token, then this value will not be automatically applied by the browser, and therefore can double as a CSRF token, which is neat.

However, if you are using OAuth for middleware, then CSRF doesn't come into play, so it doesn't matter where it shows up in the header.
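A toy model of the distinction the answer draws, added here as an illustration rather than code from the original post: a browser cookie jar selected by destination host, versus a bearer token that only the application's own JavaScript can attach. Host names, paths and token values are constructed for the example.

```javascript
// Constructed values: a server-side session key (carried in a cookie) and an
// OAuth access token (held only by the application's own JavaScript).
const SESSION_ID = "sid-constructed-0001";
const BEARER_TOKEN = "at-constructed-0001";

// Cookie jar keyed by host. The browser chooses cookies by request destination,
// not by which page started the request.
const cookieJar = { "app.example": { sid: SESSION_ID } };

// Build a request as the browser would: a page at `origin` calls `host`.
// `viaAppJs` is true only when the app's own script issues the request.
function browserRequest(origin, host, path, viaAppJs) {
  const headers = {};
  const jar = cookieJar[host];
  if (jar) {
    headers.Cookie = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
  }
  // The bearer token is never attached automatically; only same-origin app
  // code that holds it can add the header. That is why it doubles as a CSRF token.
  if (viaAppJs && origin === host) headers.Authorization = `Bearer ${BEARER_TOKEN}`;
  return { origin, host, path, headers };
}

// Server-side check based on the session cookie.
function authByCookie(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.Cookie || "");
  return m !== null && m[1] === SESSION_ID;
}

// Server-side check based on the Authorization header.
// (A real server would compare tokens in constant time; plain === is a model.)
function authByBearer(req) {
  const h = req.headers.Authorization || "";
  return h.startsWith("Bearer ") && h.slice("Bearer ".length) === BEARER_TOKEN;
}

// Legitimate request: the app's own page and script call its own API.
const legit = browserRequest("app.example", "app.example", "/transfer", true);
// Session-riding request: a page on another site targets the same API.
// The cookie rides along; the bearer header does not.
const ridden = browserRequest("third-party.example", "app.example", "/transfer", false);
```

Run the two requests through both checks: `authByCookie` accepts both, while `authByBearer` accepts only the one issued by the app's own code.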


CSRF is already protected against by all modern browsers; it doesn't simply attach the cookie based on destination, it validates the allow-origin policy before sending it to the server. So to me, after doing some research, OAuth2 and session-based authentication both have the same security risk, and the only difference is the header that is being used.