30

2-legged OAuth2 is used for browser-based apps, where no client credential can be hidden from the public. 3-legged OAuth2 is used by "Web Server Apps", where there's a third call between servers. All well described here.

The question: Why bother with 3-legs, when 2-legs seems to be fine?

It's more work both for the provider and the client. Why didn't one of the big players make a move and remove 3-leg?

Aron Woost

2 Answers

85

Three-legged does not imply a certain type of app, as in "browser based". Three-legged means that an application acts on the direct behalf of a user. In the three-legged scenario there is

  1. an application (consumer),
  2. a user (resource owner) and
  3. an API (service provider).

In two-legged scenarios there is no concept of a user. Typically this has to do with application-to-application solutions. There the application (consumer) acts on behalf of itself. So in two-legged OAuth, there is:

  1. an application (consumer),
  2. an API (service provider)

The difference is simply that there is no need of a user authorisation step in the 2-legged approach.

Jon Nylander
  • Yes, you're right. I misunderstood what "2-leg" and "3-leg" actually mean. I'll set up a new question. I'll mark this answer as correct, since you saw my error. – Aron Woost Nov 14 '12 at 20:48
  • FYI: http://stackoverflow.com/questions/13387698/why-is-there-an-authorization-code-flow-in-oauth2-when-implicit-flow-works-s – Aron Woost Nov 14 '12 at 21:33
  • That's why I love SO! – Faizan Jun 10 '14 at 07:04
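As an added example (not code from the answers or from any real OAuth2 library), a toy authorization server in Python that models the two flows the answer contrasts: the 2-legged client credentials grant, where the token represents only the application, and the 3-legged authorization code grant, where the resource owner's approval step produces a token bound to that user. The client id, secret, user names and in-memory stores are constructed for illustration; the resource-server check at the end shows why an application-only token cannot stand in for a user.

```python
import secrets
import hmac

# Constructed toy authorization server for illustration, not a real OAuth2 implementation.
# 2-legged: client credentials grant, the app acts for itself (no user involved).
# 3-legged: authorization code grant, the app acts for a user who consented first.
CLIENTS = {"reporting-app": "s3cret"}  # constructed client_id -> client_secret

class AuthorizationServer:
    def __init__(self):
        self._codes = {}   # authorization code -> (client_id, user)
        self._tokens = {}  # access token -> {"client": ..., "sub": ...}
    def _check_client(self, client_id, client_secret):
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid client credentials")
    def client_credentials_grant(self, client_id, client_secret):
        """2-legged: the app authenticates itself; the token has no user subject."""
        self._check_client(client_id, client_secret)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"client": client_id, "sub": None}
        return token
    def authorize(self, client_id, user, consented):
        """3-legged step 1: the resource owner must approve before a code is issued."""
        if client_id not in CLIENTS or not consented:
            raise PermissionError("resource owner did not authorize the client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user)
        return code
    def authorization_code_grant(self, client_id, client_secret, code):
        """3-legged step 2: the app exchanges the single-use code for a user-bound token."""
        self._check_client(client_id, client_secret)
        entry = self._codes.pop(code, None)  # pop makes the code single use
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown, reused or mismatched authorization code")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"client": client_id, "sub": entry[1]}
        return token
    def introspect(self, token):
        return self._tokens.get(token)

def read_user_profile(server, token, user):
    """Resource server check: a user's data requires a token bound to that user."""
    claims = server.introspect(token)
    if claims is None or claims["sub"] != user:
        return None  # 2-legged tokens carry sub=None and are refused here
    return {"user": user, "client": claims["client"]}
```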
2

2-legged scenarios exist. For example, check the documentation about Google Apps domain-wide delegation of authority. Of course they can only be used in a trusted environment by a super-owner of the accounts. In the example I referred to above: a Google Apps domain administrator being the super-owner of all the users' accounts of the domain he is administrating.

3-legged has to be used in an open web environment, of course. You do need the approval of the resource owner to grant access to its data to a third-party application.

Nicolas Garnier
  • Yes, I mixed things up. (see http://stackoverflow.com/questions/13369516/why-is-there-3-legged-oauth2-when-2-legged-work-so-well/13384100#comment18284216_13384100) – Aron Woost Nov 14 '12 at 20:49
  • FYI: http://stackoverflow.com/questions/13387698/why-is-there-an-authorization-code-flow-in-oauth2-when-implicit-flow-works-s – Aron Woost Nov 14 '12 at 21:33