What are some real-world scenarios for 2-legged OAuth? Is it only applicable for mobile/desktop apps?
-
This question seems too broad and off topic – Joop May 07 '15 at 07:06
-
Hmm..... There are not many resources on web that are to the point and explain the details. I have found a lot of links which are vague. So had to come to SO – Praveen Anumukonda May 07 '15 at 07:08
2 Answers
2-legged OAuth (a.k.a. the Client Credentials flow in OAuth 2.0) is useful when a client wants to access certain resources without disclosing its primary client credentials to the resource API. The client would authenticate to an Authorization Server to get a derived token that it can present to the resource API to get access to the protected resources.
Getting the token and presenting it is done in a standardized and interoperable way without pestering the resource API with different authentication mechanisms. It also makes revocation of access easier because that is controlled in a centralized fashion on the Authorization Server, independent of the client's primary credentials. See also: How does 2-legged oauth work in OAuth 2.0?
It is applicable across mobile, desktop and web applications although keeping a client secret in mobile and desktop applications is arguably hard so it is most suitable in server-side environments.
A real world scenario is a batch script that fetches data from a remote API and processes it.
-
The real world scenario does not make much sense to me. Can you explain it a bit more? And give any other examples if possible – Praveen Anumukonda May 07 '15 at 08:17
2 legged auth is for server to server authentication on behalf of the application with no end-users involved.
For example, your application on Google AppEngine makes a request to Datastore (Database from Google Cloud). This uses 2 legged auth with JWTs.
Instead, if your application makes a request on behalf of the end user to read the user's Google Drive files, 3 legged auth is used.