45

Can you please explain to me the difference between OAuth 2.0 two-legged and three-legged implementations? And how to choose? Which one is for me?

Yves M.
Shraddha Shravagi
  • 7
    OAuth 2.0 doesn't have a clear separation between 3-legged and 2-legged OAuth. I have written a blog post on how to implement 2-legged OAuth with OAuth 2.0 and compare it with 1.0: [http://blog.facilelogin.com/2011/12/2-legged-oauth-with-oauth-10-and-20.html](http://blog.facilelogin.com/2011/12/2-legged-oauth-with-oauth-10-and-20.html) – Prabath Siriwardena Dec 20 '11 at 18:15

1 Answer

60

First, the legs refer to the roles involved. A typical OAuth flow involves three parties: the end-user (or resource owner), the client (the third-party application), and the server (or authorization server). So a 3-legged flow involves all three.

The term 2-legged is used to describe an OAuth-authenticated request without the end-user involved. Basically, it is a simple client-server authenticated request in which the client credentials (identifier and secret) are used to calculate a request signature instead of sending the secret in the clear.

Implementation-wise, 2-legged requests are exactly the same but don't include an access token or access token secret. These two values are basically empty strings.

Eran Hammer
  • 1
    Thanks for pointing it out. So if I take the example of Twitter, it asks us for two kinds of apps: a) desktop clients b) web apps. In the case of desktop clients, your app will ask the user to enter the PIN provided by Twitter, while in the case of a web app, this won't happen. So, does it mean that in the case of desktop clients it's 3-legged and in the case of web apps it's 2-legged OAuth? – Aman Alam Aug 05 '11 at 06:00
  • If you are making an API call on behalf of a user, it does not matter what kind of application it is, you are dealing with 3-legged flow. I am not sure if Twitter even provides a 2-legged API (that is, API that has nothing to do with any user, just the client itself). – Eran Hammer Aug 05 '11 at 07:21
  • 12
    Twitter in fact provides a 2-legged OAuth API - that is used when I want to tweet using my account. Basically 2-legged OAuth is about direct authentication; 3-legged OAuth is about delegation. – Prabath Siriwardena Dec 10 '11 at 15:01
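The "request signature" the accepted answer describes is the OAuth 1.0a HMAC-SHA1 scheme (OAuth 2.0 replaced it with bearer tokens), and the answer's point that a 2-legged request is the same as a 3-legged one with an empty token and empty token secret is easy to see in code. This is an added example, not code from the answer or from any OAuth library; the consumer key/secret, token, nonce, timestamp and URL are made-up values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars are left as-is."""
    return quote(str(value), safe="~")


def normalize_params(params):
    """Encode every key/value, then sort by encoded key and value (section 3.4.1.3.2)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, url, params):
    """Signature base string: METHOD & encoded-URL & encoded-normalized-params."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string. The key is consumer_secret '&' token_secret;
    for a 2-legged request the token secret is the empty string, so the key ends in '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request(method, url, request_params, consumer_key, consumer_secret,
                   token="", token_secret="", nonce=None, timestamp=None):
    """Build the oauth_* parameters for a request. Omitting token/token_secret gives a
    2-legged (client-only) request; supplying them gives a 3-legged (on behalf of a user) one."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = sign(method, url, {**request_params, **oauth}, consumer_secret, token_secret)
    return oauth


def verify(method, url, request_params, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature with the secrets it holds and compare in constant time.
    A real server must also reject stale timestamps and reused nonces to stop replay."""
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    expected = sign(method, url, {**request_params, **unsigned}, consumer_secret, token_secret)
    return hmac.compare_digest(oauth_params.get("oauth_signature", ""), expected)
```

Because the base string covers the method, URL and every parameter, any change to the request after signing (or a server guessing the wrong token secret) makes `verify` return False.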