2-legged vs. 3-legged OAuth

Published on and tagged with oauth

From emails I receive it seems like there is a bit of confusion about what the terms 2-legged OAuth and 3-legged OAuth mean. I hope I can clear up this confusion with this article (and don’t contribute more to the confusion…).

In short, they describe two different usage scenarios of OAuth involving two respectively three parties.

3-legged OAuth describes the scenario for which OAuth was originally developed: a resource owner wants to give a client access to a server without sharing his credentials (i.e. username/password). A typical example is a user (resource owner) who wants to give a third-party application (client) access to his Twitter account (server).

On a conceptual level it works in the following way:

  • Client has signed up to the server and got his client credentials (also known as “consumer key and secret”) ahead of time
  • User wants to give the client access to his protected resources on the server
  • Client retrieves the temporary credentials (also known as “request token”) from the server
  • Client redirects the resource owner to the server
  • Resource owner grants the client access to his protected resources on the server
  • Server redirects the user back to the client
  • Client uses the temporary credentials to retrieve the token credentials (also known as “access token”) from the server
  • Client uses the token credentials to access the protected resources on the server

2-legged OAuth, on the other hand, describes a typical client-server scenario, without any user involvement. An example for such a scenario could be a local Twitter client application accessing your Twitter account.

On a conceptual level 2-legged OAuth simply consists of the first and last steps of 3-legged OAuth:

  • Client has signed up to the server and got his client credentials (also known as “consumer key and secret”)
  • Client uses his client credentials (and empty token credentials) to access the protected resources on the server

Above I used Twitter as an example, though strictly speaking, they don’t use 2-legged OAuth, but a variant of it. They not only provide the client credentials but also the token credentials (see also Using one access token with OAuth).

As you have seen, 2-legged OAuth is nothing new, it is simply using OAuth in a different scenario than it was designed for. And hence you can use (almost?) all existing OAuth libraries for 2-legged OAuth, too.

15 comments baked

  • Lennaert Ekelmans

    A good example of 2-legged oAuth is the Google Apps API.

    In our business software we’re using the 2-legged oAuth API from Google Apps so all employers don’t have to give permission like in the 3-legged oAuth.

    The only thing we use is the `master` key/secret from the Administrator account so we have access to all data to Calendar/Mail feed/contacts..

  • Tweets that mention 2-legged vs. 3-legged OAuth - cakebaker -- Topsy.com

    […] This post was mentioned on Twitter by Planet CakePHP. Planet CakePHP said: #cakephp 2-legged vs. 3-legged OAuth http://bit.ly/dX4kG9 […]

  • cakebaker

    @Lennaert: Thanks for sharing this example!

  • Dave

    Thanks for writing, this seems a very concise and effective description.

    As a newcomer to this, I’m confused on who exactly are the principals in 3 legged OAuth.

    In particular:
    – how is “user” distinguished from “client”? The user is a human, and the client is the software they are using directly? I guess not, as “the server redirects the user back to the client”
    – is the server in “signed up to the server” necessarily the same server as the one containing the “protected resources”, or can the be different servers?

    Thanks!

  • cakebaker

    @Dave: Thanks for your questions.

    Yes, in the article “user” is human, but in the spec a “user” resp. “resource owner” is more broadly defined as: “An entity capable of accessing and controlling protected resources by using credentials to authenticate with the server.”

    And “client” is a web application in the article. This term, too, is more broadly defined in the spec as: “An HTTP client capable of making OAuth-authenticated requests.”

    To better understand “the server redirects the user back to the client”, we can use a real scenario: “Twitter redirects the user (or more precisely: the user’s browser) back to TwitPic”.

    Yes, the server in “signed up to the server” and the server containing the protected resources are conceptually the same. For example: you sign up to Twitter and you access the tweets (the protected resources) via Twitter’s API. In both cases the “server” is Twitter.

    I hope this answers your questions.

  • Abhay

    That is seriously very well ‘baked’.

    But still, I am rather confused on how 2LO works.

    I have a web app. I would like my users to integrate it with their Google Apps Domain, So that on their behalf, my app can access/modify/create/delete their resources on Google Apps server.
    So if my user says show me my docs, i will show him/her docs from his/her Google apps docs as well as any other that are local to my app.

    Who is consumer here? whose secret key is needed?
    is 2LO the right way in this scene?

    Can someone please elaborate?

    Thanks

  • cakebaker

    @Abhay: Thanks for your question!

    In the scenario you described your application is the consumer, and you have to use the secret key you got from Google.

    If your users have Google Apps for Business and Education accounts, and the APIs you want to use support 2LO, then I would use 2LO. Otherwise, you have to use the traditional 3LO approach. See also Google’s OAuth 1.0 for web applications.

    Maybe it helps to build a quick prototype to see whether 2LO works in your scenario.

    I hope this answers your questions.

  • Abhay

    Thanks for the reply.

    Well, i did build a prototype and found that if 2LO is used, some of the resources are accessed in read-only mode. So i had to go with 3LO.

    I am also opting for provisioning. Therein lies my next doubt.

    Google Apps admin (only) are allowed to create users in their domain. But non-admin users are also able to grant access to Provisioning API, if i am using 3LO.
    Am i missing something here? I mean, shouldn’t be non-admin users restricted from granting my app such an access? or should they not be? What should happen in such case?

    Also i am not clear if i am asking for grant using 3LO, only and only for Provisioning access, to a non-admin user, what should ideally happen? I don”t have the luxury of having multiple domains/accounts to test this with. Thats why the question. Can you please help?

  • cakebaker

    @Abhay: I’m sorry, I never used Google Apps and so I can’t answer your questions…

  • A Note on Providing OAuth for Your Mobile App « iamcam

    […] to use a two-legged OAuth implementation – username & password plus some secret keys (3-legged vs 2-legged explanation). This is what your users will expect when logging into your app & service. Before you can […]

  • Gail Houston

    Hello, I have a question about doing two-legged OAuth authentification. I implemented a rest API and OAUTH 2 legs in the server side. I want to sign my request using a Java library, so I tried signpost. I have a valid consumerKey and consumerSecret, but when I ran my test I get a 401 response code whith the following message : Authorization Required. Here is a sample code of my client :

    private OAuthConsumer consumer; 
    public LiveClient(String consumerKey, String consumerSecret) { 
      this.consumer = new DefaultOAuthConsumer(consumerKey, consumerSecret); 
      this.consumer.setTokenWithSecret(null, "");
      this.consumer.setMessageSigner(new HmacSha1MessageSigner());
      this.consumer.setTokenWithSecret(consumerKey, consumerSecret);
    } 
    
    public void sendRequest(String strUrl) throws MalformedURLException, OAuthMessageSignerException, OAuthExpectationFailedException, OAuthCommunicationException, IOException { 
      URL url = new URL(strUrl); 
      HttpURLConnection request = (HttpURLConnection) url.openConnection(); // sign the request (consumer is a Signpost DefaultOAuthConsumer) 
      consumer.sign(request); // send the request request.connect(); 
      ..... 
    }

    What I’m doing wrong? Any Ideas please? Regards.

  • cakebaker

    @Gail: You could try to use the following statement:

    this.consumer.setSendEmptyTokens(true);
    

    Hope this helps!

  • Tom

    I have a question as well. I’m working in a software service provider industry with many clients. We are trying to implement, OAuth 2.0. Questions that I have is, if the company that we are working with, our client wants to access our API resources. Should we become the consumer and the service provider?

  • cakebaker

    @Tom: I’m not sure I understand your question correctly. But your company is only the service provider, offering an API. And your client will be the consumer, accessing your API.

  • OAuth 2.0 소개 | Chanlee's Weblog

    […] 클라이언트 신임장 플로우 – 클라이언트는 억세스 토큰을 획득하기 위해 신임장을 사용합니다. 이 플로우는 2-legged 시나리오에 대해 지원합니다. (http://cakebaker.42dh.com/2011/01/10/2-legged-vs-3-legged-oauth/ 참고.) […]

  • Using Google Sheet As Web App Data Source | Matt Develops

    […] To connect my application to Google’s API, I need to use two-legged authorisation. Three-legged authorisation is used for applications with a front-end, to allow the user’s to grant access to data from their own account. My web service is a RESTful API with no front-end and only needs to access my own data, so authorisation can be achieved by reusing the same key. A more detailed description of two- and three- legged authorisation can be found here. […]

  • Google

    Google

    That is the finish of this post. Right here you’ll uncover some web sites that we consider you’ll appreciate, just click the hyperlinks.

  • Google

    Google

    Wonderful story, reckoned we could combine several unrelated information, nonetheless seriously worth taking a look, whoa did one particular understand about Mid East has got far more problerms as well.

  • Laverdaddesnuda.com

    Laverdaddesnuda.com

    […]that will be the end of this article. Right here you will discover some sites that we assume you will appreciate, just click the hyperlinks over[…]

  • tubidy

    tubidy

    […]Wonderful story, reckoned we could combine a handful of unrelated information, nevertheless really worth taking a search, whoa did a single master about Mid East has got more problerms too […]

  • سرور مجازی

    سرور مجازی

    […]the time to read or visit the subject material or web sites we have linked to below the[…]

  • php user authentication script

    php user authentication script

    […]Sites of interest we’ve a link to[…]

  • resell rights ebooks

    resell rights ebooks

    […]although internet websites we backlink to below are considerably not related to ours, we really feel they are in fact worth a go via, so have a look[…]

  • Little Italy Suppe von little Lunch

    Little Italy Suppe von little Lunch

    […]Wonderful story, reckoned we could combine some unrelated information, nevertheless seriously worth taking a appear, whoa did one master about Mid East has got more problerms as well […]

  • Yahweh-Jehovah

    Yahweh-Jehovah

    […]that would be the finish of this report. Right here you’ll discover some web sites that we feel you’ll value, just click the links over[…]

  • istorii

    istorii

    […]Here is a superb Blog You may Find Fascinating that we Encourage You[…]

  • iPhone 7 Charger

    iPhone 7 Charger

    […]very handful of internet sites that happen to become comprehensive beneath, from our point of view are undoubtedly properly worth checking out[…]

  • thai netflix

    thai netflix

    […]Here is a great Weblog You might Find Interesting that we Encourage You[…]

  • Iphone charger

    Iphone charger

    […]that is the finish of this report. Here you will obtain some web pages that we think you’ll value, just click the links over[…]

  • Tecnologia

    Tecnologia

    […]below you will come across the link to some web pages that we assume you’ll want to visit[…]

  • traveling packages

    traveling packages

    […]check below, are some entirely unrelated sites to ours, however, they are most trustworthy sources that we use[…]

  • free download for windows pc

    free download for windows pc

    […]Here are a few of the internet sites we recommend for our visitors[…]

  • laptop app

    laptop app

    […]just beneath, are a lot of totally not connected web pages to ours, nonetheless, they are surely worth going over[…]

  • free download for windows 8

    free download for windows 8

    […]Every when inside a even though we select blogs that we study. Listed beneath are the most up-to-date web-sites that we pick out […]

  • app pc download for windows

    app pc download for windows

    […]check below, are some entirely unrelated internet sites to ours, on the other hand, they’re most trustworthy sources that we use[…]

  • apps download for windows 8

    apps download for windows 8

    […]Every the moment in a whilst we choose blogs that we study. Listed below are the most current internet sites that we decide on […]

  • free full download for windows

    free full download for windows

    […]The information and facts mentioned within the write-up are a number of the most beneficial obtainable […]

  • download full version pc games

    download full version pc games

    […]just beneath, are various entirely not connected internet sites to ours, nonetheless, they’re certainly worth going over[…]

  • full version pc games download

    full version pc games download

    […]Here is a superb Weblog You might Obtain Intriguing that we Encourage You[…]

  • pc app for windows 10

    pc app for windows 10

    […]below you’ll discover the link to some web-sites that we feel you ought to visit[…]

  • MILF Porn Online

    MILF Porn Online

    […]check below, are some totally unrelated web sites to ours, however, they are most trustworthy sources that we use[…]

  • segodnya prazdnik

    segodnya prazdnik

    […]check below, are some totally unrelated websites to ours, on the other hand, they are most trustworthy sources that we use[…]

  • free full download for windows pc

    free full download for windows pc

    […]although web sites we backlink to beneath are considerably not connected to ours, we really feel they’re essentially really worth a go as a result of, so possess a look[…]

  • free app for pclaptop app free download

    free app for pclaptop app free download

    […]check beneath, are some completely unrelated sites to ours, however, they are most trustworthy sources that we use[…]

  • masaje domicilio barcelona

    masaje domicilio barcelona

    […]we prefer to honor many other world-wide-web web pages around the net, even if they aren’t linked to us, by linking to them. Below are some webpages really worth checking out[…]

  • new free games

    new free games

    […]we came across a cool web site that you may get pleasure from. Take a look should you want[…]

  • bitcoin shopping

    bitcoin shopping

    […]Sites of interest we have a link to[…]

  • japanese fukui datumou

    japanese fukui datumou

    […]Sites of interest we have a link to[…]

  • japanese fukui datumou

    japanese fukui datumou

    […]here are some links to web sites that we link to since we assume they’re worth visiting[…]

  • Computer monitor sell

    Computer monitor sell

    […]please pay a visit to the web-sites we follow, like this 1, as it represents our picks in the web[…]

© daniel hofstetter. Licensed under a Creative Commons License