Hi Phil, I actually think this rephrasing of the rule of thumb is not really helpful based on how the word "legs" has been used in my experience of discussing and teaching OAuth. I actually tried to be pretty explicit about this topic in a talk I did at Google I/O last year because we have lots of questions about 2 versus 3 legged OAuth since the launch of the Google Apps Marketplace. http://www.youtube.com/watch?v=0L_dEOjhADQ. I speak about 17mins in.
We have traditionally used the terms two-legged OAuth and three-legged OAuth to describe the trust relationships involved in the grant. I think your interpretation is very different and not a common way to use the term 'legs' in relation to OAuth, and will simply confuse people. 2LO involves a client authenticating itself to a server. 3LO involves those two previous actors, plus a user/resource owner who delegates permissions to the client. In everyday use, 2LO is 'server to server' auth with out-of-band permissions and user identity, and 3LO involves an individual grant where the user's grant is identified by a token given to the client and passed to the server on access. Another way to look at it is 2LO is just HTTP request signing.

davep

On Mon, Feb 21, 2011 at 4:45 PM, Phil Hunt <phil.h...@oracle.com> wrote:
> FYI. I published a blog post with a flow-chart explaining the legs of OAuth.
> http://independentidentity.blogspot.com/2011/02/does-oauth-have-legs.html
>
> Please let me know if any corrections should be made, or for that matter, any
> improvements!
>
> Phil
> phil.h...@oracle.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
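As an added illustration of the distinction davep draws (example code, not from this thread, Google, or the linked blog post), the following minimal RFC 5849 HMAC-SHA1 signer and verifier shows that 2LO is request signing with the consumer secret alone, while 3LO adds an oauth_token whose secret only exists because a user granted access. Credentials, nonce and timestamp are constructed sample values, and nonce/timestamp replay checks are deliberately left out to keep the focus on the key material.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed credentials: consumer secret shared out of band (2LO); token secret exists only via a user grant (3LO).
CONSUMER = {"key": "app-123", "secret": "cs-secret"}
TOKENS = {"tok-alice": {"secret": "ts-alice", "user": "alice"}}

def pct(s):
    return quote(str(s), safe="-._~")  # RFC 5849 section 3.6: only unreserved characters stay literal

def base_string_uri(url):
    """Scheme, host and path only; default ports and the query are dropped (section 3.4.1.2)."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    host = u.hostname.lower() + (f":{u.port}" if u.port and u.port != default else "")
    return f"{u.scheme}://{host}{u.path or '/'}"

def signature_base_string(method, url, params):
    """Query and oauth_* parameters (minus oauth_signature) are encoded, sorted and joined (3.4.1.3)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in query + list(params.items()) if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_string_uri(url)), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; in 2LO the token half is simply empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(method, url, token=None, nonce="n1", timestamp="1298329500"):
    """Client side. 2LO: sign with the consumer secret alone. 3LO: add oauth_token and its secret."""
    params = {"oauth_consumer_key": CONSUMER["key"], "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": timestamp, "oauth_nonce": nonce}
    token_secret = ""
    if token:
        params["oauth_token"], token_secret = token, TOKENS[token]["secret"]
    params["oauth_signature"] = hmac_sha1(method, url, params, CONSUMER["secret"], token_secret)
    return params

def server_verify(method, url, params, require_user=False):
    """Server side: recompute and compare. Returns the delegating user, 'server-to-server' for a 2LO call, or None."""
    if params.get("oauth_consumer_key") != CONSUMER["key"]:
        return None
    grant = TOKENS.get(params.get("oauth_token", ""))
    if require_user and grant is None:  # a 2LO signature proves the client, not any user's consent
        return None
    expected = hmac_sha1(method, url, params, CONSUMER["secret"], grant["secret"] if grant else "")
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None
    return grant["user"] if grant else "server-to-server"
```

A resource that represents one user's data should be served with `require_user=True`, so a correctly signed 2LO request still has no user to act for and is refused.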