Monday, March 21, 2011

Does OAuth need more legs?

OAuth is currently being worked out at the IETF. One concept that is prevalent in OAuth right now is that of "legs". I am glad that I am not the only one who thinks that "legs" is a bad choice for describing the number of parties involved in an exchange.

Refer to

Basically, a "leg" involves one party.

So, "two-legged OAuth" involves two parties. For example, if two endpoints agree on an exchange without user intervention, it is two-legged. If the endpoints are trusted, belong to the same entity, or sit within a corporate firewall, then 2-legged OAuth makes sense.

Now, if we bring the "user" into the mix, we add a "leg": that is, we have 3-legged OAuth. A user approves another service, such as a Twitter client (leg), to get/set/operate his account in a third service such as Twitter (leg).
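To make the difference between the two flows concrete, here is an added example (not code from this post) that simulates both in the OAuth 1.0 style that RFC 5849 specifies, where the "legs" terminology originated. The client signs each request with HMAC-SHA1; in the two-legged case the signing key is the consumer secret alone, in the three-legged case a user-approved access token and its secret are added, so the service provider can tell which user the client is acting for. The server class, consumer keys, secrets, URL, nonces and timestamps are all constructed placeholders, and the replay cache is an in-memory set rather than anything a real provider would use.

```python
"""Two-legged vs. three-legged OAuth 1.0 (RFC 5849), simulated offline.

Added example; not code from the blog post. Keys, secrets, nonces, timestamps
and the URL are constructed placeholders, and the server is an in-memory class.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(s, safe="-._~")


def signature_base_string(method, base_url, params):
    """String both sides sign. params: decoded (name, value) pairs without
    oauth_signature; duplicates are allowed and sorted by name, then value."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret'. Two-legged requests
    have an empty token secret, so only the consumer secret proves identity."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token=None, token_secret="", nonce="n0", timestamp="1300000000"):
    """Client side. token=None gives a two-legged (consumer-only) request;
    passing a user's access token makes it three-legged."""
    oauth = [("oauth_consumer_key", consumer_key), ("oauth_nonce", nonce),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", timestamp), ("oauth_version", "1.0")]
    if token is not None:
        oauth.append(("oauth_token", token))
    base = signature_base_string(method, url, list(params) + oauth)
    oauth.append(("oauth_signature", hmac_sha1(base, consumer_secret, token_secret)))
    return dict(oauth)


class Server:
    """Service provider (constructed stand-in): stores consumer secrets, issues
    tokens, and verifies signed requests from either flow."""

    def __init__(self, consumers):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = {}             # token -> {"secret", "user", "verifier", "access"}
        self.seen = set()            # (consumer_key, timestamp, nonce) replay cache

    # The extra leg: the user approves the client at the provider's own UI.
    def issue_request_token(self):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "user": None, "verifier": None, "access": False}
        return tok, sec

    def user_authorizes(self, token, user):
        rec = self.tokens[token]
        rec["user"], rec["verifier"] = user, secrets.token_hex(4)
        return rec["verifier"]       # client must echo this to prove it was the approved one

    def exchange_for_access_token(self, token, verifier):
        rec = self.tokens.pop(token)  # request tokens are single-use, success or not
        if rec["user"] is None or not hmac.compare_digest(rec["verifier"], verifier):
            return None
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "user": rec["user"], "verifier": None, "access": True}
        return tok, sec

    def verify(self, method, url, params, oauth):
        """Return the acting user ('' for two-legged) on success, None on failure."""
        oauth = dict(oauth)
        sig = oauth.pop("oauth_signature", None)
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        if sig is None or consumer_secret is None:
            return None
        token_secret, user = "", ""
        if "oauth_token" in oauth:
            rec = self.tokens.get(oauth["oauth_token"])
            if rec is None or not rec["access"]:
                return None          # unknown token, or a request token never upgraded
            token_secret, user = rec["secret"], rec["user"]
        replay_key = (oauth["oauth_consumer_key"], oauth.get("oauth_timestamp"), oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return None
        base = signature_base_string(method, url, list(params) + list(oauth.items()))
        if not hmac.compare_digest(hmac_sha1(base, consumer_secret, token_secret), sig):
            return None
        self.seen.add(replay_key)
        return user


def demo():
    """Run one two-legged and one three-legged exchange against the same server."""
    server = Server({"app-key": "app-secret"})
    url, params = "http://example.test/api/tweets", [("count", "1")]
    two = sign_request("GET", url, params, "app-key", "app-secret", nonce="a1")
    rt, _ = server.issue_request_token()                  # leg 1: client asks
    verifier = server.user_authorizes(rt, "alice")        # leg 2: user approves
    at, ats = server.exchange_for_access_token(rt, verifier)
    three = sign_request("GET", url, params, "app-key", "app-secret", at, ats, nonce="b1")
    return server.verify("GET", url, params, two), server.verify("GET", url, params, three)
```

The point the example makes visible is what the third leg buys: a two-legged request verifies purely on the consumer secret, so the provider learns which application is calling but nothing about a user, whereas a three-legged request cannot verify unless the token was issued through the user's approval step, and the server can attribute the call to that user. The base-string construction is the RFC 5849 one, so it reproduces the signature base string from the RFC's own worked example.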

In my view, "party" is the right choice, since "2-party OAuth" and "3-party OAuth" are far more intuitive.

I definitely want to hear your opinion, or any corrections to my understanding of OAuth.

1 comment:

Phil Hunt said...

Anil, you may want to take a look at OAuth Extended Flows.

It has the new terminology based on that discussion you referenced.