High Level OAuth Overview
OAuth is a way for applications to authenticate with one-another. In essence a client application encrypts a string of values and passes that encrypted string, along with the values it used to encrypt it (except one, your secret key), to theserver. The server then uses the values you sent across to look up your secret key and attempt to generate the sameencrypted string you did. The server then compares the two encrypted stringstogether. If they match, it’s a success. If not, it’s a failure.
The difference between 3-Legged OAuth and 2-Legged OAuth is that in the 3-Legged variant, the client first passes some credentials to the server and gets an access token back if authentication is successful. Then this token is passed along in subsequent requests. This is commonly called ‘the dance’ in OAuth developer circles. When you authenticate with Netflix through various platforms (AppleTV, iPhone, Netflix.com), you do a 3-Legged OAuth dance. This allows for users, applications, and authentication to be abstracted out into separate tiers.
Some other types of applications may be better suited for the authentication and message passing to happen in 1 request and 1 requestonly. This is where 2-legged comes in. In 2-legged OAuth you pass the encrypted string, the values used forencryption, and the message payload in 1 GET or POST. If it is rejected, the message fails. If it’s accepted then the message is processed. This particular app that I was working on testing was a central logging system. Every message was a log event. There was no time (or functional need) for a three-way handshake in this app and also no notion of a maintained state. 2-Legged OAuth cuts out the middleman. If authentication is successful the message is processed, no dancing around.
Click here to dive deeper
About the AuthorDan Bartow
Dan is the principal product designer at SOASTA, who is responsible for research and development activities across the award winning SOASTA product portfolio.@PerfDan