Two-legged OAuth flow

Two-legged OAuth processing involves three parties: the OAuth client, the authorization server, and the resource server. The OAuth client is either the resource owner itself or a trusted entity that holds the resource owner's credentials. In other words, two-legged OAuth processing requires no additional interaction with the resource owner.

Two-legged OAuth processing requires either the resource owner password credentials grant type or the client credentials grant type.

The typical flow for two-legged OAuth processing involves the following activities:

  1. An OAuth client initiates a request with an authorization server and receives an access token.
  2. The OAuth client uses the access token to access protected resources on the resource server.

The following figure shows the two-legged OAuth processing flow.

Figure 1. Two-legged OAuth processing flow
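The two activities above, carried out end to end as an added example that is not part of the original page or of any particular product's implementation: an in-process authorization server that handles both two-legged grant types (`client_credentials` and `password`, using the form field names of RFC 6749 sections 4.3 and 4.4), and a resource server that validates the bearer token before releasing a protected resource. The client registration, the user, the secrets, the `invoices:read` scope and the `get_invoices` resource are all constructed for this example; the servers talk through Python dictionaries rather than HTTP so the flow runs offline.

```python
import hmac
import secrets
import time

# Constructed sample registrations (not from the page). A real server stores
# hashed client secrets and user passwords, never plaintext.
CLIENTS = {
    "billing-batch": {"secret": "batch-secret-123", "scopes": {"invoices:read"}},
}
USERS = {"alice": "correct-horse-battery-staple"}


class AuthorizationServer:
    """Activity 1: issues opaque bearer tokens for the two two-legged grant types."""

    def __init__(self, clients, users, token_ttl=300):
        self.clients = clients
        self.users = users
        self.token_ttl = token_ttl
        self._tokens = {}  # opaque token -> claims; in practice a store or a signed JWT

    def token(self, form):
        """Token endpoint. `form` mirrors the POST body fields of RFC 6749."""
        client = self.clients.get(form.get("client_id"))
        # Authenticate the client first; the constant-time compare avoids timing leaks.
        if client is None or not hmac.compare_digest(
            client["secret"].encode(), form.get("client_secret", "").encode()
        ):
            return {"error": "invalid_client"}
        grant_type = form.get("grant_type")
        if grant_type == "client_credentials":
            subject = form["client_id"]  # the client acts on its own behalf
        elif grant_type == "password":
            pw = self.users.get(form.get("username"))
            if pw is None or not hmac.compare_digest(pw.encode(), form.get("password", "").encode()):
                return {"error": "invalid_grant"}
            subject = form["username"]  # the client acts for the resource owner
        else:
            return {"error": "unsupported_grant_type"}
        requested = set(form.get("scope", "").split()) or set(client["scopes"])
        if not requested <= client["scopes"]:
            return {"error": "invalid_scope"}  # never widen beyond the registered scopes
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "client_id": form["client_id"], "sub": subject,
            "scope": requested, "expires_at": time.time() + self.token_ttl,
        }
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": " ".join(sorted(requested))}

    def introspect(self, token):
        """Returns the claims of a live token, or None if it is unknown or expired."""
        claims = self._tokens.get(token)
        if claims is None or time.time() >= claims["expires_at"]:
            return None
        return claims


class ResourceServer:
    """Activity 2: validates the bearer token before releasing the protected resource."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_invoices(self, headers):
        value = headers.get("Authorization", "")
        if not value.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        claims = self.auth_server.introspect(value[len("Bearer "):])
        if claims is None:
            return 401, {"error": "invalid_token"}
        if "invoices:read" not in claims["scope"]:
            return 403, {"error": "insufficient_scope"}
        return 200, {"sub": claims["sub"], "invoices": ["INV-1", "INV-2"]}


def two_legged_flow(auth_server, resource_server, form):
    """Runs both legs: obtain an access token, then present it to the resource server."""
    token_response = auth_server.token(form)
    if "error" in token_response:
        return 401, token_response
    headers = {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}
    return resource_server.get_invoices(headers)


if __name__ == "__main__":
    auth = AuthorizationServer(CLIENTS, USERS)
    rs = ResourceServer(auth)
    print(two_legged_flow(auth, rs, {"grant_type": "client_credentials",
                                     "client_id": "billing-batch",
                                     "client_secret": "batch-secret-123"}))
```

The `sub` claim is what distinguishes the two grants on the resource side: with `client_credentials` the token speaks for the client, with `password` it speaks for the user whose credentials the trusted client supplied. The resource server never sees client or user secrets, only the token, and rejects a missing header, an unknown or expired token, and a token lacking the required scope with distinct status codes.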