Eugeny89

Reputation: 3731

php+oauth: what's the difference between 3-legged and 2-legged auth?

I'm looking at an oauth+php example (http://code.google.com/p/oauth-php/wiki/ConsumerHowTo#Two-legged_OAuth). There are two different schemas to get authorized: 3-legged and 2-legged. What's the difference? When should I use each of them?

Thank you in advance!

Upvotes: 2

Views: 1465

Answers (2)

Ryan Boyd

Reputation: 3018

The referenced URL provides a decent overview.

In Google land:

  • 2-legged OAuth (2LO) is typically used for Google Apps. In this scenario, the domain administrator can pre-approve authorization for an application to access user data on the domain (example: DocuSign can access Google Docs on behalf of all users on the example.com domain). The administrator does this via the Google Apps control panel or by installing the application from the Google Apps Marketplace. Since the approval has happened outside of the OAuth flow, the application simply needs to prove its identity, and then the authorization for data access is verified by the API server when a request is made. Typically the application indicates the user on whose behalf it's making the request using the [email protected] query parameter in the API calls.
  • 3-legged OAuth (3LO) is when you're directly prompting an end-user for authorization at the time authorization is required. This is the "normal" flow.

Upvotes: 2
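
How the two flows differ at the request level in OAuth 1.0 (RFC 5849, HMAC-SHA1), as an added example that is not part of the answer above and not oauth-php's own code: a 2-legged request carries no `oauth_token` and is signed with the consumer secret alone, while a 3-legged request adds the user-granted token and its secret to the signing key. The function names, URL, keys, secrets and token are all constructed for illustration.

```php
<?php
// Added example, not oauth-php code. Every key, secret, token and URL is a constructed sample.

// Build the OAuth 1.0 signature base string (RFC 5849, section 3.4.1).
function signature_base_string(string $method, string $url, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($normalized);
}

// Return the oauth_* parameters for one request. $token === null means 2-legged.
function sign_request(string $method, string $url, array $params, string $consumerKey,
    string $consumerSecret, ?string $token = null, string $tokenSecret = ''): array
{
    $oauth = [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_version'          => '1.0',
    ];
    if ($token !== null) {
        $oauth['oauth_token'] = $token; // 3-legged only: the token the user approved
    }
    // Signing key is "consumer_secret&token_secret"; 2-legged leaves the second half empty.
    $key  = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    $base = signature_base_string($method, $url, $params + $oauth);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));
    return $oauth;
}

$url   = 'https://api.example.com/docs/list';
$query = ['max' => '10'];
$two   = sign_request('GET', $url, $query, 'sample-consumer-key', 'sample-consumer-secret');
$three = sign_request('GET', $url, $query, 'sample-consumer-key', 'sample-consumer-secret',
    'sample-access-token', 'sample-token-secret');
foreach (['2-legged' => $two, '3-legged' => $three] as $label => $p) {
    printf("%s oauth_token=%s signature=%s\n", $label, $p['oauth_token'] ?? '(none)', $p['oauth_signature']);
}
```

Because the 2-legged signing key is the consumer secret alone, anyone holding that secret can sign requests for every user the administrator pre-approved, so it needs the same protection as a domain-wide credential.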

shadyyx

Reputation: 16055

From the examples I guess the 2-legged auth is just simpler and allows you to call only a concrete method the server provides, so you have to auth every time a method call should be done. While with 3-legged auth you gain access to all servers possible, then select a concrete one, and then you can call any methods you want once you are authenticated and authorized...

Upvotes: 1
