Reputation: 1
What are some real-world scenarios for 2-legged OAuth? Is it only applicable for mobile/desktop apps?
Upvotes: 0
Views: 1455
Reputation: 2366
2-legged auth is for server-to-server authentication on behalf of the application, with no end users involved.
For example, your application on Google AppEngine makes a request to Datastore (a database from Google Cloud). This uses 2-legged auth with JWTs.
If, instead, your application makes a request on behalf of the end user to read the user's Google Drive files, 3-legged auth is used.
Upvotes: 0
Reputation: 53928
2-legged OAuth (a.k.a. the Client Credentials flow in OAuth 2.0) is useful when a client wants to access certain resources without disclosing its primary client credentials to the resource API. The client would authenticate to an Authorization Server to get a derived token that it can present to the resource API to get access to the protected resources.
Getting the token and presenting it is done in a standardized and interoperable way without pestering the resource API with different authentication mechanisms. It also makes revocation of access easier because that is controlled in a centralized fashion on the Authorization Server, independent of the client's primary credentials. See also: How does 2-legged oauth work in OAuth 2.0?
It is applicable across mobile, desktop and web applications, although keeping a client secret in mobile and desktop applications is arguably hard, so it is most suitable in server-side environments.
A real-world scenario is a batch script that fetches data from a remote API and processes it.
Upvotes: 1
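The Client Credentials exchange described in the answer above, as an added example that is not part of the original answers. The `AuthorizationServer` and `ResourceAPI` classes are hypothetical in-process stand-ins for the two HTTP services, and the client id and secret are constructed sample values.

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs

CLIENT_ID, CLIENT_SECRET = "batch-job", "constructed-secret"  # constructed sample values
class AuthorizationServer:
    """Toy authorization server: the only party that ever sees the client secret."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> client_secret
        self.tokens = {}        # access_token -> (client_id, expiry time)

    def token_endpoint(self, headers, body):
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            return 401, {"error": "invalid_client"}
        if parse_qs(body).get("grant_type") != ["client_credentials"]:
            return 400, {"error": "unsupported_grant_type"}
        try:
            cid, _, secret = base64.b64decode(cred).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return 401, {"error": "invalid_client"}
        expected = self.clients.get(cid)
        if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)  # derived credential, unrelated to the secret
        self.tokens[token] = (cid, time.time() + 3600)
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        cid, expiry = self.tokens.get(token, (None, 0))
        return cid if time.time() < expiry else None

    def revoke(self, token):
        self.tokens.pop(token, None)  # central revocation; client secret is untouched

class ResourceAPI:
    """Accepts bearer tokens only; it never handles the client secret."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
    def get_report(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        cid = self.auth_server.introspect(token) if scheme == "Bearer" else None
        if cid is None:
            return 401, {"error": "invalid_token"}
        return 200, {"rows": [1, 2, 3], "served_to": cid}

def get_token(auth_server, client_id, client_secret):
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return auth_server.token_endpoint({"Authorization": f"Basic {basic}"},
                                      "grant_type=client_credentials")
```

Revoking the token cuts off the batch job at the resource API without rotating its secret, and the job can obtain a fresh token afterwards with the same credentials.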