3-legged oauth
resource owner, client, server.
resource owner 给client访问权限去访问resource owner在server上的resource,但是resource owner和client不共享credentials(用户名和密码)。
1. client在server上注册,获得client credentials(包括consumer key和consumer secret)
2. client从server获得temporay credentials(即request token)
3. client将user-agent定向到server
4. user授权client访问server上的resource
5. server将user-agent定向到client
6. client用temporary credentials(request token)从server换取token credentials(即 access token)
7. client使用access token访问server上的protected resource
2-legged oauth
没有user参与的 server/client形式
1. client在server上注册,获得client credentials(包括consumer key和consumer secret)
2. client使用client credential(和 空的token credential)访问server上的protected resource