Is OAuth a "two-way" street?
What I mean is, let's say I have two organizations ACME and Boring Corp.
A user at ACME wants to log in to Boring Corp. to access some content that will be viewed through Boring Corp's website. They go to Boring.com and it redirects them to ACME to log in. Once verified, they are redirected back to Boring Corp to do XYZ and access ABC.
HOWEVER, they also want to, at any given time, view information about XYZ and ABC from Boring Corp. from the ACME website page itself. So they would essentially be giving ACME Corp permission to access data they own on Boring Corp, BUT their login credentials are entirely stored on and in ACME.
Not only do they log into Boring Corp. website via ACME credentials and do things on the Boring Corp. site, but they also request data back from the Boring Corp. site to be viewed on the ACME site. All from the same ACME login.
Breaking it down further...
- User accounts are stored at ACME website
- User accesses Boring Corp, is redirected to ACME to login, and returned back to Boring Corp to do various Actions
- Actions on Boring Corp produce Data stored on Boring Corp website
later in the day...
- User wants to view some of the Data stored on Boring Corp website that was created from the Actions he took there
- So he logs into ACME website which pulls down the Data from Boring Corp for this user, so he can view it on the ACME site
So he is logging into Boring Corp via ACME login to do Actions at Boring Corp, and then later going to view Data he owns at Boring Corp (Data created from Actions taken there) from the ACME website as well. All while using the same ACME login.
Hope that makes it more clear.
Is this an OAuth appropriate situation?
I think you are confusing two things: authentication and authorization. Authentication has to do with credentials, authorization with access permissions. OAuth itself handles only authorization, so I assume you're using OpenID or something to perform the authentication phase.
In this situation, you have:
- authentication service at ACME;
- authorization service at Boring Corp.
There is no reason for these to be incompatible, but these are two different services: access to resources provided by Boring Corp is separate from how Boring Corp authenticates you. In this case, they're also running on different machines/networks.
So, to answer your question "is OAuth a two-way street?": no, it isn't. However, you may implement what you're trying to achieve. And it might well be an appropriate solution, but you've proposed some solution without any description of the requirements, so we can't judge that bit.
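The split this answer describes (ACME authenticates the user, Boring Corp authorizes ACME to read the user's Data), as an added illustration that is not part of the original thread: Boring Corp acts as the OAuth provider (authorization server plus resource server) and ACME is the OAuth client using the authorization-code grant. Client ids, secrets, URLs, the `data:read` scope and the sample Data are assumptions made up for this example.

```python
import secrets
import time

# Constructed example: Boring Corp is the OAuth provider (authorization server plus
# resource server); ACME is the OAuth client. All identifiers here are assumptions.
class BoringCorp:
    def __init__(self):
        self.clients = {"acme-portal": ("acme-client-secret", "https://acme.example/oauth/cb")}
        self.codes = {}   # one-time codes -> (client_id, redirect_uri, user, scope, expiry)
        self.tokens = {}  # access tokens -> (user, scope, expiry)
        self.data = {"alice": ["order-1", "order-2"]}  # Data produced by Actions at Boring Corp

    def authorize(self, client_id, redirect_uri, scope, user, state):
        # The user was already authenticated (the ACME login in the question); Boring
        # Corp only decides whether this client may act for that user, and issues a code.
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, scope, time.time() + 60)
        return code, state  # delivered to the client on the redirect back

    def token(self, client_id, client_secret, code, redirect_uri):
        entry = self.codes.pop(code, None)  # single use: a replayed code is rejected
        secret = self.clients.get(client_id, ("", ""))[0]
        if (entry is None or entry[0] != client_id or entry[1] != redirect_uri
                or time.time() > entry[4] or not secrets.compare_digest(secret, client_secret)):
            raise PermissionError("token request rejected")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (entry[2], entry[3], time.time() + 3600)
        return access_token

    def read_data(self, access_token):
        user, scope, expiry = self.tokens.get(access_token, (None, "", 0))
        if user is None or time.time() > expiry or "data:read" not in scope.split():
            raise PermissionError("token missing, expired or lacking data:read scope")
        return list(self.data.get(user, []))

def acme_fetch_data(provider, user):
    """ACME (the client) obtains a scoped token and pulls the user's Data; the user's
    ACME credentials are never sent to Boring Corp, only the token is."""
    state = secrets.token_urlsafe(8)  # tied to the browser session; guards the redirect
    code, returned_state = provider.authorize(
        "acme-portal", "https://acme.example/oauth/cb", "data:read", user, state)
    if not secrets.compare_digest(state, returned_state):
        raise PermissionError("state mismatch: redirect was not started by ACME")
    token = provider.token("acme-portal", "acme-client-secret", code, "https://acme.example/oauth/cb")
    return token, code, provider.read_data(token)
```

The token is what lets the ACME site show Boring Corp Data later in the day; Boring Corp never learns the ACME password, and a reused code or a token without `data:read` is refused.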
In OAuth there are 3 points involved: the user, the consumer and the provider... Easy example, Facebook speaking: the user would be us (you, me and the mortals...); the consumer: any app (from a different development company other than Facebook, third-party apps); provider: Facebook.
In my company... the user: (the mortals... you and me); the consumer: an app developed by my company; provider: my company.
OAuth was developed so that the third-party apps didn't have access to the whole base company database, only certain information about the users regarding the provider DB.
That's why it generates different types of tokens, so that the third-party apps don't get your password or mails or any stuff you don't want people outside Facebook to see; that token is the one that authenticates the app to have access to certain info regarding the user.
When it comes to my company, I'm the provider and the consumer; my company database access is only for the company development team. Nobody outside my company has access to the DB.
In conclusion: OAuth is the greatest auth protocol ever, but... does your company really need it?? Is there someone outside your company using your resources?? Is there a third-party development? That's the real question...
To make my point clearer, check out how many providers there are compared to clients; every tutorial always has the same few providers: Facebook, Twitter, Google, Yahoo etc...
Check out how many clients there are?? There must be at least a million or a billion or a number we can't pronounce (every app developed for Facebook, Twitter or Google has strict instructions to be authenticated through OAuth).
That's why I'm not using OAuth for the near present... I think you shouldn't....