OAuth - What exactly is a resource owner? When is it not an end-user?

smartcaveman · Jun 7, 2011 · Viewed 17.3k times

The term "resource owner" is defined in the OAuth v2.0 Specification, as "An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user."

My question is, when is a resource owner not an end-user? I would appreciate explanation through examples that could be real use cases. For example, if the protected resource is a Facebook user's photo, is the resource owner Facebook or the Facebook user who uploaded the photo? Also, why would the resource owner (that is also a person) be considered an end-user if that person is not even a user of the application that is implementing OAuth? And, if the Facebook user is the resource owner, then what role does Facebook play in this exchange?

Answer

Eran Hammer · Jun 21, 2011

A resource owner can be a machine, not just people. There are many cases where no humans are involved in the entire OAuth flow, especially in enterprise setups. At least, that's what I meant when I introduced the term in RFC 5849 (and later in OAuth 2.0).
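The human-free flow described in this answer corresponds to the OAuth 2.0 client credentials grant (RFC 6749, section 4.4), where the client acts on its own behalf and is itself the resource owner. The following is an added Python example, not code from the original answer or from any OAuth library, sketching a minimal in-memory authorization server and resource-server check for that grant; the client id, secret and scope names are constructed.

```python
# Added example (not from the original post): a minimal in-memory authorization
# server handling the OAuth 2.0 client_credentials grant (RFC 6749, section 4.4).
# The client is a backend service acting for itself, so it is the resource owner
# and no end-user appears anywhere in the flow.
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registry: the "machine" resource owner and the scopes it may hold.
CLIENTS = {"billing-batch": {"secret": "s3cr3t-constructed", "scopes": {"invoices:read"}}}
TOKENS = {}  # access_token -> {"client_id", "scope", "exp"}

def token_endpoint(body, now=None):
    """Handle a form-encoded POST to /token and return the response as a dict."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client_id = form.get("client_id", "")
    client = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret does not leak its prefix via timing.
    presented = form.get("client_secret", "").encode()
    if client is None or not hmac.compare_digest(client["secret"].encode(), presented):
        return {"error": "invalid_client"}
    # Omitted scope means "everything this client is registered for"; never more.
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "scope": requested, "exp": now + 3600}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": 3600, "scope": " ".join(sorted(requested))}

def resource_server_check(authorization_header, needed_scope, now=None):
    """Resource server side: the bearer token must exist, be unexpired and carry the scope."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    info = TOKENS.get(token) if scheme == "Bearer" else None
    return bool(info) and info["exp"] > now and needed_scope in info["scope"]
```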