Configure security and authentication

OAuth is an open standard authorization protocol that allows third parties to access user data without needing to know the user's password. Instead of users sharing their passwords directly with an application, OAuth acts as a "valet key" that applications use to access a user's data and act on their behalf.

With Google Apps for Business and Education, administrators can use two-legged OAuth for domain-wide delegation of authority. An application that has the OAuth consumer key and secret (roughly equivalent to a role account username and password) is allowed to act as any user in the domain when accessing Google Data APIs. Unlike three-legged OAuth, users do not need to give consent on an individual basis, as this decision is made on their behalf by the administrator. Administrators can revoke the key, change the secret, and control which APIs accept domain-wide delegation.
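The following added example (not code from this page or from Google) shows why the consumer secret has to be protected like a role account password: in a two-legged request, the secret alone produces a valid signature for any user in the domain, and changing the secret invalidates signatures made with the old one. It assumes OAuth 1.0 HMAC-SHA1 signing as defined in RFC 5849 and the `xoauth_requestor_id` parameter to name the user being acted for; the domain, secret, and feed URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Encode, sort, and join the parameters, then bind method and URL to them.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_two_legged(method, url, params, consumer_secret):
    # Two-legged OAuth has no per-user token secret, so the HMAC key is
    # just "<consumer_secret>&": the domain secret alone authorizes the call.
    key = (pct(consumer_secret) + "&").encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def request_params(consumer_key, requestor, timestamp, nonce):
    # xoauth_requestor_id (assumed here) names the domain user being acted for.
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
        "xoauth_requestor_id": requestor,
    }

def verify(method, url, params, signature, consumer_secret):
    # Server-side check: recompute the signature and compare in constant time.
    expected = sign_two_legged(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    # Constructed values: placeholder domain, secret, and feed URL.
    url, secret = "https://apis.example.com/feeds/docs", "constructed-secret"
    for user in ("alice@example.com", "bob@example.com"):
        p = request_params("example.com", user, 1700000000, "n-" + user)
        sig = sign_two_legged("GET", url, p, secret)
        print(user, verify("GET", url, p, sig, secret),
              verify("GET", url, p, sig, "rotated-secret"))
```

Because the requestor ID is part of the signed parameters, a signature made for one user does not validate for another, but nothing other than the shared secret is needed to produce either one.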

Two main groups can use two-legged OAuth, and the access controls applied may be very different in each case.

Google Apps domain administrators

Administrators can build scripts and custom applications that manage the user data for their domain through Google Data APIs. For example, an administrator can use the Google Documents Data List feed and two-legged OAuth to configure every user in their domain with a Google Drive folder named "Human Resources" that's populated with common employee forms. Some Google Apps applications, such as the Google Apps Connector for BlackBerry Enterprise Server, also require OAuth to be enabled.

To learn about managing the key and secret that's associated with your Google Apps domain, and granting global access control, see Managing the OAuth key and secret.

Third-party software vendors

Vendors may offer applications that use two-legged OAuth to integrate with Google Apps. If the vendor has registered their own consumer key and secret with Google, you can grant the vendor's client application access to a limited set of Google resources on the Manage API client page.

To learn about setting up third-party or internal access to a specific set of Google Data APIs, see Managing Client API access.

Additional resources