Three-legged doesn't imply a specific type of app, such as a browser-based one. Three-legged means that the application acts directly on behalf of the user. A three-legged scenario has three parties:
- Application (Client),
- User (resource owner) and
- API (Service Provider).
In two-legged scenarios the user is not involved. Typically, this relates to application-to-application solutions. The application (client) acts on its own behalf. So, in two-legged OAuth, there are only two parties:
- Application (Client),
- API (Service Provider).
The only difference is that the two-legged approach does not require a user authorization step.
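
How the difference shows up on the wire, as an added example that is not part of the original text. It assumes OAuth 1.0a HMAC-SHA1 signing (RFC 5849) and the common convention of omitting `oauth_token` for two-legged calls. The keys, token, user and URL are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(s):
    # RFC 3986 percent-encoding as required by OAuth 1.0a
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # RFC 5849 section 3.4: HMAC-SHA1 over the signature base string
    normalized = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}"  # token part empty when two-legged
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_request(method, url, consumer_key, consumer_secret, token=None, token_secret=""):
    # Client side. Timestamp and nonce are fixed, constructed values.
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": "constructed-nonce",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000",
              "oauth_version": "1.0"}
    if token is not None:  # three-legged: token issued after the user approved the app
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

# Constructed provider state (hypothetical client, token and user)
CLIENTS = {"app-key": "app-secret"}
TOKENS = {"user-token": ("token-secret", "alice")}

def acting_for(method, url, params):
    # Provider side: verify the signature and report whose authority the request
    # carries. Nonce/timestamp replay checks are omitted for brevity.
    params = dict(params)
    sig = params.pop("oauth_signature", "")
    key = params.get("oauth_consumer_key")
    if key not in CLIENTS:
        return None
    token_secret, principal = "", f"client:{key}"
    if "oauth_token" in params:
        if params["oauth_token"] not in TOKENS:
            return None
        token_secret, user = TOKENS[params["oauth_token"]]
        principal = f"user:{user}"
    expected = sign(method, url, params, CLIENTS[key], token_secret)
    return principal if hmac.compare_digest(sig, expected) else None
```

The provider treats a request as user-delegated only when it carries a token and is signed with that token's secret; the client's own credentials are not enough to act for the user.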