La risposta è sì. Perché? Perché è ciò che OAuth intende soddisfare: delega di un accesso (sicuro) a un utente (B) per una risorsa per conto di un proprietario di risorse (A).
Penso che la descrizione in questa bozza sarà abbastanza semplice a te:
(A) The client requests authorization from the resource owner.
The authorization request can be made directly to the resource owner
(as shown), or preferably indirectly via an intermediary such as
an authorization server.
(B) The client receives an authorization grant which represents the
authorization provided by the resource owner. The authorization
grant type depends on the method used by the client and
supported by the authorization server to obtain it.
(C) The client requests an access token by authenticating with the
authorization server and presenting the authorization grant.
(D) The authorization server authenticates the client and validates
the authorization grant, and if valid issues an access token.
(E) The client requests the protected resource from the resource
server and authenticates by presenting the access token.
(F) The resource server validates the access token, and if valid,
serves the request.