Chapter 3. Yahoo!'s OAuth Authorization Model

Yahoo! Search BOSS Geo uses OAuth as a simple and secure method for validation and access. It's an open authorization model based primarily on existing standards that ensures secure credentials can be provisioned and verified by different software platforms. For detailed information on Yahoo!'s implementation of the OAuth standard, see the documentation OAuth Authorization Model on the Yahoo! Developer Network.

Using OAuth with BOSS Geo

OAuth allows you and visitors to your web page, to securely access the Yahoo! Geo content. OAuth provides secure access to this content by using your BOSS application ID and the Yahoo! API key to verify your account, access privileges, and allow for correct billing from Yahoo!

Authentication

Authentication for BOSS Geo queries requires OAuth information in the HTTP header OR through parameters in the GET request. There are six elements that are required for authorization:

  1. oauth_version=1.0 – The standard of OAuth supported by BOSS Geo.
  2. oauth_timestamp= – The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal to or greater than the timestamp used in previous requests. The timestamp can be reused for up to 5 minutes. Important: After 5 minutes a fresh timestamp must be supplied.
  3. oauth_nonce – is a random string, uniquely generated for all requests for a specific timestamp. This helps verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel (such as HTTP).
  4. oauth_consumer_key= – obtained from YDN during the BOSS project registration process. This is unique to the developer. Please follow the directions on the displayed key page and copy the entire key from YDN. If you do not copy the entire key, this results in a "Consumer Key rejected" error.
  5. oauth_signature_method=HMAC-SHA1 – (specific algorithm used for BOSS OAuth calls).
  6. oauth_signature – can be generated by an OAuth library. A list of supported OAuth libraries is available here: http://oauth.net/code. Over a dozen languages are supported.

Example of using OAuth in HTTP Header:

Authorization: OAuth

Using OAuth with GET parameters:

Add key="value" from the authorization header into GET parameters as &key=value in line with the other API parameters.

More details on OAuth:

Table of Contents