Chapter 2. Yahoo!'s OAuth Authorization Model
Yahoo! Search BOSS API uses OAuth as a simple and secure method
for validation and access. OAuth is an open authorization model, based primarily
on existing standards, that ensures credentials can be securely provisioned and
verified across different software platforms. For detailed information on
Yahoo!'s implementation of the OAuth standard, see the OAuth Authorization Model documentation on
the Yahoo! Developer Network.
Using OAuth with BOSS API
OAuth allows you, and visitors to your web page, to securely access
the Yahoo! Web, Image, and News content. As a publisher, you get secure
access to this content by using your BOSS API application ID and
the Yahoo! API key, which verify your authorized access privileges and allow
for correct billing from Yahoo!.
Authentication for BOSS API queries requires OAuth information either in
the HTTP header or as parameters in the GET request. Six
elements are required for authorization:
- oauth_version=1.0 – The version of the OAuth standard supported by BOSS.
- oauth_timestamp= – The timestamp, expressed as the number of
seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST
be a positive integer and MUST be equal to or greater than the
timestamp used in previous requests. The timestamp can be reused for
up to 5 minutes. Important: after 5
minutes a fresh timestamp must be supplied.
- oauth_nonce – A random string, uniquely generated for each
request made with a specific timestamp. This helps verify that a request
has never been made before and helps prevent replay attacks when
requests are made over a non-secure channel (such as HTTP).
- oauth_consumer_key= – Obtained from YDN during the BOSS API
project registration process; it is unique to the developer.
Follow the directions on the displayed key page and copy the
entire key from YDN. If you do not
copy the entire key, the request fails with a "Consumer Key rejected" error.
- oauth_signature_method=HMAC-SHA1 – The specific algorithm used
for BOSS API OAuth calls.
- oauth_signature – Can be generated by an OAuth library. A list
of supported OAuth libraries is available at
http://oauth.net/code; over a dozen languages are supported.
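The following is an added example, not code from the BOSS documentation or from Yahoo!. It shows how the six elements above combine into an OAuth 1.0 HMAC-SHA1 signature for a two-legged (no user token) GET request, and the server-side check that goes with it: signature recomputation, the 5-minute timestamp window, and rejection of a reused (timestamp, nonce) pair. The endpoint URL, consumer key and secret are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time, urllib.parse

def pct(s):
    # OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded.
    return urllib.parse.quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded, sorted "k=v&k=v" list; keys and values
    # are encoded once individually, then the whole joined list is encoded again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Key = encoded consumer secret '&' encoded token secret. With no user
    # token (two-legged OAuth) the second half is empty but the '&' remains.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, query, consumer_key, consumer_secret, timestamp=None, nonce=None):
    # Client side: the five declared parameters plus the API query, then oauth_signature.
    params = {**query,
              "oauth_version": "1.0",
              "oauth_consumer_key": consumer_key,
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
              "oauth_nonce": nonce or secrets.token_hex(8)}
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret)
    return params

def verify_request(method, url, params, consumer_secret, now, seen, window=300):
    # Server side: recompute the signature over everything except oauth_signature,
    # enforce the 5-minute timestamp window, and reject a reused (timestamp, nonce).
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret)
    if not hmac.compare_digest(params.get("oauth_signature", ""), expected):
        return "bad signature"
    ts_raw = params.get("oauth_timestamp", "")
    if not ts_raw.isdigit() or int(ts_raw) <= 0 or abs(now - int(ts_raw)) > window:
        return "stale timestamp"
    replay_key = (ts_raw, params.get("oauth_nonce", ""))
    if replay_key in seen:
        return "replayed nonce"
    seen.add(replay_key)  # remember the pair for the life of the window
    return "ok"
```

Send the returned dict either as `key="value"` pairs in the Authorization header or as `&key=value` GET parameters; the signature is the same in both cases because it is computed over the parameter set, not over the transport form.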
Example of using OAuth in HTTP Header:
Using OAuth with GET parameters:
key="value" from authorization header into GET
parameters as &key=value in line with the other API