Hi guys,

Some more information regarding what my end goal is. My app doesn't require any private user information so I don't need access to any API. What I am looking for is a way to differentiate between someone trying to access our application which is hosted on the url like http://www.betaservername.com vs http://apps.yahoo.com/-yahooappid

I can check for request variables like

yap_consumer_key,
yap_viewer_access_token,
yap_viewer_access_token_secret,
yap_viewer_guid,
yap_owner_guid,
yap_appid,
yap_time,
oauth_signature_method,
oauth_signature,

which exist only from request coming for http://apps.yahoo.com/-yahooappid but that doesn't mean that someone else can't
just generate these parameters and make a request to get through my test

Is there a way for me to verify the oauth_signature or any other piece of information pass to me?

Regards,
Anil

Hi Anil,

OAuth uses encryption to verify the provider and the consumer are who they say they are. This means that all the passed parameters are signed. You can use this to validate that the session came from a Yahoo! Application.

Hope that helps.

Tom
Yahoo! Developer Network

Hi Tom,

Thanks for the clarification. So do I validate the oauth_signature parameter passed into the request? and if so is there a method in Oauth.Net lib that will allow me to do that? if not how do I validate the signature?

Anil

The response would not be considered "valid" if the OAuth signature didn't match. As such any responses you receive from the OAuth library should be valid. Otherwise the library should throw a signature error.

If you have specific code I'd be happy to look and see if I can help.

Tom

Hi Tom,

Thanks for the reply.

As you mentioned I am trying to validate the signature that i am getting as part of the post parameter of the incoming request from yahoo. I using the Oauth lib from http://code.google.com/p/devdefined-tools/wiki/OAuth to do the validation. For some reason it never validates the signature.

OAuthContext context = new OAuthContext
{
ConsumerKey = Request["yap_consumer_key"],
Signature = Request["oauth_signature"],
Token = Request["yap_viewer_access_token"],
TokenSecret = Request["yap_viewer_access_token_secret"],
RawUri = CleanUri(Request.Url),
Cookies = CollectCookies(Request),
Headers = Request.Headers,
RequestMethod = Request.HttpMethod,
SignatureMethod = "HMAC-SHA1"
};

OAuthContextSigner signer = new OAuthContextSigner();
SigningContext signingContext = new SigningContext();
signingContext.ConsumerSecret = "<secret i got from yahoo>";

if (!signer.ValidateSignature(context,signingContext)){
return false;
}else{
return true;
}

I have also noticed that I don't get all the oauth parameters as outlined in the actual spec and that some of these parameter prefixes have been changed from oauth_ to yap_ . I have already made some changes to the library to reflect this. I noticed that I don't received the oauth_version and oauth_nonce parameter in the post request made from yahoo to my application.

I am kind of pulling my hair at this point. Would really appreciate any help i can get

Regards,
Anil

Hey Anil,

I'm trying to find someone with some .net experience to help me out with this. In the meantime could you post the request/response headers and body for a request.

The call being made to your application is signed two-legged, meaning it's only been signed with the consumer key and secret. The access token and access token secret aren't used for the signature generation. Try leaving the access token bits out of the creation of the OAuthContext.

Hey Ryan,

I do receive yap_viewer_access_token and yap_viewer_access_token_secret parameters passed down to our server from yahoo. From what i can remember that these two parameter are required to generate the basesignature. The oauth library that i am using requires both of these parameter. It throws an exception when i don't pass these as it is not able to generate the basesignature.

Anil

Hey Ryan,

Following is original signature , the base signature and the generated signature that my application is producing

original : UddFcbAuY2zjEkKBcM+eb+Zl3KQ=

base: POST&http%3A%2F%2F<hostname>%3A8181%2F&oauth_consumer_key%3D<consumerkey>%26oauth_signature_method%3DHMACSHA1%26view_name%3DYahooFullView

generated : Gn/TRamhgbzLN4P8HwyMY2Hyz4M=

Can you tell me if the base signature is getting generated properly?

Anil