Introduction
What is OAuth?
OAuth is an open protocol enabling an application to access end user information from a Web service when the application is authorized by the end user. The end user's information is securely transferred without revealing the identity of the user. For example, end users who want to run a photo sharing application on their profile pages need to allow the social network site to share personal data with that application. OAuth allows these end users to anonymously grant the photo sharing application access to their profile information.
Who Needs OAuth?
Many new Yahoo! Web services that provide access to private user data use OAuth. You need to use OAuth if you are planning on using any of the Social Directory APIs or the MyBlogLog API.
Why OAuth?
Many proprietary Web authorization protocols have emerged over the years: Google's AuthSub, AOL's OpenAuth, Yahoo's BBAuth, Upcoming API, Amazon Web Services API, etc. OAuth integrates the commonalities and adopts the best practices of these other Web authorization protocols into a single open standard.
Other reasons for using OAuth authorization:
- Compatible with existing authorization methods
- Flexibility to adjust to security needs of different sites
- Extensible through different signing algorithms
- Designed to work with mobile devices and desktop applications
Private Data v. Public Data
Public Data
When creating applications that only use public data, you do not need authorization from the end User. These types of applications are called two-legged in OAuth terminology because the authorization occurs between two parties: an application (the Consumer) and the public data source (the Service Provider). The public data source can be a Web service or Web feeds such as RSS or Atom feeds. Most Web services offering public data require two-legged authorization, whereby an application and the Web service exchange keys before public data can be transferred. Public data from RSS or Atom feeds, however, do not require any authorization.
Note
While this guide discusses the three-legged method for OAuth authorization, you may instead use the two-legged method with some API requests because you aren't requesting access to private data.
The key difference in two-legged OAuth is that you don't need a Request Token or an Access Token, and so you skip Steps 2-5 in the OAuth Authorization Flow.
An example of a two-legged application would be one that gets public data using the Yahoo! Query Language (YQL). The application exchanges a Consumer Key and Shared Secret with YQL, but no end User authorization is required.
Private Data
To access private data, your application is required to get the end User's authorization. An application that requires User authorization is called three-legged in OAuth terminology because the authorization occurs between three parties: the end user (User), the application (the Consumer), and the private data source (the Service Provider). The private data source for applications using the PHP SDK are the Social Directory APIs. In a three-legged authorized application using the Social Directory APIs, end Users choose whether to give your application access to their Yahoo! Social data.
The table below provides some general rules for the type of authorization needed for different types of data available on the Web. Some Web services or feeds may not follow these guidelines.
Table 1. General Guide to Authorization for Different Web data
| Type of Data | Data Source | Privacy Level | Type of Authorization Needed | Examples |
|---|---|---|---|---|
| News and Blog feeds (RSS, Atom, etc.) | Web feeds | Public | None | NY Times Small Business RSS Feed (http://www.nytimes.com/services/xml/rss/nyt/SmallBusiness.xml), Rob Weir's Blog Atom Feed (http://www.robweir.com/blog/atom.xml) |
| YQL Public Data | Web services | Public | two-legged authorization | weather forecast search using YQL |
| Private User Data | Web services | Private | three-legged authorization | private User data from the Yahoo! Social APIs, such as Updates and Social Directory |