Chapter 7. Scopes (Permissions)

As mentioned earlier, most Yahoo! User data is protected by Scopes (permissions) in addition to OAuth authorization.

A Scope is a permission setting that specifies access to a Yahoo! User's non-public data.

Examples of scopes for the Yahoo! Social APIs are:

  • Read/Write Yahoo! Updates
  • Read (Shared) Yahoo! Profiles
  • Read Yahoo! Contacts

You must specify the Scopes needed by your application when you register the application on the Yahoo! Developer Network (YDN). Later on, the end User must give the application permission to access his or her data. A few other steps are necessary, best explained by an example.

Suppose that your application needs to call the HTTP GET operation on a Usercard Profile. Here is the sequence of events that involve Scopes for this example:

  1. In the Usercard Profile section of the Yahoo! Social API Reference, note the entry under the Scopes Required section:

    GET: Read (Shared) Yahoo! Profiles

  2. Register your application by going to the My Projects page of YDN and click New Project.
  3. While registering, ensure that you choose the "Read" permission for "Yahoo! Profiles".
  4. Behind the scenes, the Scopes you select for your application are embedded in the Consumer Key.
  5. In your application source code, specify the Consumer Key.
  6. When the end User installs your application, the Yahoo! page appears, prompting the User to authorize access to the User's Yahoo! Profile.
  7. Later on, the end User runs your application, which calls an HTTP GET operation on the Usercard Profile.
  8. Before the GET operation proceeds, Yahoo! OAuth verifies that the end User has authorized access to the Yahoo! Profile data.
  9. If the GET operation encounters no other errors, it fetches the data and the HTTP response code is 200 OK.
  10. If the end User had not authorized access, the response code would be an error: 401 Unauthorized.

Table of Contents