OAuth

Prev — Get a Request Token (get_request_token)

Exchange the Request Token and OAuth Verifier for an Access Token (get_token) — Next

Get User Authorization (request_auth)

URL:

https://api.login.yahoo.com/oauth/v2/request_auth

Supported Methods:

GET, POST

After getting the Request Token from Yahoo!, your application presents to your Users a Yahoo! authorization page (OAuth Core 1.0 Spec, Section 6.2) asking them to give permission to your application to access their data.

The authorization page will only ask for permission to a limited amount of User data, based on the access scopes you specified during the initial registration process.

The following is an example of a authorization URL that includes the Request Token:

https://api.login.yahoo.com/oauth/v2/request_auth?oauth_token=j5nyp6

Table 4.3. Request Auth (request_auth) Request Parameters

Request Parameter	Description
`oauth_token`	The Request Token that Yahoo! returns as a response to the `request_token` call. The Request Token is required during the User authorization process.

The following parameters are appended to the callback URL, if one is provided in Step 2:

Table 4.4. Request Auth (request_auth) Callback URL Parameters

Callback URL Parameter Description

oauth_token The Request Token that Yahoo! returns as a response to the get_request_token call. It is appended to the authorization page URL. The Request Token is required during the User authorization process.

oauth_verifier The OAuth Verifier is a verification code tied to the Request Token. The OAuth Verifier and Request Token both must be provided in exchange for an Access Token. They also both expire together. If the oauth_callback is set to oobin Step 2, the OAuth Verifier is not included as a response parameter and is instead presented once the User grants authorization to your application. Yahoo! instructs the User to enter the OAuth Verifier code in your application. Your application must ask for this OAuth Verifier code to ensure OAuth authorization can proceed. The OAuth Verifier is intentionally short so that a User can type it manually.

Callback URL Parameter	Description
`oauth_token`	The Request Token that Yahoo! returns as a response to the `get_request_token` call. It is appended to the authorization page URL. The Request Token is required during the User authorization process.
`oauth_verifier`	The OAuth Verifier is a verification code tied to the Request Token. The OAuth Verifier and Request Token both must be provided in exchange for an Access Token. They also both expire together. If the `oauth_callback` is set to `oob`in Step 2, the OAuth Verifier is not included as a response parameter and is instead presented once the User grants authorization to your application. Yahoo! instructs the User to enter the OAuth Verifier code in your application. Your application must ask for this OAuth Verifier code to ensure OAuth authorization can proceed. The OAuth Verifier is intentionally short so that a User can type it manually.

Presenting the Yahoo! Authorization Page

You have two methods for presenting the Yahoo! authorization page:

Present the Yahoo! authorization page through a browser pop-up window. (Preferred Method)
When using the pop-up window method, you must follow these guidelines:
- Your application must open a pop-up window to show the URL provided in xoauth_request_auth_url.
- The pop-up must show the page URL. This is to ensure that Users know they are not being spoofed.
- Once the User has authorized access and Yahoo! redirects the pop-up window to the URL specified in oauth_callback, passing the OAuth Verifier (oauth_verifier).
- After Yahoo! performs the redirect within the pop-up window, your application must exchange the OAuth Verifer along with the Request Token for an Access Token.
- Once you have received an Access Token from Yahoo!, you must close the pop-up window.
The following example uses the Yahoo! Social API PHP SDK to open a pop-up window, listen for an authorization, close the popup, and refresh the originating page:

<?php // Include the YOS library. require("Yahoo.inc"); // Make sure you obtain application keys before continuing by visiting: // https://developer.yahoo.com/dashboard/createKey.html // Your consumer key goes here. define("CONSUMER_KEY",""); // Your consumer key secret goes here. define("CONSUMER_SECRET",""); // Your application ID goes here. define("APP_ID",""); if(array_key_exists("logout", $_GET)) { // if a session exists and the logout flag is detected // clear the session tokens and reload the page. YahooSession::clearSession(); header("Location: sampleapp.php"); } // check for the existance of a session. // this will determine if we need to show a pop-up and fetch // the auth url, or fetch the user's social data. $hasSession = YahooSession::hasSession(CONSUMER_KEY, CONSUMER_SECRET, APP_ID); if($hasSession == FALSE) { // create the callback url, $callback = YahooUtil::current_url()."?in_popup"; // pass the credentials to get an auth url. // this URL will be used for the pop-up. $auth_url = YahooSession::createAuthorizationUrl(CONSUMER_KEY, CONSUMER_SECRET, $callback); } else { // pass the credentials to initiate a session $session = YahooSession::requireSession(CONSUMER_KEY, CONSUMER_SECRET, APP_ID); // if the in_popup flag is detected, // the pop-up has loaded the callback_url and we can close // this window. if(array_key_exists("in_popup", $_GET)) { close_popup(); exit; } // if a session is initialized, fetch the user's profile // information if($session) { // Get the currently sessioned user. $user = $session->getSessionedUser(); // Load the profile for the current user. $profile = $user->getProfile(); } } /** * Helper method to close the pop-up window via javascript. */ function close_popup() { ?> <script type="text/javascript"> window.close(); </script> <?php } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"> <html> <head> <title>Yahoo! Social Sample Application</title>  <script type="text/javascript" src="http://yui.yahooapis.com/combo?2.7.0/build/yahoo-dom-event/yahoo-dom-event.js"></script> <script type="text/javascript" src="popupmanager.js"></script>  <link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/combo?2.7.0/build/reset-fonts-grids/reset-fonts-grids.css&2.7.0/build/base/base-min.css"> </head> <body> <?php if($hasSession == FALSE) { // if a session does not exist, output the // login / share button linked to the auth_url. echo sprintf("<a href=\"%s\" id=\"yloginLink\"><img src=\"http://l.yimg.com/a/i/ydn/social/updt-spurp.png\"></a>\n", $auth_url); } else if($hasSession && $profile) { // if a session does exist and the profile data was // fetched without error, print out a simple usercard. echo sprintf("<img src=\"%s\"/><p><h2>Hi <a href=\"%s\" target=\"_blank\">%s!</a></h2></p>\n", $profile->image->imageUrl, $profile->profileUrl, $profile->nickname); if($profile->status->message != "") { $statusDate = date('F j, y, g:i a', strtotime($profile->status->lastStatusModified)); echo sprintf("<p><strong>“</strong>%s<strong>”</strong> on %s</p>", $profile->status->message, $statusDate); } echo "<p><a href=\"?logout\">Logout</a></p>"; } ?> <script type="text/javascript"> var Event = YAHOO.util.Event; var _gel = function(el) {return document.getElementById(el)}; function handleDOMReady() { if(_gel("yloginLink")) { Event.addListener("yloginLink", "click", handleLoginClick); } } function handleLoginClick(event) { // block the url from opening like normal Event.preventDefault(event); // open pop-up using the auth_url var auth_url = _gel("yloginLink").href; PopupManager.open(auth_url,600,435); } Event.onDOMReady(handleDOMReady); </script> </body> </html>
Redirect from your Web application off-site to the Yahoo! authorization page.
With this method, you must directs Users off-site to the Yahoo authorization page as indicated in xoauth_request_auth_url. Once the User authorizes access, Yahoo! redirects Users to the URL as indicated in oauth_callback.

Note

Because the Yahoo! authorization page is meant to be shown as a pop-up window, it will appear centered and constrained within a full browser window.

Important

If your application does not have access to a browser, it must provide the User with the Yahoo! authorization page URL and Request Token, both provided in Step 2. Your application must provide directions for your User to manually browser to the URL and enter the provided Request Token.

Prev — Get a Request Token (get_request_token)

Exchange the Request Token and OAuth Verifier for an Access Token (get_token) — Next

Yahoo! Developer Network

OAuth

Get User Authorization (request_auth)

Presenting the Yahoo! Authorization Page

Note

Important

Table of Contents