You build great web applications. We have millions of users who store their data on Yahoo!. Browser-Based Authentication (BBAuth) makes it possible for your applications to use that data (with their permission).
BBAuth also offers a Single Sign-On (SSO) facility so that existing Yahoo! users can use your services without having to complete yet another registration process.
The first time a user visits your web site, you redirect them to a specially constructed Yahoo! URL where they can log in and grant your application permission.
The image below illustrates the process.
To use BBAuth, you'll need to do the following:
First you need to register your application with Yahoo!. The process requires that you describe what your application does, provide contact information, set your application's endpoint URL, and select the Yahoo! services to which your application needs access. Some services may divide their API calls into subsets, or scopes. For example, a service might group its read-only methods into a single scope.
When you complete registration, Yahoo! provides you with an application ID and shared secret for making authenticated service calls.
Your application cannot access a user's personal data until the user grants your application limited access to their data. To do this you must direct your users to a specialized Yahoo! login page. Once the user enters their Yahoo! user ID and password, Yahoo! displays a Terms of Service page and lists the data which your application may access. If the user grants your application access, Yahoo! redirects the user to your site. The redirect URL contains a token that you use to retrieve the user's credentials.
Now that you have the user's token, you can use it to retrieve an auth cookie and a WSSID, which together represent the user's credentials. The user's credentials last for one hour, and you must supply them for each authenticated web service call.
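The one-hour credential lifetime described above, as an added example that is not Yahoo!'s code: a server-side cache that exchanges the user's token again shortly before the cookie and WSSID expire. The `exchange` callable, the 60-second margin, and the assumption that a token can be exchanged more than once are hypothetical; the actual token-to-credential call is not shown on this page.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CREDENTIAL_LIFETIME = 3600  # seconds; the page states credentials last one hour
REFRESH_MARGIN = 60         # assumption: refresh early so a call never carries stale credentials


@dataclass(frozen=True)
class Credentials:
    cookie: str        # auth cookie retrieved with the user's token
    wssid: str         # WSSID retrieved alongside the cookie
    fetched_at: float  # clock reading when the pair was retrieved


class CredentialStore:
    """Server-side cache of per-user credentials, keyed by the user's token."""

    def __init__(self, exchange: Callable[[str], Tuple[str, str]],
                 clock: Callable[[], float] = time.monotonic):
        self._exchange = exchange  # hypothetical: token -> (cookie, wssid)
        self._clock = clock
        self._cache: Dict[str, Credentials] = {}

    def get(self, token: str) -> Credentials:
        """Return unexpired credentials, exchanging the token again if needed."""
        now = self._clock()
        cached = self._cache.get(token)
        if cached and now - cached.fetched_at < CREDENTIAL_LIFETIME - REFRESH_MARGIN:
            return cached
        cookie, wssid = self._exchange(token)
        if not cookie or not wssid:
            # Fail closed: never cache or send half of the credential pair.
            self._cache.pop(token, None)
            raise ValueError("credential exchange returned an incomplete pair")
        fresh = Credentials(cookie, wssid, now)
        self._cache[token] = fresh
        return fresh

    def revoke(self, token: str) -> None:
        """Drop cached credentials, e.g. on logout or a rejected service call."""
        self._cache.pop(token, None)
```

Keep the store, the token and the shared secret on the server; the browser only ever needs your own session identifier.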
Registering Your Application explains how to acquire an application ID and shared secret for your application.
Browser-Based Authentication and related topics are discussed on the ydn-auth mailing list. If you have questions or need technical support, please use this group.
If you need your application key deactivated (for example, if you feel it has been compromised), then see the Yahoo! Developer Help page for information on how to contact Yahoo! Customer Care.