Chapter 3. Yahoo!'s OAuth Authorization Model
Yahoo! Search BOSS Geo uses OAuth as a simple and secure method for
validation and access. It is an open authorization model, based primarily on
existing standards, that lets credentials be provisioned and verified
securely across different software platforms. For detailed information on
Yahoo!'s implementation of the OAuth standard, see the OAuth Authorization
Model documentation on the Yahoo! Developer Network.
Using OAuth with BOSS Geo
OAuth allows you, and visitors to your web page, to securely access
Yahoo! Geo content. OAuth provides secure access to this content by
using your BOSS application ID and the Yahoo! API key to verify your
account and access privileges, and to allow correct billing from Yahoo!.
Authentication for BOSS Geo queries requires the OAuth information either
in the HTTP Authorization header or as parameters of the GET request. Six
elements are required for authorization:
- oauth_version=1.0 – The version of OAuth supported by BOSS.
- oauth_timestamp – The timestamp, expressed as the number of
seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST
be a positive integer and MUST be equal to or greater than the
timestamp used in previous requests. A timestamp can be reused for
up to 5 minutes. Important: after 5 minutes a fresh timestamp must be
supplied.
- oauth_nonce – A random string, uniquely generated for each request
made with a given timestamp. It lets the server verify that a request
has never been made before, which helps prevent replay attacks when
requests are made over a non-secure channel (such as HTTP).
- oauth_consumer_key – Obtained from YDN during the BOSS project
registration process; it is unique to the developer. Follow the
directions on the displayed key page and copy the entire key from
YDN. If you do not copy the entire key, the request fails with a
"Consumer Key rejected" error.
- oauth_signature_method=HMAC-SHA1 – The specific signature algorithm
used for BOSS OAuth calls.
- oauth_signature – Can be generated by an OAuth library. A list of
supported OAuth libraries, covering over a dozen languages, is
available at http://oauth.net/code.
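A worked example of the six elements above, added here and not part of the BOSS documentation or of any OAuth library: it builds the RFC 5849 signature base string and HMAC-SHA1 signature, renders the result both as an Authorization header and as GET parameters, and shows the server-side checks a verifier needs (5-minute timestamp window, one-time nonce per timestamp, constant-time signature comparison). It assumes two-legged OAuth (no oauth_token, since none appears in the list); the endpoint URL, consumer key and consumer secret are supplied by the caller and any values used with it are placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlencode

def pct(s):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal; hex is uppercase."""
    return quote(str(s), safe="-._~")

def oauth_params(consumer_key, timestamp=None, nonce=None):
    """The five non-signature elements BOSS requires; assumes two-legged OAuth (no oauth_token)."""
    return {"oauth_version": "1.0", "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
            "oauth_nonce": secrets.token_hex(16) if nonce is None else nonce,
            "oauth_consumer_key": consumer_key}

def signature_base_string(method, base_url, params):
    """METHOD&enc(url)&enc(sorted key=value pairs); each key and value is pct-encoded first."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, base_url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret); with no token the tail is empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def authorization_header(oauth, signature):
    """Header form: Authorization: OAuth key="value", key="value", ..."""
    fields = {**oauth, "oauth_signature": signature}
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))

def signed_url(base_url, query, oauth, signature):
    """GET-parameter form: the same six elements as &key=value beside the API parameters."""
    fields = {**query, **oauth, "oauth_signature": signature}
    return base_url + "?" + urlencode(sorted(fields.items()), quote_via=quote, safe="-._~")

def verify(method, base_url, params, consumer_secret, seen_nonces, now=None, window=300):
    """Server side: HMAC-SHA1 only, timestamp within the 5-minute window, nonce not yet
    used with that timestamp, and a constant-time comparison of the recomputed signature."""
    now = int(time.time()) if now is None else now
    ts = int(params["oauth_timestamp"]) if params.get("oauth_timestamp", "").isdigit() else 0
    nonce = (ts, params.get("oauth_nonce"))
    ok = (params.get("oauth_signature_method") == "HMAC-SHA1" and ts > 0
          and abs(now - ts) <= window and nonce not in seen_nonces)
    expected = sign(method, base_url, params, consumer_secret)
    given = params.get("oauth_signature", "")
    if not (ok and hmac.compare_digest(expected.encode(), given.encode())):
        return False
    seen_nonces.add(nonce)  # remember it so a replayed request is rejected
    return True
```

The header and GET-parameter forms carry the same signature, because the signature covers the parameters regardless of how they are transported.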
Example of using OAuth in HTTP Header:
Using OAuth with GET parameters:
key="value" from the authorization header into
GET parameters as &key=value in line with the other API