Yahoo! Browser-Based Authentication is a system that lets third-party developers create web applications that can securely access a user's Yahoo! data through APIs, while letting the end user control what type of access they allow, if any.
This article describes how to use the Yahoo.Authentication class, which simplifies using the Browser-Based Authentication system. For a detailed description of what is going on under the hood, download and have a look at the provided source code or refer to the Browser-Based Authentication pages.
This article assumes you have signed up for an application ID and have a basic understanding of the authentication process.
There are three main steps to using Browser-Based Authentication:
Before you can access a user's data you must receive permission from the user. This is done by redirecting the user's browser to the user sign-in page, which signs them into the Yahoo! network and asks permission for you to read, write, or read and write their data. Don't forget to let the user know what is going to happen before you redirect them.
Once the user has approved your application, their browser will be redirected to the end-point page you specified when you signed up for an application ID. The following demonstrates checking for a valid call and saving the received token in the user's Authentication object. You should also store the token in a persistent store, since it is valid for two weeks.
The second step, obtaining user credentials, should always be transparent to the user. The methods will attempt to retrieve the user's credentials (WSSID and cookie) and store them internally. Note that the built-in methods IsCredentialed and call UpdateCredentials automatically if valid credentials weren't available. Unless you do the web service call yourself, you will not normally need to use this method.
The built-in data retrieval methods GetAuthenticatedServiceXPathDocument will automatically attempt to update the user's credentials if necessary. If you receive an AuthenticationException during these calls, you should check the status/error code for 401 (Unauthorized). If the error is 401, you can try to sign in the user again.
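The third step in code, as an added example that is not the article's own sample: it calls GetAuthenticatedServiceXPathDocument, refuses to use a token older than the two-week lifetime, and treats a 401 AuthenticationException as "sign the user in again" while letting any other failure surface. The Authentication, AuthenticationException and GetAuthenticatedServiceXPathDocument names come from the article; the XPathDocument return type, the StatusCode property on the exception, and the signInUrlFor delegate are assumptions made for this example.

```csharp
using System;
using System.Xml.XPath;
using Yahoo;   // the article's Yahoo.Authentication class

// Added example of step 3 with the 401 handling the article describes.
// Members marked ASSUMED are not named on the page and may differ in the real class.
public sealed class YahooDataAccess
{
    // The article states the token is valid for two weeks.
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromDays(14);

    private readonly Authentication auth;
    private readonly Func<string, string> signInUrlFor;   // ASSUMED: builds the user sign-in URL

    public YahooDataAccess(Authentication auth, Func<string, string> signInUrlFor)
    {
        this.auth = auth;
        this.signInUrlFor = signInUrlFor;
    }

    // Returns the service document, or null with redirectUrl set when the user must sign in again.
    // ASSUMED: GetAuthenticatedServiceXPathDocument returns an XPathDocument.
    public XPathDocument TryGetDocument(string serviceUrl, string returnPath,
                                        DateTime tokenSavedUtc, out string redirectUrl)
    {
        redirectUrl = null;

        // A token past its two-week lifetime cannot succeed; send the user to sign in again.
        if (DateTime.UtcNow - tokenSavedUtc >= TokenLifetime)
        {
            redirectUrl = signInUrlFor(returnPath);
            return null;
        }

        try
        {
            // The built-in call refreshes WSSID/cookie via UpdateCredentials if needed.
            return auth.GetAuthenticatedServiceXPathDocument(serviceUrl);
        }
        catch (AuthenticationException ex)
        {
            // ASSUMED property name: the article says to check the status/error code.
            if (ex.StatusCode == 401)
            {
                redirectUrl = signInUrlFor(returnPath);   // token revoked or expired
                return null;
            }
            throw;   // not an authorization problem: do not mask it behind a re-sign-in
        }
    }
}
```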