Browser-Based Authentication Using C#

Yahoo! Browser-Based Authentication is a system that lets third-party developers create web applications that can securely access a user's Yahoo! data through APIs, while letting the end user control what type of access they allow, if any.

This article describes how to use the Yahoo.Authentication class that simplifies using the Browser-Based Authentication system. For a detailed description of what is going on under the hood, download and have a look at the provided source code or refer to the Browser-Based Authentication pages. This article assumes you have signed up for an application ID and have a basic understanding of the authentication process.

There are three main steps to using Browser-Based Authentication:

  1. Get permission and sign in the user
  2. Verify the call and save the token on the end-point page
  3. Use authenticated web services

Signing in the User

Before you can access a user's data you must receive permission from the user. This is done by redirecting the user's browser to the user sign-in page, which signs them into the Yahoo! network and asks for permission for your application to read, write, or read and write their data. Don't forget to let the user know what is going to happen before you redirect them.

End-Point Page Processing

Once the user has approved your application, their browser will be redirected to the end-point page you specified when you signed up for an application ID. The following demonstrates checking for a valid call and saving the received token in the user's Authentication object. You should also store the token in a persistent store, since it is valid for two weeks.
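As an added example (not code from the Yahoo.Authentication class), the check an end-point page has to make before trusting the token it receives. It assumes the BBAuth signing rule: sig is the MD5 of the relative URL carrying every parameter except sig, followed by the application's shared secret, and the ts parameter (Unix seconds) must be within 600 seconds of the server clock; both values are assumptions about the protocol, not taken from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the Yahoo.Authentication class. It assumes the BBAuth signing
// rule: sig = MD5(relative URL carrying every parameter except sig, followed by the shared secret),
// and that ts (Unix seconds) must lie within 600 seconds of the server clock.
public static class EndPointValidator
{
    private const int MaxSkewSeconds = 600;

    // pathAndQuery is the request's relative URL, e.g. "/endpoint.aspx?appid=..&token=..&ts=..&sig=..".
    public static bool TryGetValidToken(string pathAndQuery, string sharedSecret, DateTime utcNow, out string token)
    {
        token = null;
        int sigPos = pathAndQuery.LastIndexOf("&sig=", StringComparison.Ordinal);
        if (sigPos < 0) return false;
        string signedPart = pathAndQuery.Substring(0, sigPos);
        string presentedSig = pathAndQuery.Substring(sigPos + "&sig=".Length).ToLowerInvariant();

        // Recompute the signature; compare in fixed time so the mismatch position is not leaked.
        byte[] digest;
        using (MD5 md5 = MD5.Create())
            digest = md5.ComputeHash(Encoding.UTF8.GetBytes(signedPart + sharedSecret));
        string expectedSig = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        if (expectedSig.Length != presentedSig.Length) return false;
        int diff = 0;
        for (int i = 0; i < expectedSig.Length; i++) diff |= expectedSig[i] ^ presentedSig[i];
        if (diff != 0) return false;

        // Only a correctly signed request has its parameters parsed and its timestamp checked.
        var p = new Dictionary<string, string>();
        foreach (string pair in signedPart.Substring(signedPart.IndexOf('?') + 1).Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) p[pair.Substring(0, eq)] = Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        long ts;
        if (!p.ContainsKey("ts") || !long.TryParse(p["ts"], out ts)) return false;
        long now = (long)(utcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (Math.Abs(now - ts) > MaxSkewSeconds) return false;   // stale or replayed call
        if (!p.ContainsKey("token")) return false;
        token = p["token"];
        return true;
    }
}
```

Call TryGetValidToken with Request.Url.PathAndQuery and DateTime.UtcNow; only when it returns true should the token be stored in the Authentication object and your persistent store.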

Obtaining User Credentials

The second step, obtaining user credentials, should always be transparent to the user. The UpdateCredentials() method will attempt to retrieve the user's credentials (WSSID and cookie) and store them internally. Note that the built-in methods check IsCredentialed and call UpdateCredentials automatically if valid credentials aren't available. Unless you make the web service call yourself, you will not normally need to use this method.

Calling Authenticated Web Services

The built-in data retrieval methods GetAuthenticatedServiceDataSet, GetAuthenticatedServiceStream, GetAuthenticatedServiceString, GetAuthenticatedServiceXmlDocument and GetAuthenticatedServiceXPathDocument will automatically attempt to update the user's credentials if necessary. If you receive an AuthenticationException during these calls, check the status/error code for 401 (Unauthorized). If the error is 401, you can try to sign in the user again.
