After revoking access to an app, the contacts API still returns contact information

We've found that if a user grants permission to a Yahoo! application to read their contacts, then revokes permission via the Yahoo! "Manage apps and website connections" page, the app is still able to call the contacts endpoint and retrieve the user's current contact data.

Here's the API we're using to retrieve the contact info:

https://social.yahooapis.com/v1/user/me/contacts

Is anyone aware of an issue with Yahoo! not properly expiring access tokens once permission to an app has been revoked by the user?
