OAuth two-legged documentation omission?

The Private Data v. Public Data section says the following:

The key difference in two-legged OAuth is that you don't need a Request Token or an Access Token, and so you skip Steps 2-5 in the OAuth Authorization Flow.

But if you look at the OAuth Authorization Flow, this means that you only perform Step 1, which is "Sign Up and Get a Consumer Key".

So how then does one actually use a Consumer Key and Secret when doing two-legged OAuth? Since you don't do Steps 2-5, what steps do you do?

I want to use YQL from Python using two-legged OAuth. Any complete examples someone could supply would be appreciated.

(In the meantime I'm looking at the OAuth Spec, http://oauth.googlecode.com/svn/code/python/, and the java code mentioned in the unable to pass authentication thread. My head's already starting to hurt.)

3 Replies
  • Tom, I have the same exact questions. Did you ever get an answer to this...?

  • This doc is a draft of the 2-legged OAuth 1.0 process... http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html

    Here is a signature generator that you can use to verify your generated strings and sigs... http://oauth.googlecode.com/svn/code/javascript/example/signature.html

    Yahoo doesn't need the oauth_token parm at all so you can leave it out.

    Otherwise, it's pretty much exactly as RFC-5849 says it should be.

    This URL is ready to send, except for the OAuth parms. You'd pass the URL to the OAuth code (either complete or broken down into its parts...depending on the library)... http://query.yahooapis.com/v1/yql?q=select%20*%20from%20geo.placefinder%20where%20text%3D%2210%20prospect%20brooklyn%20ny%22%20and%20flags%3D%22GT%22%20and%20gflags%3D%22AC%22

    Here's the URL as it gets sent to Yahoo with the OAuth parms (with my consumer key replaced with "abcde...")... http://query.yahooapis.com/v1/yql?oauth_consumer_key=abcdefghijklmnopqrstuvwxyz&oauth_nonce=IQSUNZgszU&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1359720910&oauth_version=1.0&q=select%20%2A%20from%20geo.placefinder%20where%20text%3D%2210%20prospect%20brooklyn%20ny%22%20and%20flags%3D%22GT%22%20and%20gflags%3D%22AC%22&oauth_signature=cFBy8APwVdzt3nMVpuXypnMP1Zw%3D

    You should get back the requested resource.

    I found the signature generator to be very useful. That will show you your mistakes in producing the base string and signature.

  • I found this post very helpful. However, I kept hitting a problem. No matter what I tried I kept getting an error OST_OAUTH_SIGNATURE_INVALID_ERROR.

    Then it dawned on me the Yahoo YQL docs say that the two-legged authentication is meant for Public data not private data.

    [public v private](https://developer.yahoo.com/oauth/guide/oauth-private_public_data.html)

    "When creating applications that only use public data, you do not need authorization from the end User. These types of applications are called two-legged in OAuth terminology because the authorization occurs between two parties: an application (the Consumer) and the public data source (the Service Provider).... Most Web services offering public data require two-legged authorization..."

    The URL base for public data access is NOT what is used in the above example. The example is using the private data URL base: http://query.yahooapis.com/v1/yql?

    As soon as I switched my URL base to the public data URL base it all worked fine. Public data URL base is: https://query.yahooapis.com/v1/public/yql?

    I used the sushi example in the docs for my public data test URL and went from there.

    The whole process was as follows:

    ABCD replaces my real Consumer Secret and PQRST replaces my real Consumer Key. I have done the following in PLAINTEXT so you can see what is going on.

    I sent this:


    Note: oauth_signature is your Consumer Secret followed by %26. If your Consumer Secret was ABCD your oauth_signature would become: ABCD%26

    I got back a string like this:


    I extracted the oauth_token_secret and the oauth_token (though some say you don't need oauth_token). I don't need the xoauth_request_auth_url. (I think that is what I would need to pass to the user if it was for a three-legged authentication).

    The oauth_signature is now: your Consumer Secret with a %26 and the value of oauth_token_secret. If your Consumer Secret was ABCD and the oauth_token_secret sent back from Yahoo was ZYXABC your oauth_signature would now be: ABCD%26ZYXABC

    I then sent this:


    I got back the results! At last!

    Tip: a lot of the examples on Yahoo do not seem to work unless you have set your access Permissions. If trying out, say, a Fantasy Football example you would need to make sure you have set the permissions to allow your Consumer Key to be used to access that. This is done at the section on the bottom of the page when creating a project. In the section "Select APIs for private user data access": check the relevant boxes for the examples you are trying out (or maybe just select all for now). In fact some forum posts say you should check at least one box for authentication to work at all.

    To create a Project, be logged in to Yahoo. Go here https://developer.yahoo.com/ Hover over your name over at the right of the menu bar. You will see an option "My Projects", that is the one you need to set up your Consumer Key and Consumer Secret.

    Hope this helps somebody.

    William "Forgiveness is an act of Power."
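A worked example of what the second reply (an HMAC-SHA1 signed YQL URL) and the third reply (PLAINTEXT signatures of the form `ABCD%26` and `ABCD%26ZYXABC`) describe, added here as editor's illustration; it is not code from this thread, from Yahoo, or from any OAuth library. It implements the RFC 5849 signature base string, signing key, HMAC-SHA1 and PLAINTEXT signatures for a two-legged GET (no `oauth_token`), and a service-provider-side verifier that recomputes the signature, compares it in constant time and rejects stale timestamps. Everything is standard library. The consumer key `PQRST`, secret `ABCD`, nonce and timestamp values are constructed placeholders, the `q` value is a constructed YQL query, and nothing is actually sent to Yahoo, so the real endpoint's behaviour is not exercised.

```python
"""Two-legged OAuth 1.0 (RFC 5849) GET signing and verification.
Added example for this thread; not Yahoo's or any library's code.
All key/secret/nonce values are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

UNRESERVED = "-._~"  # RFC 5849 3.6: every other non-alphanumeric byte is %-encoded


def pct(value):
    """Percent-encode per RFC 5849 3.6 ('*' and ' ' are encoded, '~' is not)."""
    return quote(str(value), safe=UNRESERVED)


def normalize_url(url):
    """RFC 5849 3.4.1.2: lowercase scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted, encoded k=v pairs)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: enc(consumer secret) & enc(token secret).
    With no token (two-legged) the key simply ends in '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def plaintext_signature(consumer_secret, token_secret=""):
    """PLAINTEXT: the signature is the signing key itself; it is %-encoded
    once more when placed in the query string, which yields 'ABCD%26ZYXABC'."""
    return signing_key(consumer_secret, token_secret)


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by the signing key, base64-encoded."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_get_request(url, consumer_key, consumer_secret, method="HMAC-SHA1",
                     nonce=None, timestamp=None):
    """Return the complete signed URL for a two-legged GET (no oauth_token)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_urlsafe(12)),  # fresh per request
        ("oauth_signature_method", method),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if method == "HMAC-SHA1":
        sig = hmac_sha1_signature("GET", url, params, consumer_secret)
    elif method == "PLAINTEXT":
        sig = plaintext_signature(consumer_secret)
    else:
        raise ValueError(f"unsupported oauth_signature_method: {method}")
    params.append(("oauth_signature", sig))
    return f"{normalize_url(url)}?{urlencode(params, quote_via=quote, safe=UNRESERVED)}"


def verify_signed_url(signed_url, consumer_secret, token_secret="", max_skew=300, now=None):
    """Service-provider side: recompute HMAC-SHA1 over every parameter except
    oauth_signature, compare in constant time, and reject stale timestamps."""
    params = parse_qsl(urlsplit(signed_url).query, keep_blank_values=True)
    given = dict(params)
    if "oauth_signature" not in given or given.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs((now or int(time.time())) - int(given.get("oauth_timestamp", "0"))) > max_skew:
        return False
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1_signature("GET", signed_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, given["oauth_signature"])


if __name__ == "__main__":
    # Constructed public-data YQL query; PQRST/ABCD are placeholder credentials.
    base = "https://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20geo"
    signed = sign_get_request(base, "PQRST", "ABCD")
    print(signed)
    print("verifies:", verify_signed_url(signed, "ABCD"))
```

Parameter order in the query string does not affect the signature (the base string sorts them), which is why the second reply's URL, with `oauth_signature` appended last, verifies the same way. On the verifying side the signature is never compared with `==`; `hmac.compare_digest` avoids leaking a timing difference, and the timestamp window (plus, in production, a store of seen nonces) is what stops a captured signed URL from being replayed indefinitely.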

