YAP on .Net

Hi guys,

I am trying to create a Yahoo Open Application on the .Net framework. I have looked over the OAuth.net library and tried to make sense of the PHP SDK. I am still struggling with how the authentication will work for an Open Application. I was able to set up a page that outputs all the request and session parameters and header information. How do I use this information to tell for sure that the user is authenticated?

Regards,
Anil

9 Replies
  • Hi guys,

    Some more information regarding what my end goal is. My app doesn't require any private user information so I don't need access to any API. What I am looking for is a way to differentiate between someone trying to access our application which is hosted on the url like http://www.betaservername.com vs http://apps.yahoo.com/-yahooappid

    I can check for request variables like

    yap_consumer_key,
    yap_viewer_access_token,
    yap_viewer_access_token_secret,
    yap_viewer_guid,
    yap_owner_guid,
    yap_appid,
    yap_time,
    oauth_signature_method,
    oauth_signature,

    which exist only for requests coming from http://apps.yahoo.com/-yahooappid, but that doesn't mean that someone else can't just generate these parameters and make a request to get through my test.

    Is there a way for me to verify the oauth_signature or any other piece of information passed to me?

    Regards,
    Anil
    0
  • Hi Anil,

    OAuth uses encryption to verify the provider and the consumer are who they say they are. This means that all the passed parameters are signed. You can use this to validate that the session came from a Yahoo! Application.

    Hope that helps.

    Tom
    Yahoo! Developer Network
    0
  • Hi Tom,

    Thanks for the clarification. So do I validate the oauth_signature parameter passed into the request? And if so, is there a method in the OAuth.Net lib that will allow me to do that? If not, how do I validate the signature?

    Anil

    QUOTE (sh1mmer @ Jan 26 2009, 12:20 PM)
    Hi Anil,

    OAuth uses encryption to verify the provider and the consumer are who they say they are. This means that all the passed parameters are signed. You can use this to validate that the session came from a Yahoo! Application.

    Hope that helps.

    Tom
    Yahoo! Developer Network
    0
  • The response would not be considered "valid" if the OAuth signature didn't match. As such any responses you receive from the OAuth library should be valid. Otherwise the library should throw a signature error.

    If you have specific code I'd be happy to look and see if I can help.

    Tom
    0
  • Hi Tom,

    Thanks for the reply.

    As you mentioned, I am trying to validate the signature that I am getting as part of the post parameters of the incoming request from Yahoo. I am using the OAuth lib from http://code.google.com/p/devdefined-tools/wiki/OAuth to do the validation. For some reason it never validates the signature.

    OAuthContext context = new OAuthContext
    {
        ConsumerKey = Request["yap_consumer_key"],
        Signature = Request["oauth_signature"],
        Token = Request["yap_viewer_access_token"],
        TokenSecret = Request["yap_viewer_access_token_secret"],
        RawUri = CleanUri(Request.Url),
        Cookies = CollectCookies(Request),
        Headers = Request.Headers,
        RequestMethod = Request.HttpMethod,
        SignatureMethod = "HMAC-SHA1"
    };

    OAuthContextSigner signer = new OAuthContextSigner();
    SigningContext signingContext = new SigningContext();
    signingContext.ConsumerSecret = "<secret i got from yahoo>";

    if (!signer.ValidateSignature(context, signingContext)) {
        return false;
    } else {
        return true;
    }

    I have also noticed that I don't get all the oauth parameters as outlined in the actual spec and that some of these parameter prefixes have been changed from oauth_ to yap_. I have already made some changes to the library to reflect this. I noticed that I don't receive the oauth_version and oauth_nonce parameters in the post request made from Yahoo to my application.

    I am kind of pulling my hair out at this point. Would really appreciate any help I can get.

    Regards,
    Anil
    0
  • QUOTE (AnilA @ Feb 5 2009, 06:01 PM)
    OAuthContext context = new OAuthContext
    {
        ConsumerKey = Request["yap_consumer_key"],
        Signature = Request["oauth_signature"],
        Token = Request["yap_viewer_access_token"],
        TokenSecret = Request["yap_viewer_access_token_secret"],
        RawUri = CleanUri(Request.Url),
        Cookies = CollectCookies(Request),
        Headers = Request.Headers,
        RequestMethod = Request.HttpMethod,
        SignatureMethod = "HMAC-SHA1"
    };

    OAuthContextSigner signer = new OAuthContextSigner();
    SigningContext signingContext = new SigningContext();
    signingContext.ConsumerSecret = "<secret i got from yahoo>";

    if (!signer.ValidateSignature(context, signingContext)) {
        return false;
    } else {
        return true;
    }


    The call being made to your application is signed two-legged, meaning it's only been signed with the consumer key and secret. The access token and access token secret aren't used for the signature generation. Try leaving the access token bits out of the creation of the OAuthContext.
    0
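
The two-legged check described in the reply above, written directly against OAuth 1.0 HMAC-SHA1 as an added example (not code from the thread or from the DevDefined library). It assumes the platform signs per the OAuth 1.0 rules, with the yap_* form fields included in the base string like any other request parameter; the key, secret, URL and parameter values are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class TwoLeggedOAuth
{
    // RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay literal.
    static string Enc(string s) => string.Concat(Encoding.UTF8.GetBytes(s ?? "").Select(b =>
        (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') || (b >= '0' && b <= '9') ||
        b == '-' || b == '.' || b == '_' || b == '~' ? ((char)b).ToString() : "%" + b.ToString("X2")));

    // Method, normalized URL (no query string), then every request parameter except
    // oauth_signature, encoded and sorted by name and then by value.
    public static string BaseString(string method, string url, IEnumerable<KeyValuePair<string, string>> ps) =>
        method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", ps
            .Where(p => p.Key != "oauth_signature")
            .Select(p => (K: Enc(p.Key), V: Enc(p.Value)))
            .OrderBy(p => p.K, StringComparer.Ordinal).ThenBy(p => p.V, StringComparer.Ordinal)
            .Select(p => p.K + "=" + p.V)));

    // Two-legged key: encoded consumer secret, '&', then an empty token secret.
    public static string Sign(string baseString, string consumerSecret)
    {
        using var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(Enc(consumerSecret) + "&"));
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    public static bool Verify(string method, string url, List<KeyValuePair<string, string>> ps, string secret)
    {
        string received = ps.FirstOrDefault(p => p.Key == "oauth_signature").Value ?? "";
        string expected = Sign(BaseString(method, url, ps), secret);
        // Fixed-time comparison (.NET Core 2.1 or later) so timing does not leak a partial match.
        return CryptographicOperations.FixedTimeEquals(Encoding.ASCII.GetBytes(received), Encoding.ASCII.GetBytes(expected));
    }
    static KeyValuePair<string, string> P(string k, string v) => new KeyValuePair<string, string>(k, v);
    static void Main()
    {
        // Constructed sample request; every value here is a placeholder, not data from the thread.
        const string secret = "example-consumer-secret", url = "http://app.example.test:8181/";
        var ps = new List<KeyValuePair<string, string>> { P("oauth_consumer_key", "example-consumer-key"),
            P("oauth_signature_method", "HMAC-SHA1"), P("yap_appid", "exampleAppId"),
            P("yap_time", "1233878460"), P("view_name", "YahooFullView") };
        ps.Add(P("oauth_signature", Sign(BaseString("POST", url, ps), secret)));
        Console.WriteLine(Verify("POST", url, ps, secret));   // request as signed
        ps[2] = P("yap_appid", "someOtherApp");               // parameter altered after signing
        Console.WriteLine(Verify("POST", url, ps, secret));
    }
}
```

A valid signature only shows the parameters were signed with the consumer secret; with no oauth_nonce in the request, a captured request can still be replayed unless the receiver also bounds its age.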
  • Hey Ryan,

    I do receive the yap_viewer_access_token and yap_viewer_access_token_secret parameters passed down to our server from Yahoo. From what I can remember, these two parameters are required to generate the basesignature. The OAuth library that I am using requires both of these parameters. It throws an exception when I don't pass these, as it is not able to generate the basesignature.

    Anil
    0
  • Hey Ryan,

    Following are the original signature, the base signature and the generated signature that my application is producing:

    original : UddFcbAuY2zjEkKBcM+eb+Zl3KQ=

    base: POST&http%3A%2F%2F<hostname>%3A8181%2F&oauth_consumer_key%3D<consumerkey>%26oauth_signature_method%3DHMACSHA1%26view_name%3DYahooFullView

    generated : Gn/TRamhgbzLN4P8HwyMY2Hyz4M=

    Can you tell me if the base signature is getting generated properly?

    Anil
    0
  • Hey Anil,

    I'm trying to find someone with some .net experience to help me out with this. In the meantime, could you post the request/response headers and body for a request?
    0
