Yahoo OAuth 2.0 Guide

OAuth 2.0 is an updated version of the OAuth protocol that supersedes OAuth 1.0 and 1.0a. OAuth is an open standard for authorization that Yahoo uses to grant access to user data.

Note

OAuth 2.0 is currently supported by Yahoo Gemini and Yahoo Social APIs. If you are using YQL or other Yahoo APIs, please refer to the OAuth 1 guide.

Benefits

OAuth 2.0 has some key distinctions from OAuth 1.0:
  • SSL for secure communication.
  • Signatures are no longer necessary.
  • Support for a variety of grant types and flows.

Supported Client Profiles

Yahoo supports two primary client profiles:
  • Server-side Application: This consists of an application (client) hosted on a web server. Users access the application using an HTML-based user agent. Client credentials and issued tokens are stored on the web server and are inaccessible to the user.
  • Client-side Application: In this profile, the client code is downloaded from a web server and runs within a user-agent on the user’s device. Credentials and tokens are accessible to the end user.

Supported Authorization Flows

As per the OAuth 2.0 specification, authorization to access user (resource owner) data can be obtained using four grant types. Yahoo currently supports two of the four grant types:
  • Explicit Grant: Also known as a bearer token, this grant type is useful when you want the API to simply provide an access token. This grant type works well with server-side applications.
  • Implicit Grant: This grant type immediately provides an access token in the hash fragment of the redirect URI.
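
How a client-side application can handle the fragment delivery described for the Implicit Grant, as an added example that is not part of Yahoo's guide. The parameter names (`access_token`, `expires_in`, `state`, `error`) are taken from RFC 6749 section 4.2.2 and are assumed here, since this page does not list them; the redirect URI and token are constructed sample values.

```javascript
// Constructed sample redirect; app.example and the token value are placeholders.
const SAMPLE_REDIRECT =
  "https://app.example/callback#access_token=CONSTRUCTED_TOKEN" +
  "&token_type=bearer&expires_in=3600&state=af0ifjsldkj";

// Parse an implicit-grant redirect and return the token plus a URL with the
// fragment removed. expectedState is the random value the client generated
// and stored before sending the user to the authorization page.
function parseImplicitGrantRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // The fragment is not sent to the web server; only code running in the
  // user agent can read it.
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));

  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  // Reject a response that does not echo this client's own state value, so a
  // token supplied by another party through a crafted link is not accepted.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const accessToken = params.get("access_token");
  if (!accessToken) {
    throw new Error("no access_token in fragment");
  }
  const expiresIn = Number.parseInt(params.get("expires_in") || "", 10);

  // Drop the fragment so the token does not stay in the address bar,
  // browser history, or anything that later reads the page URL.
  url.hash = "";
  return {
    accessToken,
    expiresIn: Number.isFinite(expiresIn) ? expiresIn : null,
    cleanUrl: url.toString(),
  };
}
```

In a browser, call it with `window.location.href` and then `history.replaceState(null, "", result.cleanUrl)` before running any other script that might read or log the page URL.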

Migrating to OAuth 2.0 from OAuth 1.0a

If you have integrated with Yahoo using OAuth 1.0a, you do not need to re-authorize access to your app. Using the Explicit Grant flow, you can provide your original refresh token to receive a new OAuth 2.0 access token. For more information, refer to Step 5: Exchange refresh token for new access token.

Before You Begin

As with OAuth 1.0, you must first sign up and get both a Consumer Key and Consumer Secret.