developer

Authorization Code Flow for Server-side Apps

You should use this flow when you have a server-side (Web) application.

Authorization Code Flow for Server-side Apps

Step 1: Sign in and get credentials

First, get a Consumer Key and Consumer Secret by signing in at developer.yahoo.com and creating a project. You will use these credentials for later calls in the OAuth 2.0 flow.

To create an app project, Yahoo needs information about your application including:

  • name

  • type

  • home page URL

  • scopes (permissions for specific services)

  • application domain

Step 2: Get an authorization URL and authorize access

Use the Consumer Key we provide as the client_id to request a redirect URL. Also include the redirect_url so that Yahoo knows where to redirect users after they authorize access to their data.

URL: https://api.login.yahoo.com/oauth2/request_auth

Method: GET, POST

Table 1 Request Authorization URL (/request_auth) Call Request

Request Parameters

Description

client_id

Consumer Key provided to you when you signed up.

redirect_uri

Yahoo redirects Users to this URL after they authorize access to their private data. If the user should not be redirected to your server, you should specify the callback as oob (out of band).

response_type

Must constraint the string code.

state

Optional. Your client can insert state information that will be appended to the redirect_uri upon success user authorization.

language

Optional. Language identifier. Default value is en-us.

Sample URL

https://api.login.yahoo.com/oauth2/request_auth?client_id=dj0yJmk9ak5IZ2x5WmNsaHp6JmQ9WVdrOVNqQkJUMnRYTjJrbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD1hYQ--&redirect_uri=oob&response_type=code&language=en-us

Note

In the authorization code flow, you will only need to reauthorize access from the user in the future if the user revokes access through Yahoo account settings.

Step 3: User redirected for access authorization

A successful response to request_auth initiates a 302 redirect to Yahoo where the user can authorize access.

Step 4: Exchange authorization code for access token

Once the user authorizes access, the user is redirected back to the redirect_uri you originally specified. A authorization code is appended to the redirect_uri, shown below as code=abcdef:

https://www.example.com/callback?code=abcdef&state=XYZ

Your client needs to extract the authorization code and exchange it for an access token using a call to the /get_token endpoint. The response also contains the refresh token, which persists even when the user changes passwords. The authorization server may issue a new refresh token, in which case the client must discard the old refresh token and replace it with the new refresh token. The authorization server will revoke the old refresh token after issuing a new refresh token to the client. The refresh token can also be invalidated if the user revokes access through Yahoo account settings.

URL: https://api.login.yahoo.com/oauth2/get_token

Method: POST

Table 2 Get Access Token (/get_token) Request Parameters

Request Parameters

Description

client_id

Consumer Key provided to you when you signed up.

client_secret

The Consumer Secret provided to you when you signed up.

redirect_uri

Yahoo redirects Users to this URL after they authorize access to their private data. If your application does not have access to a browser, you must specify the callback as oob (out of band).

code

Authorization code appended to redirect_uri in previous call.

grant_type

Must contain the string authorization_code grant type.

Sample Request Header

Authorization: Basic ZGoweUptazlhazVJWjJ4NVdtTnNhSHA2Sm1ROVdWZHJPVk5xUWtKVU1uUllUakpyYldOSGJ6bE5RUzB0Sm5NOVkyOXVjM1Z0WlhKelpXTnlaWFFtZUQxaFlRLS06NmYzYjI5NjllYzUwOTkxNDM4MDdiNDU4ZTU5MTc5MzFmYmEzMWUwOA==
Content-Type: application/x-www-form-urlencoded

Note

The Authorization: Basic authorization header is generated through a Base64 encoding of client_id:client_secret per RFC 2617. You can use https://www.base64encode.org/ to see how headers should be encoded.

Sample Request Body

grant_type=authorization_code&redirect_uri=https%3A%2F%2Fwww.example.com&code=abcdef

Sample Response

{
   "access_token":"Jzxbkqqcvjqik2IMxGFEE1cuaos--",
   "token_type":"bearer",
   "expires_in":3600,
   "refresh_token":"AOiRUlJn_qOmByVGTmUpwcMKW3XDcipToOoHx2wRoyLgJC_RFlA-",
   "xoauth_yahoo_guid":"JT4FACLQZI2OCE"
}
Table 3 /get_token call response

Request Parameters

Description

access_token

The access token that you can use to make calls for Yahoo user data. The access token has a 1-hour lifetime.

token_type

The access token that you can use to make calls for Yahoo user data.

expires_in

The access token lifetime in seconds.

refresh_token

The refresh token that you can use to acquire a new access token after the current one expires.

xoauth_yahoo_guid

The GUID of the Yahoo user. (This claim is deprecated. If you need the user’s GUID value, please use the OpenID Connect flows. The GUID will be provided in the id_token.)

Important

You should store the refresh token for future use. You will need to provide the refresh token to get a new access token when it expires.

Step 5: Exchange refresh token for new access token

After the access token expires, you can use the refresh token, which has a long lifetime, to get a new access token.

URL: https://api.login.yahoo.com/oauth2/get_token

Method: POST

Table 4 Get Access Token (/get_token) Request Parameters

Request Parameters

Description

client_id

Consumer Key provided to you when you signed up.

client_secret

The Consumer Secret provided to you when you signed up.

redirect_uri

Yahoo redirects Users to this URL after they authorize access to their private data. If your application does not have access to a browser, you must specify the callback as oob (out of band).

refresh_token

The refresh token that you originally received along with the an access token.

grant_type

Must contain the refresh_token grant type.

Sample Request Header

Authorization: Basic ZGoweUptazlhazVJWjJ4NVdtTnNhSHA2Sm1ROVdWZHJPVk5xUWtKVU1uUllUakpyYldOSGJ6bE5RUzB0Sm5NOVkyOXVjM1Z0WlhKelpXTnlaWFFtZUQxaFlRLS06NmYzYjI5NjllYzUwOTkxNDM4MDdiNDU4ZTU5MTc5MzFmYmEzMWUwOA==
Content-Type: application/x-www-form-urlencoded

Sample Request Body

grant_type=refresh_token&redirect_uri=https%3A%2F%2Fwww.example.com&refresh_token=a_qOmByVGTm

Sample Response

{
   "access_token":"Jzxbkqqcvjqik2IMxGFEE1cuaos--",
   "token_type":"bearer",
   "expires_in":3600,
   "refresh_token":"AOiRUlJn_qOmByVGTmUpwcMKW3XDcipToOoHx2wRoyLgJC_RFlA-",
   "xoauth_yahoo_guid":"JT4FACLQZI2OCE"
}
Table 5 /get_token call response

Request Parameters

Description

access_token

The access token that you can use to make calls for Yahoo user data. The access token has a 1-hour lifetime.

token_type

The access token that you can use to make calls for Yahoo user data.

expires_in

The access token lifetime in seconds.

refresh_token

The refresh token that you can use to acquire a new access token after the current one expires.

xoauth_yahoo_guid

The GUID of the Yahoo user. (This claim is deprecated. If you need the user’s GUID value, please use the OpenID Connect flows. The GUID will be provided in the id_token.)