
Premshree's (品速力) Personal Weblog

Ruby wrapper for Yahoo! Browser-Based Authentication
suburbia
[info]premshree

As you probably know we launched Browser-Based Authentication. What this means is that users can grant third-party web-based applications access to their Yahoo! data. (Actually, this could be used for non web-based apps too.) For a more detailed explanation, go here.

Anyway, I’ll explain how this works using the Ruby interface I just wrote and (sort of) tested:

  • Registering your web application: First off, you need to register your web application with Yahoo!. After registration you’ll get your appid and shared secret.
  • Logging-in users:

    obj = YBBAuth.new(appid, secret)
    obj.get_auth_url('')

    Once you get the auth URL, direct the user there. Now the user is informed that your amazing web application is asking for permissions (read, write or both) and whether he wishes to grant permission, etc. Once the user grants permission, Yahoo! will redirect the user to your application (you would’ve submitted the URL when registering for an appid).
  • Getting user credentials: When Yahoo! redirects the user, it adds a token parameter to the URL. You need to extract this token in order to get user credentials:

    obj.get_access_credentials(token)

  • Making an authenticated request: Now you can make authenticated GET/POST requests:

    obj.ws_auth_get_request('http://photos.yahooapis.com/V3.0/listAlbums')

    The above snippet makes use of the Yahoo! Photos API.
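The redirect-handling half of the flow above, written here as an added example rather than taken from the wrapper or from Yahoo!: build the signed login URL, then verify the signature and timestamp on the redirect before trusting the token it carries. It assumes the BBAuth scheme in which sig is MD5 of the relative URL (minus the sig parameter) followed by the shared secret, that sig is the last query parameter, and that a timestamp is only accepted within a short window; the hostname, the appdata parameter and the 600-second window are assumptions.

```ruby
# Added example, not the wrapper's own code. Assumed BBAuth scheme:
# sig = MD5(relative URL without the trailing sig parameter + shared secret),
# and the ts parameter must be close to the current time.
require 'digest/md5'
require 'uri'
require 'cgi'

AUTH_PATH = '/WSLogin/V1/wslogin'   # assumed login endpoint path
MAX_SKEW  = 600                     # assumed acceptance window for ts, in seconds

def sign(relative_url, secret)
  Digest::MD5.hexdigest(relative_url + secret)
end

# Build the signed URL the user is sent to. appdata is opaque state that comes
# back on the redirect; bind it to the user's session so a token returned for
# someone else's login cannot be attached to this session.
def auth_url(appid, secret, appdata, ts = Time.now.to_i)
  rel = "#{AUTH_PATH}?appid=#{CGI.escape(appid)}&ts=#{ts}&appdata=#{CGI.escape(appdata)}"
  "https://api.login.yahoo.com#{rel}&sig=#{sign(rel, secret)}"
end

# Constant-time string comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the redirect back from Yahoo! and return its token, or nil if the
# signature does not match or the timestamp is stale. Only a verified token
# should be passed on to get_access_credentials.
def verify_redirect(full_url, secret, now = Time.now.to_i)
  uri   = URI.parse(full_url)
  query = uri.query.to_s
  idx   = query.rindex('&sig=')
  return nil unless idx
  sig = query[(idx + 5)..-1]
  rel = "#{uri.path}?#{query[0...idx]}"
  return nil unless secure_compare(sign(rel, secret), sig)
  params = CGI.parse(query)
  ts = params['ts'].first.to_i
  return nil if (now - ts).abs > MAX_SKEW
  params['token'].first
end
```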

» The Ruby wrapper

The interface isn’t complete or well-tested (I have a flight to catch in a few hours so I need to leave in a bit). I’ll work on it in a day or two.


Will BBAuth take off now that we are at the same time trying to teach users to be very careful and on the look-out for phishers? I understand that the user just has to check the url in the browser's address bar, but doesn't it complicate things for them? What am I missing?

BBAuth doesn't yield your Yahoo! ID or password to the requesting application, which is what phishing tries to accomplish.

The Yahoo! login only happens on http://login.yahoo.com/ so the sign-in seal is still available and users should look out for it. The grant of access also happens through http://login.yahoo.com/

When you're granting access to a third party application, the landing page tells you the domain name of the third party application and the Yahoo! application to which access is being requested, so you know exactly what data you're sharing.

Your only relevant point was the sign-in seal which I would have never noticed had [info]teemus not made his post about it (And I'm someone who actually looks for "new things"). And I still haven't bothered enabling it. I don't think anybody I know is using the sign-in seal. And I'm guessing almost nobody will.

Heh, you're the owner of your account. Do what you want (or don't want) to do with it.

From what I know, phishing is something Yahoo! is taking very seriously (the sign-in seal, etc.). Sure, it still requires that the user knows about it, but then again it’s a start. So considering that phishing is a problem that we intend to solve, BBAuth won’t make things as bad as you’d imagine.

Some people say that phishing is something that is being produced by well-known companies. Bank of NY had a leak of its customer database and then there was a huge wave of phishing with BNY emails. Then in a few months there were lots of interviews saying that it was the customers who revealed their own personal data and they are to blame (not BNY, of course ;))
Jason

That is scary, phishing is still happening even now.

Aston

Yahoo comes back hoho

[info]rawy

2007-03-18 01:53 pm (UTC)

It is the return of Yahoo.
BBAuth fixes that problem when it comes to accessing data locked up at Yahoo. Using the tools Yahoo provides, non-Yahoo applications can request a user to sign in to Yahoo and give permission for Yahoo user data to be sent to the non-Yahoo application. Two test applications have been created. The first shows how it can be used to allow sign-in via Yahoo credentials, and the second shows how you can access Yahoo Photos data outside of Yahoo.

As a dumb user, I don't feel comfortable with Yahoo telling me that if I click yes, xyz.com has permission to access my data for two weeks.

I'd be more comfortable with "when your browser closes" or something.


And I don't see how this is better than Google Auth anyway. Something I'm missing?

if I click yes, xyz.com has permission to access my data for two weeks
... provided that you don't sign out of the Yahoo! Network in the meantime. If you do, the permission goes away too [will try to get the exact details] and you need to re-authenticate all over again.

And I don't see how this is better than Google Auth anyway

What's your point behind this question? If it is to suggest that Google somehow invented this kind of system, you're wrong. Yahoo! has been using a similar authentication mechanism for "partner sites" for ages. Even OpenID predates Google Auth. It's merely a question of if and when someone chooses to open up authentication to unknown third parties.

I was wrong about the permissions being revoked on sign-out. There are only some circumstances under which that happens and you can't rely on that behaviour.

The token is valid for 14 days.

The 14 day token makes me squirm.

As for the google question, I was thinking of something else while I typed that, so there isn't a point I'm trying to sell. It was more like a note to self.

Having OpenIDs is still better than accounts and I don’t see this as too confusing, because most people are aware that they have different personas on the web, and if it’s only their real personality and a fake identity.

ruby books in Bangalore

(Anonymous)

2006-10-09 08:13 am (UTC)

Hi, I saw your blog, it's nice. Can you please tell me where I can get books on Ruby, like Programming Ruby or the Ruby Cookbook etc.?
I have searched in many places in Bangalore like Sapna Book, Gangaram, and the market, but I have not found them. I will be very thankful to you.


Re: ruby books in Bangalore

(Anonymous)

2007-11-25 08:59 pm (UTC)

I can't log in at http://login.yahoo.com/
