
Yahoo! and OAuth 1.0a



Mike Peat
16-Aug-2015, 12:32 PM
In the wise words of Sheldon Cooper: "Bazinga!"

I have, after far too long banging my head against a series of brick walls, just managed to get the OAuth2 component to connect to the Yahoo! REST API (OK, I got one API call to give me back a bunch of XML telling me not very much, but it is a start! :)):



GET https://social.yahooapis.com/v1/user/745KCX5MZAWG2PVDZSZERUG3ZM/profile/usercard

returns:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<profile xmlns="http://social.yahooapis.com/v1/profile/social.profile" xmlns:ns2="http://www.yahooapis.com/v1/base.rng" ns2:uri="https://social.yahooapis.com/v1/user/745KCX5MZAWG2PVDZSZERUG3ZM/profile/usercard" cache="true">
<guid>745KCX5MZAWG2PVDZSZERUG3ZM</guid>
<created>2015-08-16T16:48:19Z</created>
<image>
<height>48</height>
<imageUrl>https://s.yimg.com/dh/ap/social/profile/profile_b48.png</imageUrl>
<size>48x48</size>
<width>48</width>
</image>
<memberSince>2014-10-14T10:38:37Z</memberSince>
<nickname>Mike</nickname>
<notStored>true</notStored>
<profileUrl>http://profile.yahoo.com/745KCX5MZAWG2PVDZSZERUG3ZM</profileUrl>
<bdRestricted>true</bdRestricted>
</profile>


This is important because Yahoo! uses OAuth 1.0a, rather than OAuth 2.0.

OAuth 1.0a (the "a" referring to a fix for a security hole identified after 1.0 was first published) is a significantly more prescriptive standard than OAuth 2.0 (which is a good thing: less scope for variation among implementations... or so I hope). It is also quite a bit more complicated in terms of implementation (at least from my experience so far).

Why should we care about OAuth 1.0a? Because a number of significant providers are using that rather than OAuth 2.0, including Yahoo! (obviously), Twitter and Xero Accounts (and probably many others I have not yet found out about).

I will keep you posted as I make progress, but I got so excited I had to tell somebody who might understand. (Does this sound like "My wife doesn't understand me"? - If so there is a reason for that! :))

So... a question. Currently I have this capability in an updated version of the cOAuth 2.0 class, where it might be argued it does not really belong (the clue being in the name), controlled by a wpbUseOAuth10a property. Do you think I should:



1. Just leave it in there
2. Leave it in there, but rename the component to just "cOAuth" (no "2")
3. Split it out into a separate component called cOAuth10a (or similar)
4. Some other approach...


Mike
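The part that makes OAuth 1.0a "quite a bit more complicated" to implement than OAuth 2.0 is the request-signing step that RFC 5849 prescribes: build a signature base string from the method, the normalized URI and every request parameter, then HMAC-SHA1 it with the consumer and token secrets. As an added example (not Mike's cOAuth2 code or anything posted in this thread), here is that step in Python, run on the sample request from RFC 5849 section 3.4.1.1, with constructed placeholder secrets and a provider-side verification function of the kind a resource server would run.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop default port, query and fragment."""
    p = urlsplit(url)
    host = p.hostname
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 3.4.1: METHOD & encoded base URI & encoded normalized parameter string."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))  # query string
    pairs += list(body_params)  # decoded x-www-form-urlencoded body, if any
    # oauth_* protocol parameters, minus realm and the signature itself
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # sort by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is encoded consumer secret, '&', encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def verify(method, url, oauth_params, body_params, consumer_secret, token_secret, presented):
    """Provider side: recompute from the request as received, compare in constant time."""
    base = signature_base_string(method, url, oauth_params, body_params)
    return hmac.compare_digest(hmac_sha1_signature(base, consumer_secret, token_secret), presented)


# Request taken from RFC 5849 section 3.4.1.1; the two secrets are constructed placeholders.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = (("c2", ""), ("a3", "2 q"))  # decoded form of the body "c2&a3=2+q"
RFC_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-placeholder", "token-secret-placeholder"
```

Any difference in parameter encoding or sort order between client and provider changes the base string and so fails verification, which is why the 1.0a spec has to be as prescriptive as it is.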

Stephen W. Meeley
16-Aug-2015, 12:48 PM
Mike,

I'd vote (if I even have one :cool:) for option 2. But I'm also assuming that there is a reasonably sized "common base" between 1.0a and 2.0 when I say that. Then the documenting (and to some extent the testing) of the base is once and done and you can focus on a property to control the revision specific stuff.

Also, it just seems more "clean".

Mike Peat
16-Aug-2015, 01:38 PM
Stephen

In principle, I think I agree with you, but in practice... well, the OAuth2 stuff contains a shed-load of properties related to "what does this provider call that thing" (a result of the lack of prescriptiveness in the OAuth 2.0 spec), which I suspect may be absent from OAuth 1.0a implementations, and so cause a degree of overhead which may not be needed for OAuth1. The JavaScript aspect however is relatively unchanged by the addition of OAuth 1.0a, so right now I am conceptually leaning in the direction of an OAuth super-class with OAuth2 and OAuth1 sub-classes (all having the same JavaScript representation), but I think I need to try out some other OAuth 1.0a implementations before I choose which way to go. For now it is all in one class, which can easily be renamed without too much pain.

As a side-note, I find that Yahoo! actually support OAuth 2.0 in some of their APIs (including, annoyingly, the one I was actually working with), while others still use OAuth 1.0a - I suspect they are gradually transitioning to OAuth 2.0, but they don't explicitly say that anywhere I have seen, which leads their documentation to be rather confusing.

Mike

chuckatkinson
17-Aug-2015, 05:24 AM
I like your idea of a base-class and then sub-classes for the versions. And who knows, this might be an advantage when OAuth 3.0 comes out :D

Focus
17-Aug-2015, 06:54 AM
It also keeps the properties panel tidy when including the class, as you don't get masses of non-useful properties for a given instance.