Yahoo OAuth2 Implicit Grant flow not working for new yahoo app

I have an existing web app and a dedicated Yahoo App working. It uses the OAuth2 Implicit Grant Flow.

Now I want to set up another domain working on the same principle. I have created a new Yahoo App with a new callback domain (New Yahoo app).

The URL used to get user consent (in both cases) is https://api.login.yahoo.com/oauth2/request_auth?client_id=consumer_key&redirect_uri=https://redir_url&response_type=token

It is working for the old domain and old Yahoo App (consumer key ends in --), but it doesn't want to work with the new domain and new Yahoo app (consumer key does NOT end in -- for some reason).

I get this message after visiting the user consent link:

Developers: Please choose response types from code, token or id_token and submit again.

although I provided a valid response_token. Do you know why it's not working for the new domain and new Yahoo app?

code:

// consumerKey and redirectUri are the values registered for the Yahoo App (placeholders here)
var consumerKey = 'YOUR_CONSUMER_KEY';
var redirectUri = 'https://redir_url';

// Build the consent URL for the Implicit Grant flow (response_type=token)
var authorizationUrl = 'https://api.login.yahoo.com/oauth2/request_auth'
    + '?client_id=' + encodeURIComponent(consumerKey)
    + '&redirect_uri=' + encodeURIComponent(redirectUri)
    + '&response_type=token';

// Open the consent page in a popup window
window.open(authorizationUrl, '_blank', 'location=yes,height=570,width=650,scrollbars=yes,status=yes');
Dispersion answered 4/12, 2018 at 9:40 Comment(4)
Could you share a sample of your code in both instances? - Backwoodsman
Did you find any solution? I am facing the same problem now; looks like Yahoo! made some undocumented changes in the OAuth implementation. - Gilbertina
@Backwoodsman the source code is the same, just a different client_id. Code added. - Dispersion
@VishnuHaridas not yet. - Dispersion

Looks like the API is asking for the literal word "id_token" (or "code" or "token") as the response_type parameter. You didn't post your code, but it sounds like you're actually putting in a response_token id value for that parameter.

Looking at the Yahoo API documentation, here is a sample URL which is similar to yours:

https://api.login.yahoo.com/oauth2/request_auth?client_id=dj0yJmk9WGx0QlE0UWdCa0hKJmQ9WVdrOWNrNUhXVnBhTkhFbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD01OA--&response_type=id_token&redirect_uri=https://yahoo.com&scope=openid%20mail-r&nonce=YihsFwGKgt3KJUh6tPs2

You can see they wrote: &response_type=id_token, rather than &response_type=934984kklsdkjklfs or similar.

In general, OAuth API calls usually send back an access token or response token which is valid for your API session and eventually expires. This parameter is describing what type of token you want the API to return.

I can't talk to what might have changed between the 2 versions of your app, but I recommend that you check out the versioning and What's New section of Yahoo's API documentation.

Badlands answered 10/12, 2018 at 1:5 Comment(1)
1. I have the same version of my app, just different keys for different environments. 2. I use the correct response_type=token. 3. I need response_type=token, not response_type=id_token. I use a different workflow: developer.yahoo.com/oauth2/guide/flows_implicitgrant. But I tested the one you mentioned; it also doesn't work with the new key. - Dispersion

You can provide 2 different values to the response_type parameter.

In the case of response_type=token, after redirection the access token is appended to your redirect URL, like so:

http://myurl/?access_token=XXXYYY

However, this is deemed less secure than going the other way, since in this one you'd have the access token exposed. (As an example, browser plugins might have access to the URL, which they can then take advantage of.)

In the case of response_type=code, a code is appended to your redirect URL, like so:

https://myurl/?code=XXXYYY

You would then retrieve that code on your server side and send it to the OAuth2 provider (Yahoo in this case) with your client_id and client_secret in exchange for an access_token. This is more secure, since only your server side now has access to the access_token, and not any other mechanism. Conventionally it would be a POST request to some Yahoo endpoint like this:

// Server-side exchange of the code for an access token (Node.js fetch).
// Yahoo's token endpoint is https://api.login.yahoo.com/oauth2/get_token;
// request_auth (the URL in the question) is the authorization endpoint, not this one.
const response = await fetch('https://api.login.yahoo.com/oauth2/get_token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    client_id: yourClientId,          // judging by the URL in the other answer, something like dj0yJmk9WGx0QlE0UWdCa0hKJmQ9WVdrOWNrNUhXVnBhTkhFbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD01OA--
    client_secret: yourClientSecret,  // stays on the server; never ships to the browser
    code: theCodeFromUrl,
    grant_type: 'authorization_code',
    redirect_uri: theRedirectUri      // the same redirect_uri the code was delivered to
  })
});

And then your server would get the access_token in response to this request.

Fluorosis answered 13/12, 2018 at 11:56 Comment(1)
1. I use this workflow developer.yahoo.com/oauth2/guide/flows_implicitgrant so I need response_type=token. 2. Redirection doesn't happen. At the point where I should get the redirection, the user is instead shown the message: Developers: Please choose response types from code, token or id_token and submit again. - Dispersion

It appears that they no longer support this flow:

Due to a number of security vulnerabilities in the OAuth2 Implicit flow, support for this flow has been deprecated. Please use the OAuth2 Authorization Code flow as described here.

Going through the docs, it appears they support only authorization code flows:

As per the OAuth 2.0 specification, authorization to access user (resource owner) data can be obtained using four grant types. Yahoo currently supports one of the four grant types:

  • Authorization Code Grant: This grant type is used to obtain access tokens which can be used to authorize access to Yahoo APIs.

which might not be ideal for client-side applications:

You should use this flow when you have a server-side (Web) application.

Maisey answered 14/11, 2022 at 21:29 Comment(0)
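The two response types discussed in the answers above, as an added example that is not code from the question or from any answer: it builds the request_auth URL with the response_type validated against the three values Yahoo's error message lists, and parses the redirect for both flows. Client ID, redirect URI and state values are constructed placeholders.

```javascript
// Added example, not code from the question or either answer: the Yahoo
// request_auth URL built safely, and the redirect parsed for both
// response types discussed above. The endpoint is the one in the question;
// placeholder values are constructed.
const AUTHORIZE_URL = 'https://api.login.yahoo.com/oauth2/request_auth';
const ALLOWED_RESPONSE_TYPES = new Set(['code', 'token', 'id_token']);

// URLSearchParams percent-encodes each value, and response_type is checked
// against the three values Yahoo's error message lists before any redirect.
function buildAuthorizationUrl({ clientId, redirectUri, responseType, state, scope }) {
  if (!ALLOWED_RESPONSE_TYPES.has(responseType)) {
    throw new Error(`response_type must be code, token or id_token, got "${responseType}"`);
  }
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', responseType);
  url.searchParams.set('state', state); // unguessable per-session value, verified on return
  if (scope) url.searchParams.set('scope', scope);
  return url.toString();
}

// Parse the URL the browser lands on after consent. Per RFC 6749, with
// response_type=code the code arrives in the query string (so the server
// behind redirect_uri sees it), while with response_type=token the access
// token arrives in the fragment: browsers never send it to the server, but
// any script or extension running in the page can read it.
function parseRedirect(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const state = query.get('state') ?? fragment.get('state');
  if (state !== expectedState) {
    return { ok: false, error: 'state mismatch: response not tied to this session' };
  }
  if (query.has('code')) {
    return { ok: true, flow: 'authorization_code', code: query.get('code') };
  }
  if (fragment.has('access_token')) {
    return {
      ok: true,
      flow: 'implicit',
      accessToken: fragment.get('access_token'),
      expiresIn: Number(fragment.get('expires_in')),
    };
  }
  return { ok: false, error: query.get('error') ?? 'no code or access_token in redirect' };
}
```

A code obtained from parseRedirect is what the server-side exchange in the earlier answer consumes; an access token read from the fragment never needs to leave the browser, which is also why it is exposed to anything running there.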