Browser Based Authentication Using C# - Yahoo! Developer Network

Overview

This article describes how to use the Yahoo.Authentication class that simplifies using the Browser-Based Authentication system. For a detailed description of what is going on under the hood, download and have a look at the provided source code or refer to the Browser-Based Authentication pages. This article assumes you have signed up for an application ID and have a basic understanding of the authentication process.

There are three main steps to using Browser-Based Authentication:

Get permission and sign in the user
Verify and save token on end-point page
Use authenticated web services

Signing in the User

Before you can access a user's data you must receive permission from the user. This is done by redirecting the user's browser to the user sign in page that will sign them into the Yahoo! network and ask permission for you to read, write or read and write their data. Don't forget to let the user know what is going to happen before you redirect them.

// Create an instance of Yahoo.Authentication Yahoo.Authentication auth = new Authentication("myappid", "mysharedsecret"); // Redirect the user to the use sign-in page Response.Redirect(auth.GetUserLogOnAddress().ToString());

End-Point Page Processing

Once the user has approved your application, their browser will be redirected to the end-point page you specified when you signed up for an application ID. The following demostrates checking for a valid call and saving the received token in the user's Authentication object. You should also store the token in a persistent store since it is valid for two weeks.

private void Page_Load(object sender, System.EventArgs e) { bool success = false; // Retrieve this user's authentication object we've stored in the session state Yahoo.Authentication auth = Session["Auth"] as Yahoo.Authentication; if (auth == null) { // We have a problem with the current session, abandon and retry Session.Abandon(); Response.Redirect("ErrorPage.aspx"); } // Check if we are returning from login if (Request.QueryString["token"] != null && Request.QueryString["token"].Length > 0) { // Make sure the call is valid if (auth.IsValidSignedUrl(Request.Url) == true) { success = true; // Save the user token. It is valid for two weeks auth.Token = Request.QueryString["token"]; } } // Redirect if we succeeded if (success == true) { Response.Redirect("Default.aspx"); } else { Response.Redirect("SignInError.aspx"); } }

Obtaining User Credentials

The second step, obtaining user credentials, should always be transparent to the user. The UpdateCredentials() methods will attempt to retrieve the user's credentials (WSSID and cookie) and store them internally. Note that the built-in methods will check IsCredentialed and call UpdateCredentials automatically if valid credentials weren't available. Unless you do the web service call yourself, you will not normally need to use this method.

// Create an instance of Yahoo.Authentication Yahoo.Authentication auth = new Authentication("myappid", "mysharedsecret"); // You must set the token before calling UpdateCredentials auth.Token = "storedusertoken"; // Attempt to get user credentials auth.UpdateCredentials();

Calling Authenticated Web Services

The built-in data retrieval methods GetAuthenticatedServiceDataSet, GetAuthenticatedServiceStream, GetAuthenticatedServiceString, GetAuthenticatedServiceXmlDocument and GetAuthenticatedServiceXPathDocument will automatically attempt to update the user's credentials if necessary. If you receive an AuthenticationException during these calls, you should check the status/error code for 401 - Unauthorized. If the error is 401, you can try to sign in the user again.

// Retrieve this user's authentication object we've stored in the session state Yahoo.Authentication auth = Session["Auth"] as Yahoo.Authentication; if (auth != null) { // Call web service and output result into a DIV tag Div1.InnerHtml = auth.GetAuthenticatedServiceString( new System.Uri("http://photos.yahooapis.com/V1.0/listServices")); }