whatadewitt / yahoo-fantasy-sports-api

NodeJS wrapper for the Yahoo! Fantasy Sports API
https://yahoo-fantasy-node-docs.vercel.app/
MIT License

Question about user authentication #2

Closed kterusaki closed 7 years ago

kterusaki commented 8 years ago

What is the client token and client secret? This is separate from the application token and application secret provided by Yahoo when you make a custom app, correct?

Are Y!CLIENT_TOKEN and Y!CLIENT_SECRET the access token and refresh token, respectively?

yf.setUserToken(
  Y!CLIENT_TOKEN,
  Y!CLIENT_SECRET
);

I'm not using passport. Unfortunately, I couldn't get that to work, so I'm building out custom OAuth 2.0 with Yahoo.

whatadewitt commented 8 years ago

You're correct. Some calls will require user level authentication rather than application level. The most obvious example of this is when you're trying to get data for a particular user, or you're trying to access data from a league that is not public.

If you have any sort of OAuth set up, you should have access to the client token and secret when you authenticate against Yahoo!

That said, you're going to need to also create a function to refresh the token, as the client level tokens will only last for about an hour before requiring a refresh.

I am actually hoping to build this whole thing into my library, or create a companion library as my passport solution is not great and doesn't do this, so if you have pushed your stuff up to Github I'd love to check it out! That said, have you tried using my Yahoo! Passport strategy which I also have on Github? Helps with the user auth at the very least...

kterusaki commented 8 years ago

That'd be awesome if your library handled oauth as well. I'm still in the process of building it out, so I'll post when finished and maybe you can incorporate it in.

I tried using your custom passport strategy, but couldn't get it to work, so I decided to follow the Yahoo OAuth 2.0 docs to gain access tokens. Maybe if you can explain how it works, I can try it out again (Should I post questions about your passport strategy here or on that repository?).

whatadewitt commented 8 years ago

If you check out the sandbox project, it should give you an idea on how to use that strategy.

Let me know if there are any hiccups!

kterusaki commented 8 years ago

I just realized you're using OAuth 1.0. Are you planning on upgrading to OAuth 2.0?

whatadewitt commented 8 years ago

I don't believe that it would work with the fantasy api, per their docs

https://developer.yahoo.com/oauth2/guide/

kterusaki commented 8 years ago

Nope, OAuth 2.0 works with the fantasy api too. I just checked by gaining an access token via OAuth 2.0 and hitting 'https://fantasysports.yahooapis.com/fantasy/v2/users;use_login=1/games'. I specified the access token like so:

'Authorization: Bearer: {access_token}'
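Two points raised above are worth seeing together in code: whatadewitt's note that user-level access tokens last about an hour and need a refresh routine, and the bearer header used to call the Fantasy API. The block below is an added example, not code from this library or from anyone in the thread. It is a small token holder for a Node client that tracks expiry, refreshes the token proactively, and builds the `Authorization` header in the RFC 6750 form (`Bearer` followed by a space and the token). The names `tokenStoreFromResponse`, `needsRefresh`, `buildRefreshRequest` and `refreshIfNeeded` are mine; the token endpoint URL and the `grant_type=refresh_token` / `redirect_uri` form fields are my reading of the Yahoo OAuth 2.0 guide linked earlier and should be verified against it. The HTTP call is injected so the logic can be exercised offline.

```javascript
// Added example: an OAuth 2.0 access-token holder for a Node client of the
// Yahoo Fantasy Sports API. Function names are hypothetical; the token
// endpoint and form fields are assumptions to verify against Yahoo's guide.
'use strict';

// Assumed Yahoo token endpoint (verify against the OAuth 2.0 guide).
const TOKEN_URL = 'https://api.login.yahoo.com/oauth2/get_token';
// Refresh this many seconds before the reported expiry so a request never
// goes out with a token that dies in flight.
const REFRESH_SKEW_SECONDS = 60;

// Build the holder from a token response; expires_in is seconds from now.
function tokenStoreFromResponse(json, nowMs = Date.now()) {
  if (typeof json.access_token !== 'string' || typeof json.refresh_token !== 'string') {
    throw new Error('token response missing access_token/refresh_token');
  }
  const expiresIn = Number(json.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error('token response has no usable expires_in');
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token,
    expiresAtMs: nowMs + expiresIn * 1000,
  };
}

// RFC 6750 bearer scheme: the word Bearer, one space, the token. No colon.
function authorizationHeader(store) {
  return `Bearer ${store.accessToken}`;
}

// True when the access token is expired or within the skew window.
function needsRefresh(store, nowMs = Date.now()) {
  return nowMs >= store.expiresAtMs - REFRESH_SKEW_SECONDS * 1000;
}

// Describe the refresh request. Client credentials travel in an HTTP Basic
// header, not in the query string, so they do not end up in access logs.
function buildRefreshRequest(store, clientId, clientSecret, redirectUri) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: store.refreshToken,
    redirect_uri: redirectUri,
  });
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Refresh only when needed. fetchFn has the global fetch signature so a
// fake can be injected in tests; a new store object is returned.
async function refreshIfNeeded(store, creds, fetchFn = globalThis.fetch, nowMs = Date.now()) {
  if (!needsRefresh(store, nowMs)) return store;
  const req = buildRefreshRequest(store, creds.clientId, creds.clientSecret, creds.redirectUri);
  const res = await fetchFn(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    // Do not echo the response body into logs; it may carry token material.
    throw new Error(`token refresh failed with HTTP ${res.status}`);
  }
  const json = await res.json();
  // Some providers return a new refresh_token; keep the old one if omitted.
  return tokenStoreFromResponse({ refresh_token: store.refreshToken, ...json }, nowMs);
}
```

Call `refreshIfNeeded` before each API request and then send `authorizationHeader(store)`; keeping the expiry in the store means the client never has to react to a 401 with a retry loop, and keeping the client secret out of the URL keeps it out of proxy and server logs.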

whatadewitt commented 8 years ago

Well their docs lie :P

I'll take a look, I might have some time this coming weekend, but I don't know for sure. In the meantime can you not log in with 2.0 and still use the API?

kterusaki commented 8 years ago

I've actually changed your code to support OAuth 2.0. How should a user choose between OAuth 1.0 vs. 2.0 or do you want your library to migrate to 2.0 completely? I'll test all methods and then I can submit a pull request.

whatadewitt commented 8 years ago

Please do! (I'm good with the complete change...)

withsmilo commented 8 years ago

Are you working on converting from OAuth 1.0 to OAuth 2.0 now? I think the express and express-session modules are needed to support the auth callback webpage. If you haven't worked on it, I will try it. (I have successfully tested OAuth 2.0 for some methods.)

whatadewitt commented 8 years ago

I am planning to do this, but I want to move the authentication into the library itself. I already have the refresh token being generated, so it's probably a good idea to move that all into one spot and allow people to pass in user keys/secrets if they want to use a different login.

withsmilo commented 8 years ago

@whatadewitt Do you mean that the external application (or external library) must handle the authentication process? If so, your module (YahooFantasy) needs to handle only an access token given by OAuth 2.0, and the external app (or external lib) has the responsibility to handle the refresh token.

withsmilo commented 8 years ago

@whatadewitt I worked something. :smile:

I implemented an external OAuth 2.0 application and tested the APIs below successfully. I will try other APIs later.

withsmilo commented 8 years ago

@whatadewitt I uploaded my OAuth 2.0 test application to my remove_auth_process_for_oauth2.0 branch.

README.md is here.

whatadewitt commented 8 years ago

I haven't looked through this fully, but I certainly don't want to bloat the API with a server/HTML/CSS etc. I have the sandbox which runs here http://yfantasysandbox.herokuapp.com/ which I use for testing the API and its calls/responses.

The code for this can be found here: https://github.com/whatadewitt/yahoofantasysandbox

withsmilo commented 8 years ago

@whatadewitt I understand. I will separate my test application into a new repository.

withsmilo commented 8 years ago

@whatadewitt What is your plan to apply OAuth 2.0? I think that the authentication process must be separated from yfsapi. So I made a pull request to implement it. Please do a code review.

derrickpelletier commented 7 years ago

Checking in to see if there's any progress on this. Would love to see the move to OAuth 2.0—or the removal of OAuth.

I noticed one of your bigger concerns is the inability to access the public api with 2.0. Have you considered supporting both 1.0 and 2.0?

Maybe specifying during creation?

new YahooFantasy.OAuth2(
  config.get('apis:yahoo:clientId'),
  config.get('apis:yahoo:clientSecret')
);

Or something to that effect anyway. For all intents and purposes, that could just be a flag on the client that utilizes 2.0 compliant headers, https, and perhaps just disables the public api methods? I'm open to helping out with that effort if there's a plan in place.

whatadewitt commented 7 years ago

... well I posted this https://developer.yahoo.com/forums/#/discussion/7979/fantasy-sports-api-oauth2 on April 23rd and never got a response, less than a month later my wife had our second child, so between the job and the new baby, time has been pretty limited. I've been trying to keep my eye on things, and this looks promising https://developer.yahoo.com/oauth2/guide/yahoo_scopes/ as Fantasy Sports has read and write.

It's a long weekend, and while I have a couple small things to catch up on, I will make some time tomorrow night to see what's going on and if I can get things working.

derrickpelletier commented 7 years ago

I'm not surprised you didn't get a response, sadly. And congrats on the child!

I had a rudimentary library built because I was using the OAuth2 flow, and was planning on just ad hoc-ing it as I went, but it's so cumbersome to work with, and you've already done so much work I didn't want to waste any more time. I can share what I have if any of it is helpful or if you get stuck—I can't remember how much trial-and-error was involved as it was from quite a while back.

I registered my app, and during registration, you choose your scopes. In my experience there's no need to specify your scopes during user authentication at all, but I could just be missing something.

The page specifies:

A scope is a permission setting that specifies access to a Yahoo user’s non-public data.

... so I'm not sure that's going to help with any of the public-data request issues.

Or am I missing your meaning regarding the scopes looking promising?

Anyway, I think the idea of supporting both 1.0 and 2.0 is pretty viable, with the caveat that 2.0 would be missing the public subset.

And like I said, if you do figure out a plan to move forward but don't have time, just toss up some issues.

In the meantime I'll just downgrade to 1.0—hopefully temporarily :)

whatadewitt commented 7 years ago

I did some thinking this week... I'm gonna try to set things up like this:

Use OAuth1 for "public" queries. When users log in, I'll implement the OAuth2 flow. I don't LOVE this, but it will add more security for those who log in, and most of the time people will be logging in anyway...

I don't have a timeline on it, but I'm hoping to plug away at it in my free time. Keep your eyes peeled!

whatadewitt commented 7 years ago

Wanted to update anyone still interested. I am (I feel) pretty much done with the OAuth2.0 implementation. I have a few small things left to tweak... but I should be able to get this pushed up within the week, depending on how busy the paying job/kids keep me... but this is certainly exciting!

whatadewitt commented 7 years ago

closing as this has now been implemented...

derrickpelletier commented 7 years ago

Thanks @whatadewitt! Appreciate the work, will take a look at this soon.