Via Jeremy Zawodny I noticed that Yahoo! has finally launched their Browser Based Authentication (BBAuth) system which they announced at ETech earlier this year. What does BBAuth do?
To use BBAuth, you'll need to do the following:
- Register your application
First you need to register your
application with Yahoo!. The process requires
that you describe what your application does, provide contact
information, set your application's endpoint URL, and select the
Yahoo! services to which your application needs access. Some services
may divide their API calls into subsets, or scopes. For
example, a service might group its read-only methods into a
When you complete registration, Yahoo! provides you with an
application ID and shared secret for making authenticated
- Log in your users
Your application cannot access a user's personal data until
the user grants your application limited access to their data.
To do this you must direct your
users to a specialized Yahoo! login page. Once the user enters their Yahoo!
user ID and password, Yahoo! displays a Terms of Service page and lists the data
which your application may access. If the user grants your application access,
Yahoo! redirects the user to your site. The redirect URL contains a token that
you use to retrieve the user's credentials.
- Use the user's credentials to make web service calls
Now that you have the user's
token, you can use
it to retrieve an auth cookie and a WSSID,
which together represent the user's credentials. The user's credentials last
for one hour, and you must supply them for each authenticated web service call.
This is very similar to Google Account Authentication Proxy for Web-Based Applications. However Yahoo! doesn't seem to have a good story for desktop applications that want to use their APIs on behalf of a user (e.g. a desktop photo management application that wants to upload photos to a users Yahoo! Photos account). On the other hand, Google's authentication system for developers actually does cover the desktop case with Account Authentication for Installed Applications which even goes as far as incorporating CAPTCHAs which the desktop app needs to show to the user as they log them in. The only problem is that unlike the Web case, the desktop application actually collects the username and password which I've already mentioned is a big no-no. However the alternatives have trade offs which I can't blame the Google folks for rejecting. I still can't come up with a solution to this problem that I am 100% comfortable with.
Props to the folks at Google and Yahoo! for opening up their systems in this way. One thing I definitely don't like is that both Google via Google Account Authentication and Yahoo! va BBAuth have shipping code that allows developers to authenticate users that use their services while at Microsoft we're still just talking about it. We need to up our game.