
London Hackday: BBAuth and Yahoo Mail

Tuesday, June 19, 2007

BBAuth Authentication system

Dan Theurer covers BBAuth, Yahoo's authentication system. The main reason behind making this API available on the web is so that we can provide programmatic access to all data in Yahoo!. Web services make it easy for third parties to integrate Yahoo! data into their own services. It opens up Yahoo! data to mobile as well as desktop devices, and allows users to use data how they want.

September 2006 saw the first Open Hackday, which is when the Mail API went live. At that point Yahoo! web services get interesting, since we are no longer just reading or consuming data. BBAuth can be used to log into third party apps with a Yahoo API, making Single-Sign-On easy.

When using BBAuth on third party applications the process is as follows. When you click on the sign in link on a third party application you are redirected to a Yahoo! login page. The next page is one where you are asked to confirm that you are allowing a third party permission to use your login data. When you agree you are sent back to the original third party application.

The third party application then receives a unique token which is valid for two weeks. If requested, BBAuth can return a user hash. All method calls to the BBAuth API are signed with a secret value issued by Yahoo!.

The third party application then submits a signed appid and token, and BBAuth responds with a cookie and WSSID in the response body. Then the third party application can talk to the relevant Yahoo! endpoints (e.g. Mail API). The cookie is valid for one hour, and would need to be refreshed after that.
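The token and cookie lifetimes described above, modelled from the third party application's side as an added sketch (not code from the talk or from Yahoo!). The HMAC-SHA256 signature, the `ts` and `sig` parameter names and the 10-minute skew window are assumptions for illustration, not BBAuth's documented wire format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlencode

TOKEN_TTL = 14 * 24 * 3600   # user token: two weeks (from the post)
COOKIE_TTL = 3600            # cookie + WSSID: one hour (from the post)


def sign(secret: bytes, params: dict) -> str:
    """Sign canonically ordered parameters (HMAC-SHA256 is an assumed scheme)."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, params: dict, sig: str, now: float, skew: int = 600) -> bool:
    """Receiver-side check: timestamp window limits replay, compare is constant-time."""
    fresh = abs(now - int(params.get("ts", 0))) <= skew
    return fresh and hmac.compare_digest(sign(secret, params), sig)


@dataclass
class Session:
    appid: str
    secret: bytes          # shared secret issued to the application
    token: str             # returned after the user approves access
    token_issued: float
    cookie: str = ""
    wssid: str = ""
    cookie_issued: float = 0.0

    def state(self, now: float) -> str:
        if now - self.token_issued >= TOKEN_TTL:
            return "reauthorize"   # user must go through the web login again
        if not self.cookie or now - self.cookie_issued >= COOKIE_TTL:
            return "refresh"       # exchange signed appid + token for cookie/WSSID
        return "ready"             # cookie and WSSID can be sent to the endpoint

    def refresh_request(self, now: float) -> dict:
        params = {"appid": self.appid, "token": self.token, "ts": int(now)}
        return {**params, "sig": sign(self.secret, params)}

    def store_credentials(self, cookie: str, wssid: str, now: float) -> None:
        self.cookie, self.wssid, self.cookie_issued = cookie, wssid, now
```

The secret, token and cookie are all bearer credentials here, so an application following this pattern keeps them server-side and checks `state()` before every call instead of waiting for a rejected request.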

Mail API

Ryan Kennedy covers the Yahoo! Mail API. This was launched as a web service at the first Open Hackday in September 2006. March 2007 saw the release of version 1.1, which is the official release. The idea behind the Mail APIs is to treat mail as a platform, not just an application. Yahoo Mail has over a quarter of a billion users, and is the largest property in Yahoo!.

Treating mail as a platform is not a new concept. POP and IMAP interfaces have been available for years, and offer features like folders. Offering mail as a web service allows us to offer things IMAP and POP can't do well, for example the ability to strip JavaScript from HTML emails (as well as stripping out nasty stuff). Web services offer much richer services than IMAP.

The Mail service is tiered, split into two groups: one that's available to all users, and a set of features that's only offered on premium mail accounts. The reason for the separation is cost - Mail is an ad-supported system; we want free users to come into the web system to read and compose mail.

With all mail accounts the following features are available:

Premium mail accounts offer the following extras:

What sort of applications can you build? Social applications (email is still the largest, and oldest, online social network). Separate user interfaces, like a more accessible or customised interface, or an interface for mobile phones. Desktop applications are possible, but the login, using BBAuth, is web based, so it needs a twist to integrate that into a desktop application.

Building headless applications isn't going to be possible because the authentication system is web-based. At a minimum, the user needs to log in every 14 days.

The documentation is available on the Yahoo! Developer Network in the Mail API section. Sample code is available for .NET, Java, PHP, Perl and Python. ActionScript samples are coming soon.

Ryan also points out that there is a gallery of applications using the Mail API, which offers a good place to seek inspiration on using the Mail API.

On the Sunday I was listening to a conversation between Aral Balkan and Ryan Kennedy on the ActionScript sample code; it's using the SOAP interface to call the Mail API. Aral is seriously considering adding the Mail API to his fantastic SWX framework, thus making the Mail API elegantly available on all Flash platforms, from Apollo, to browser plugin and mobile phones running Flash. This can make Yahoo Mail available on mobile phones, which to me is a spectacular feature.
