Yahoo OAuth2 Implicit Grant flow not working for new yahoo app

落爺英雄遲暮 submitted on 2020-08-24 07:40:06


I have an existing web app and a dedicated Yahoo App working. It uses the OAuth2 Implicit Grant Flow.

Now I want to set up another domain working on the same principle. I have created a new Yahoo App with a new callback domain.

The URL used to get user consent (in both cases) is

It is working for the old domain and old Yahoo App (the Consumer Key ends in --), but it doesn't want to work with the new domain and new Yahoo App (the Consumer Key does NOT end in -- for some reason).

I get this message after visiting the user consent link:

Developers: Please choose response types from code, token or id_token and submit again.

although I provided a valid response_token. Do you know the reason why it's not working for the new domain and new Yahoo App?


/* consumerKey and redirectUri are defined elsewhere in the asker's code; the base authorization endpoint was omitted in the post */
var authorizationUrl = ''
            + '?client_id=' + encodeURIComponent(consumerKey)
            + '&redirect_uri=' + encodeURIComponent(redirectUri)
            + '&response_type=token';
window.open(authorizationUrl, '_blank', 'location=yes,height=570,width=650,scrollbars=yes,status=yes');


Looks like the API is asking for the literal word "id_token" (or "code" or "token") as the response_type parameter. You didn't post your code, but it sounds like you're actually putting in a response_token id value for that parameter.

Looking at the Yahoo API documentation, here is a sample URL which is similar to yours:

You can see they wrote: &response_type=id_token, rather than &response_type=934984kklsdkjklfs or similar.

In general, OAuth API calls usually send back an access token or response token which is valid for your API session and eventually expires. This parameter is describing what type of token you want the API to return.

I can't talk to what might have changed between the 2 versions of your app, but I recommend that you check out the versioning and What's New section of Yahoo's API documentation.


You can provide 2 different values to the response_type parameter.

In the case of response_type=token, after redirection the access token should be appended to your redirect URL, like so:


However, this is deemed less secure than going the other way, since in this one you'd have the access token exposed. (As an example, browser plugins might have access to the URL, which they could then take advantage of.)

In the case of response_type=code, a code should be appended to your redirect URL, like so:


You would then retrieve that code on your server side and send it to the OAuth2 provider (Yahoo in this case) with your client_id and client_secret, in exchange for an access_token. This is more secure, since only your server side now has access to the access_token and not any other mechanism. Conventionally it would be a POST request to some Yahoo endpoint like this:
  var tokenRequest = {
     url: 'someyahoourl', /* probably something like */
     method: 'POST',
     data: {
        client_secret: yourclientsecret,
        client_id: yourclientid, /* Judging by the url it's dj0yJmk9WGx0QlE0UWdCa0hKJmQ9WVdrOWNrNUhXVnBhTkhFbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD01OA-- */
        code: thecodefromurl,
        grant_type: 'authorization_code',
        redirect_uri: theRedirectUri /* the redirect uri that you've retrieved the code from */
     }
  };

And then your server would get the access_token in response to this request.
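The two answers above come down to three pieces of client/server logic: send one of the literal response_type values the provider accepts, read the token from the fragment (implicit grant) or the code from the query string (code grant) on the redirect, and do the code exchange only on the server. The following is an added example illustrating those pieces, not code from the question or either answer; the endpoint hosts, client ids and token values are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example (not from the original post): consent URL with a validated
// response_type, redirect parsing for both grant shapes, and the server-side
// token-exchange body. Hosts, ids and tokens below are constructed placeholders.

// The literal values the error message in the question lists as acceptable.
const ALLOWED_RESPONSE_TYPES = new Set(['code', 'token', 'id_token']);

// Build the user-consent URL. Throws when response_type is not one of the
// literal values, which is the mistake behind "Please choose response types
// from code, token or id_token".
function buildAuthorizationUrl(authEndpoint, clientId, redirectUri, responseType) {
  if (!ALLOWED_RESPONSE_TYPES.has(responseType)) {
    throw new Error('response_type must be one of code, token or id_token, got: ' + responseType);
  }
  const url = new URL(authEndpoint);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', responseType);
  return url.toString();
}

// Parse the URL the provider redirects the browser back to.
// Implicit grant (response_type=token): access_token rides in the fragment (#access_token=...),
// so anything that can read the URL (e.g. a browser extension) can read the token.
// Code grant (response_type=code): a one-time code rides in the query string (?code=...).
function parseRedirect(redirectedUrl) {
  const url = new URL(redirectedUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (fragment.has('access_token')) {
    return { flow: 'implicit', accessToken: fragment.get('access_token'), expiresIn: fragment.get('expires_in') };
  }
  if (query.has('code')) {
    return { flow: 'code', code: query.get('code') };
  }
  if (query.has('error')) {
    return { flow: 'error', error: query.get('error') };
  }
  throw new Error('redirect carried neither an access_token fragment nor a code parameter');
}

// Server side only: form body for exchanging the code for an access token.
// client_secret never reaches the browser, which is why the code grant is the
// safer of the two choices the second answer describes.
function buildTokenExchangeBody(clientId, clientSecret, code, redirectUri) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    code: code,
    grant_type: 'authorization_code',
    redirect_uri: redirectUri,
  }).toString();
}

// Walk both flows on constructed redirect URLs.
const consent = buildAuthorizationUrl('https://auth.example.test/request_auth',
  'my-client', 'https://app.example.test/cb', 'code');
const implicit = parseRedirect('https://app.example.test/cb#access_token=tok123&token_type=bearer&expires_in=3600');
const codeFlow = parseRedirect('https://app.example.test/cb?code=abc');
const body = buildTokenExchangeBody('my-client', 'my-secret', codeFlow.code, 'https://app.example.test/cb');
console.log(consent, implicit, codeFlow, body);
```

Sending the exchange body is an HTTP POST with Content-Type application/x-www-form-urlencoded from the server; the browser only ever sees the code.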