Freigeben über


Some More Advice When Using the Yammer APIs with .NET

I wrote this post a little while back here: https://blogs.technet.com/b/speschka/archive/2013/10/05/using-the-yammer-api-in-a-net-client-application.aspx, and I think I'm going to have to fall on the sword just a bit because I have some code in there that I think has people kind of turned sideways. I wanted to briefly cover the concept of access tokens, and how you should get them.

Now...in the code I posted the first thing I did was programmatically go through the process of obtaining an access token. In short, I simulated what would happen if you had a browser based application; in that case the user would be prompted with an OAuth dialog that says hey, do you want to let this application access Yammer on your behalf. When I first started putting this together I was just learning along the way so threw the code in there just to move past this step and get into "the good stuff". In retrospect, it *may* have been a mistake to include that code. It's interesting how many people have had issues with it, partially because it's a little complicated to wrap your head around the implementation, and partially because Yammer changed the login process after the code had initially been posted.

So with that backdrop, let me say this: if you are getting access tokens for your application, as a general rule you should get them manually and use a service account (preferred), or you should go through the browser and get a proper OAuth acceptance from your user. I know there are use cases where you will want to get this access token programmatically, I would just say that doing so should be a well-understood exception, not the rule. As I tried to point out in the post, there are inherent dangers with both approaches. If you use an access token, it's good forever so if someone gets their hands on it, then you have potential for data leakage (until you can suspend the account it's associated with). If you get the access token programmatically, then you need to have access to the user's username and password. That's even worse in my opinion, because generally that could grant you access to many other things besides just Yammer. Hopefully no one is regularly storing usernames and passwords around anymore anyways, it's just a terrible habit to be in.

So the net here is skip that part of the code unless you have a strong business case to do so. Use a service account (just a Yammer account that you create for your applications) whenever possible. When you need get per user data your first option should be to have the user OK the access and get your access token that way. Hopefully this all makes sense, and sorry for those of you who have labored with the code to work around it. Keep it around - it has a place - but just not in the general case.

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    January 01, 2003
    thanks
  • Anonymous
    February 18, 2014
    One of the things that isn't particularly well known about the Yammer APIs is that its OAuth infrastructure
  • Anonymous
    September 18, 2014
    The comment has been removed
  • Anonymous
    January 08, 2015
    m88 : http://m88en.com
    M88.com offer online sports games Asia, Sports Betting Asia, Sports Betting Sites Asia.
    m88asia : http://m88en.net
    Link to M88BET phone: m88en.com. – Register and Open Betting Account and Membership M88BET.
    m88bet : http://www.linkm88vip.com
    MANSION88 the house is one of the largest and most prestigious. Appeared quite early in the Asian market, the so-MANSION88 currently attracts more players.
    link m88 : http://m88wiki.com
    Home the M88 is the official sponsor of the football club in the Premier League
    Wish you happy with the new M88
    m88 casino online : http://m88free.com

    Modern Thai restaurant combines outstanding traditional cuisine and a subtle modern decor with a warm welcoming ambience. Thai Restaurants in Brisbane :http://www.watersidethainoodles.com.au , traveller reviews of Brisbane Thai restaurants and search by price, location, and more..