Yahoo! Developer Network Blog
May 19, 2009
OAuth Update #3, Revision A
All Yahoo! services using OAuth are now upgraded to the new OAuth 1.0a version of the protocol, resolving the session fixation security issue. The upgraded services include all Y!OS APIs (Contacts, Updates, Status, and Social Directory) and Fire Eagle.

Users authorizing applications using OAuth 1.0a will not see the security interstitial screen that is displayed for apps that are still using the older 1.0 version of the protocol. For a short transitional period, we will continue to display the security interstitial screen for applications using OAuth 1.0; however, we will soon require all applications to use 1.0a.

Developers using Y!OS services should check out our updated OAuth documentation to see what’s changed in 1.0a, or you can just download and install the latest version of the Y!OS SDK to automatically upgrade your app to OAuth 1.0a, without any code changes.

Open standards like OAuth benefit from having security professionals throughout the industry review and participate in the design of the protocol, as opposed to proprietary protocols, which have only a very small number of expert reviewers. Yahoo! is committed to open standards. We value all the hours of effort the OAuth community put into revising the protocol after the session fixation security issue was discovered.

Keep on hacking!

Allen Tom
Architect, Yahoo! Membership
Posted at May 19, 2009 11:42 AM

