Without OAuth, applications would have to ask for the user's email address and password. These credentials would get stored on various devices, and the only way for the user to revoke access would be to change their password. With OAuth, the user knows the only place they should ever enter their Yammer email address and password is in a browser they trust. No passwords are stored on devices. If the user wants to revoke access for a certain client, they can do it from the yammer.com site without affecting other clients.
The following steps walk through how to use OAuth with the Yammer API.
After filling out this form you will receive a key and secret. If you misplace these values you can see them again.
Note: your key and secret will only work for your Yammer network.
If you want your application's key and secret to work across ALL Yammer networks, you must request this.
For this example my key is:
AMbmZSOP3wHm1cjfvSsRg
And my secret is:
yLDH5eLS4uUVa3vVbNxvDX9B8aFgnwRSFla3jph9y90
Normally you would not reveal these values to the public, but these values and this test app are just for testing.
Choose a programming language and an OAuth library.
You can use Java, PHP, Objective-C, Ruby, Python, Perl, etc. Any language that can make HTTP connections should work, and if there is no OAuth library available, you can write your own. In this example we write all the OAuth logic ourselves, but it's very simple. By using the PLAINTEXT signature method we eliminate a big part of the complexity and show you how to debug your program. You can also use an OAuth library to handle the signature methods, PLAINTEXT or HMAC-SHA1. If you are having problems, try writing your own OAuth logic with PLAINTEXT as a starting point to find the problem. There is nothing wrong with using PLAINTEXT for real, since Yammer uses HTTPS.
CONSUMER_KEY = 'AMbmZSOP3wHm1cjfvSsRg'
CONSUMER_SECRET = 'yLDH5eLS4uUVa3vVbNxvDX9B8aFgnwRSFla3jph9y90'
Different languages will have different ways of making constants. The above example is pseudo-code, as is the rest of the code in these steps.
Make an HTTP POST with a special oauth header to get a request token:
http.setURL('https://www.yammer.com/oauth/request_token')
http.setHeaderField('Authorization', oauth_headers(null,null,null))
http.setMethod(POST)
The method oauth_headers takes a token, a token secret, and a verifier. For the first request we pass in null, null, null since we don't have any of these values yet.
String oauth_headers(String token, String token_secret, String verifier) {
    StringBuilder buff = new StringBuilder();
    // OAuth timestamps are seconds since the epoch; this example reuses the value as the nonce.
    String currentTime = String.valueOf(System.currentTimeMillis() / 1000);
    buff.append("OAuth realm=\"");
    buff.append("\", oauth_consumer_key=\"");
    buff.append(CONSUMER_KEY);
    buff.append("\", ");
    // The request_token call has no token yet, so this parameter is omitted there.
    if (token != null) {
        buff.append("oauth_token=\"");
        buff.append(token);
        buff.append("\", ");
    }
    buff.append("oauth_signature_method=\"");
    buff.append("PLAINTEXT");
    buff.append("\", oauth_signature=\"");
    // PLAINTEXT signature: consumer secret, '&' (percent-encoded as %26), then the token secret if any.
    buff.append(CONSUMER_SECRET);
    buff.append("%26");
    if (token_secret != null) {
        buff.append(token_secret);
    }
    buff.append("\", oauth_timestamp=\"");
    buff.append(currentTime);
    buff.append("\", oauth_nonce=\"");
    buff.append(currentTime);
    // Only the access_token call carries the verifier the user got from the browser.
    if (verifier != null) {
        buff.append("\", ");
        buff.append("oauth_verifier=\"");
        buff.append(verifier);
    }
    buff.append("\", oauth_version=\"1.0\"");
    return buff.toString();
}
The data sent over the wire should be very similar to:
POST /oauth/request_token HTTP/1.1
User-Agent: Some Yammer Client
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_consumer_key="AMbmZSOP3wHm1cjfvSsRg", oauth_signature_method="PLAINTEXT", oauth_signature="yLDH5eLS4uUVa3vVbNxvDX9B8aFgnwRSFla3jph9y90%26", oauth_timestamp="1229537444", oauth_nonce="1229537444", oauth_version="1.0"
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
You can use Wireshark, Fiddler or Charles Proxy to see this data, either by changing https://www.yammer.com/oauth/request_token to http://127.0.0.1/oauth/request_token and running a local web server, or by intercepting the requests to Yammer.
The data that comes back is just text like so:
oauth_token=Fnxef0Gju2zIDQLnh33UKg&oauth_token_secret=qbwGdSFbnOtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g&oauth_callback_confirmed=true
If you get an error message instead of values for oauth_token and oauth_token_secret, go back and review the steps above. If you do get values, save them to disk; you'll need them for the next step.
Send the user to a browser with the request token so he or she can authorize the request.
browser.openToURL('https://www.yammer.com/oauth/authorize?oauth_token=Fnxef0Gju2zIDQLnh33UKg')
Notice the oauth_token Fnxef0Gju2zIDQLnh33UKg is the same value we got from step 4.
After the user clicks "authorize" in the browser, he or she gets a four-digit code and you should be back in your app. You'll know this is not the first time the user has entered the app because there is a request token on disk. Time to turn this request token into an access token.
http.setURL('https://www.yammer.com/oauth/access_token')
http.setHeaderField('Authorization', oauth_headers('Fnxef0Gju2zIDQLnh33UKg','qbwGdSFbnOtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g', '1234'))
http.setMethod(POST)
This time we pass in values for token, token_secret and verifier to oauth_headers. The 1234 is the four-digit code the user got after clicking authorize. The data sent over the wire should be very similar to:
POST /oauth/access_token?callback_token=1234 HTTP/1.1
User-Agent: Some Yammer Client
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_consumer_key="AMbmZSOP3wHm1cjfvSsRg", oauth_token="Fnxef0Gju2zIDQLnh33UKg", oauth_signature_method="PLAINTEXT", oauth_signature="yLDH5eLS4uUVa3vVbNxvDX9B8aFgnwRSFla3jph9y90%26qbwGdSFbnOtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g", oauth_timestamp="1229537445", oauth_nonce="1229537445", oauth_verifier="1234", oauth_version="1.0"
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
The data that comes back is just text like so:
oauth_token=BDzef0Gju2zIDQLnh33UKg&oauth_token_secret=aewBdSXbnPtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g
Delete the request token from disk and save this access token to disk. You'll use this access token from now on for each request.
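The two token exchanges above, as an added Python example that is not part of this walkthrough: it builds the PLAINTEXT Authorization header in the same parameter order as the pseudocode and reproduces the captured headers byte for byte when given the same timestamp and nonce, and it parses the form-encoded reply, refusing to return credentials when Yammer sends an error message instead of a token pair. The consumer key and secret are the test values from this page; the random-nonce default is this example's choice, not the walkthrough's.

```python
import secrets
import time
from urllib.parse import parse_qs, quote

# Test credentials quoted from the walkthrough above; a real app keeps these out of source.
CONSUMER_KEY = "AMbmZSOP3wHm1cjfvSsRg"
CONSUMER_SECRET = "yLDH5eLS4uUVa3vVbNxvDX9B8aFgnwRSFla3jph9y90"


def pct(value):
    # OAuth 1.0 uses RFC 3986 encoding: everything but unreserved characters is escaped.
    return quote(str(value), safe="")


def oauth_headers(token=None, token_secret=None, verifier=None, timestamp=None, nonce=None):
    """Authorization header value for the PLAINTEXT method, same parameter order as above.
    The PLAINTEXT signature is "<consumer secret>&<token secret>"; header values are
    percent-encoded, so the '&' shows up on the wire as %26, as in the captured requests."""
    timestamp = str(int(time.time())) if timestamp is None else str(timestamp)
    # The walkthrough reuses the timestamp as nonce; a random nonce is the safer default
    # because the server relies on it to reject replayed requests.
    nonce = secrets.token_hex(8) if nonce is None else str(nonce)
    signature = f"{pct(CONSUMER_SECRET)}&{pct(token_secret or '')}"

    params = [("realm", ""), ("oauth_consumer_key", CONSUMER_KEY)]
    if token is not None:
        params.append(("oauth_token", token))
    params += [("oauth_signature_method", "PLAINTEXT"), ("oauth_signature", signature),
               ("oauth_timestamp", timestamp), ("oauth_nonce", nonce)]
    if verifier is not None:
        params.append(("oauth_verifier", verifier))
    params.append(("oauth_version", "1.0"))
    # realm is the one parameter OAuth does not percent-encode (it is empty here anyway).
    return "OAuth " + ", ".join(f'{k}="{v if k == "realm" else pct(v)}"' for k, v in params)


def parse_token_response(body):
    """Split the form-encoded request_token / access_token reply into (token, secret).
    Raises ValueError when the body is an error message rather than a token pair, so
    the caller never saves garbage to disk as credentials."""
    try:
        fields = parse_qs(body, strict_parsing=True)
    except ValueError as exc:
        raise ValueError(f"not a token response: {body!r}") from exc
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        raise ValueError(f"not a token response: {body!r}")
    return fields["oauth_token"][0], fields["oauth_token_secret"][0]
```

Pass the returned access token and secret to oauth_headers for every API call from then on, with verifier left as None.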
With a valid access token, make some simple GET API requests.
http.setURL('https://www.yammer.com/api/v1/messages')
http.setHeaderField('Authorization', oauth_headers('BDzef0Gju2zIDQLnh33UKg','aewBdSXbnPtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g', null))
http.setMethod(GET)
This will return a list of current messages.
Post a new message:
http.setURL('https://www.yammer.com/api/v1/messages')
http.setHeaderField('Authorization', oauth_headers('BDzef0Gju2zIDQLnh33UKg','aewBdSXbnPtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g', null))
http.addParameter('body', 'test message')
http.setMethod(POST)
When using the PLAINTEXT signature method, the parameters you add to a POST do not affect the signature. This is not true when using HMAC-SHA1. PLAINTEXT is much easier to debug, and since Yammer uses HTTPS, it's safe to use PLAINTEXT: the secrets travel inside the Authorization header and are protected only by TLS, so make sure your HTTP library verifies the server certificate rather than ignoring certificate errors.
Hopefully the above steps will work for you in your programming language. For more help, try the Yammer Forum; below is a complete example in Ruby.