Getting client secret for Yahoo OAuth

I want to add support for Yahoo OAuth in my app. There is a Developer website at https://developer.yahoo.com/ which looks way less insane than the Microsoft website. I need a client key and a client secret. But the client secret is so secret that I don’t see it even once. I deleted the app and tried again but no dice.

What am I doing wrong?

There is just a button “create app” and the result is the following:

Did you select the “Confidential” or the “Public” Client for your app? With the confidential client selected for my app I see the secret right below the Client ID.

Arghh… I always call myself “form challenged”. But in which universe does it make sense to use the option “Confidential Client - Choose for traditional web apps” for a desktop app???


I was confused by the description too. It didn’t work with the public profile so I just tried the other one for my mobile app and it worked.

You choose confidential when you have a server that will complete the OAuth flow. The server’s code has the secret, so you are able to keep it confidential. If the client completes the flow - such as a single-page website or an app - you want a public client since there is no way to keep the secret secure. This would include non-web Xojo apps.

Technically, a public client is less secure without the secret, but it’s better to allow potential impersonation than to reveal the secret and get impersonated anyway.

I’m planning to implement this code here: Xojo Plugin Yahoo Mail OAuth2 Access Token for Desktop App

So I haven’t a clue what you mean.

Your client is not confidential, since (unless I’m mistaken) you need to include the secret in your app.

Looking at the Chilkat docs, I can’t tell whether or not it requires the secret. It should be optional, but the docs don’t say. Public / no secret usage is a perfectly valid and spec-compliant option.

Thanks, I’ll try both. I just thought if a secret is in the example I need to use it. For both Google and Microsoft I have ClientID and ClientSecret.

Yeah, as I mentioned, the secret is used when you can secure it such as on a web server where it never gets exposed to the client. When included with an app, that isn’t secured. So the OAuth spec says to just not use it. Yeah you can obfuscate it, but that’s not actual security.

Now, if Chilkat requires the secret, you might pester the author about supporting public clients. But he has a long message in the docs about all this, so he’s already aware. Using a secret won’t make you worse off if that’s the route you have to go. It’s just kind of pointless. Kind of like using two ids.

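The distinction drawn in the replies above (a confidential client authenticates with a secret that only a server holds; a public client such as a desktop or mobile app sends no secret at all) is easiest to see in the token request itself. The following is an added illustration written for this thread in Python, not code from the thread, from Xojo, from Chilkat or from Yahoo. It builds the authorization-code token exchange of RFC 6749 §4.1.3 for both client types and adds the PKCE code verifier/challenge of RFC 7636, which RFC 8252 recommends for native apps precisely because they cannot keep a secret. The client IDs, codes and redirect URI are constructed placeholders; the endpoint URL of the real provider is not assumed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 (S256 method).

    The verifier stays in the app; only the challenge goes out with the
    authorization request, so a stolen authorization code is useless
    without the verifier even though the public client has no secret.
    """
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_code_challenge(code_verifier, code_challenge):
    """Server-side check: does the verifier presented at the token endpoint
    hash to the challenge sent with the authorization request?"""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, code_challenge)


def build_token_request(client_type, client_id, code, redirect_uri,
                        client_secret=None, code_verifier=None):
    """Return (headers, form_body) for the token endpoint.

    confidential: client authenticates with HTTP Basic (id:secret), the
                  method RFC 6749 §2.3.1 says servers MUST support.
    public:       no secret is ever sent; the PKCE verifier (if used)
                  binds the token request to the authorization request.
    """
    if client_type not in ("confidential", "public"):
        raise ValueError("client_type must be 'confidential' or 'public'")

    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if client_type == "confidential":
        if not client_secret:
            raise ValueError("confidential client needs a secret held server-side")
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        # A secret compiled into a desktop/mobile binary is not a secret;
        # refuse the configuration rather than obfuscate it.
        if client_secret is not None:
            raise ValueError("public client (desktop/mobile app) must not ship a secret")
        if code_verifier is not None:
            params["code_verifier"] = code_verifier

    return headers, urlencode(params)


if __name__ == "__main__":
    # Constructed sample values, not real Yahoo credentials.
    verifier, challenge = make_pkce_pair()
    print("PKCE ok:", verify_code_challenge(verifier, challenge))
    print(build_token_request("public", "example-desktop-client-id", "AUTHCODE123",
                              "http://127.0.0.1:8080/callback", code_verifier=verifier))
    print(build_token_request("confidential", "example-web-client-id", "AUTHCODE123",
                              "https://example.invalid/callback", client_secret="example-secret"))
```

The public-client request carries only the client ID and the PKCE verifier, which is exactly the shape the thread describes as "public / no secret"; the confidential variant proves possession of the secret in the Authorization header and is only appropriate where that secret lives on a server the user never sees.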

Thanks for the explanation!