OAuth implementation at Yandex
Yandex services use tokens to authorize apps via the OAuth 2.0 protocol. Each token is an alphanumeric string with the following information encrypted in it:
- ID of the account that was allowed to be accessed.
- ID of the app that was granted access.
- Set of permissions (actions that the app can perform).
Below are general guidelines for using Yandex OAuth tokens.
Authorization process
The following diagram illustrates how apps request tokens:
- The app directs the user to the OAuth server. On the page that opens, the user can grant the app access to specific data from their account. The app can ask for permissions that were set when registering the app:
  - All the permissions specified at the time of app registration. In this case, the user can only grant or deny all requested permissions at once.
  - Only the permissions that are currently required from the list added at the time of app registration. In this case too, the user can only grant or deny all requested permissions at once.
  - Permissions that are currently required from the list added at the time of app registration and optional permissions from the same list. An example of an optional permission is access to the user avatar. In this case, the user can grant all the required permissions at once and select which of the optional permissions to grant.
- The user allows access to their data and is redirected by the OAuth server to the address that the developer set: the Redirect URI. The redirect URL includes the issued token or the code for obtaining it. If an error occurred, the URL includes the error message.
- The app includes the obtained token in the request to a Yandex service that supports OAuth. You can save the token in the app and use it for requests until it expires.
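The client side of the steps above, as an added example that is not code from Yandex's documentation: it builds the authorization request with a one-time state value, refuses to ask for permissions that were not registered for the app, and checks the redirect (target address, state, and whether it carries a token, a code or an error) before trusting anything in it. Parameter names are the standard OAuth 2.0 ones from RFC 6749, and the endpoint URL and sample values are placeholders, since the page does not name them.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint; the page does not give the real authorization URL.
AUTH_ENDPOINT = "https://oauth.example/authorize"


class OAuthClient:
    """Builds the authorization request and validates the redirect back."""

    def __init__(self, client_id, redirect_uri, registered_scopes):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # Only permissions chosen when the app was registered may be requested.
        self.registered_scopes = frozenset(registered_scopes)
        self.pending_states = set()

    def authorization_url(self, scopes, response_type="token"):
        unknown = set(scopes) - self.registered_scopes
        if unknown:
            raise ValueError(f"scopes not registered for this app: {sorted(unknown)}")
        state = secrets.token_urlsafe(16)  # binds the redirect to this request
        self.pending_states.add(state)
        params = {"response_type": response_type, "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state,
                  "scope": " ".join(sorted(scopes))}
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def parse_redirect(self, url):
        """Return ('token', value), ('code', value) or ('error', message)."""
        parts, expected = urlparse(url), urlparse(self.redirect_uri)
        # The token must only ever arrive at the registered Redirect URI.
        if (parts.scheme, parts.netloc, parts.path) != (
                expected.scheme, expected.netloc, expected.path):
            raise ValueError("redirect target does not match the registered Redirect URI")
        # A token arrives in the fragment; a code or an error in the query string.
        data = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
        data.update({k: v[0] for k, v in parse_qs(parts.query).items()})
        state = data.get("state")
        if state not in self.pending_states:
            raise ValueError("unknown or reused state: redirect was not requested by us")
        self.pending_states.discard(state)  # each state is accepted once
        if "error" in data:
            return ("error", data.get("error_description", data["error"]))
        if "access_token" in data:
            return ("token", data["access_token"])
        if "code" in data:
            return ("code", data["code"])
        raise ValueError("redirect carries neither a token, a code nor an error")
```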
Token lifetime
The token lifetime is the period during which you can use the token for authorization. The maximum lifetime depends on the permissions selected when registering the app:
- Renewable token: Expires after a few months but is renewed every time you perform authorization with this token. When registering the app, the minimum lifetime is displayed, such as "at least 1 year".
- Restricted token: Expires after the time set for the relevant permissions. If several permissions were selected when registering the app, the token is set to the lowest lifetime limit.
Revoking the token
The user can revoke any OAuth tokens issued for their account:
- To revoke all the tokens ever issued for their account, the user can change the password or log out on all devices.
- To revoke the tokens issued for a specific app, the user can deny access for it on the Data access rights page.
An app can revoke its own token if it was issued for a specific device.
All situations where tokens get revoked are listed in Revoke tokens.
User interface
The page where the user can grant access to the app (the first step of authorization) displays the app name and the list of requested permissions.
When the user confirms they want to log in, the OAuth server redirects them to the address specified as the Redirect URI.