OAuth implementation at Yandex
Yandex services use tokens to authorize applications. Each token is an alphanumeric string that carries, in encrypted form, the following information:
ID of the account that can be accessed.
ID of the application with access rights.
Set of rights (actions available to the application).
The general rules for using Yandex OAuth tokens are described below.
Applications request tokens the following way:
The application includes the token it received in each request to a Yandex service that supports OAuth.
The received token can be stored in the app and reused for requests until its lifetime expires.
The token lifetime is the period during which the token can be used for authorization. The maximum lifetime depends on the rights selected when registering the application:
- Eternal token
Never expires and can be revoked only by the user.
When you register the app, the lifetime is shown as "infinite".
- Renewable token
Expires after a few months, but is renewed every time you log in with this token.
When you register the app, the minimum lifetime is shown, for example "at least 1 year".
- Restricted token
Expires after the time set for the corresponding access rights.
If several such rights were selected when registering the app, the token gets the shortest of their lifetime limits. Let's say access rights to Yandex.Metrica are issued for 1 year, and the rights to use Yandex.Mail office are issued for 180 days. This means that the access token for both Yandex.Metrica and Yandex.Mail office will be valid for up to 180 days.
Revoking the token
The user can revoke any OAuth tokens issued for their account:
- To revoke tokens issued for an account, the user needs to change the password or log out on all computers.
- To revoke tokens issued for a specific application, the user can deny access to it on the Access control page.
The app itself can revoke its own token if that token was issued for a specific device.
All cases of revocation are listed on the Token revocation page.
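The lifetime rules above (eternal, renewable, restricted, and the "shortest limit wins" rule for several restricted rights) and the three revocation paths (by account, by application, by device) can be modelled in a few dozen lines. The code below is an added example written for this page; it is not Yandex's code and does not talk to any Yandex API. The rights table, scope names, durations and the rule that a token renews only when all of its finite-lifetime rights are renewable are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Right:
    """One access right and the token-lifetime rule attached to it."""
    name: str
    limit: Optional[timedelta]  # None: eternal, the token never expires
    renewable: bool = False     # True: lifetime restarts on every login


# Constructed rights table (hypothetical names and durations, not Yandex's real scopes).
# The 1-year / 180-day pair mirrors the illustration in the text above.
RIGHTS: Dict[str, Right] = {
    "metrica:read": Right("metrica:read", timedelta(days=365)),
    "mail:read": Right("mail:read", timedelta(days=180)),
    "disk:read": Right("disk:read", timedelta(days=365), renewable=True),
    "login:info": Right("login:info", None),
}


def effective_lifetime(rights: List[str]) -> Optional[timedelta]:
    """Shortest limit among the selected rights; None only if every right is eternal."""
    limits = [RIGHTS[r].limit for r in rights if RIGHTS[r].limit is not None]
    return min(limits) if limits else None


@dataclass
class Token:
    account_id: str
    app_id: str
    rights: List[str]
    issued_at: datetime
    device_id: Optional[str] = None  # set when the token was issued for a specific device
    revoked: bool = False

    def renewable(self) -> bool:
        # Assumption for this example: the token renews on login only when every
        # finite-lifetime right it carries is itself a renewable right.
        finite = [RIGHTS[r] for r in self.rights if RIGHTS[r].limit is not None]
        return bool(finite) and all(r.renewable for r in finite)

    def expires_at(self) -> Optional[datetime]:
        lifetime = effective_lifetime(self.rights)
        return None if lifetime is None else self.issued_at + lifetime

    def is_valid(self, now: datetime) -> bool:
        if self.revoked:
            return False
        exp = self.expires_at()
        return exp is None or now < exp

    def login(self, now: datetime) -> bool:
        """A login with a still-valid renewable token restarts its lifetime."""
        if not self.is_valid(now):
            return False
        if self.renewable():
            self.issued_at = now
        return True


class TokenStore:
    """Holds issued tokens and implements the three revocation paths described above."""

    def __init__(self) -> None:
        self.tokens: List[Token] = []

    def issue(self, account_id: str, app_id: str, rights: List[str],
              now: datetime, device_id: Optional[str] = None) -> Token:
        tok = Token(account_id, app_id, list(rights), now, device_id)
        self.tokens.append(tok)
        return tok

    def revoke_account(self, account_id: str) -> int:
        """Password change or 'log out everywhere': every token for the account dies."""
        return self._revoke(lambda t: t.account_id == account_id)

    def revoke_app(self, account_id: str, app_id: str) -> int:
        """User denies the app on the Access control page: only that app's tokens die."""
        return self._revoke(lambda t: t.account_id == account_id and t.app_id == app_id)

    def revoke_device(self, app_id: str, device_id: str) -> int:
        """The app revokes its own token; only possible for device-bound tokens."""
        return self._revoke(lambda t: t.device_id is not None
                            and t.app_id == app_id and t.device_id == device_id)

    def _revoke(self, pred: Callable[[Token], bool]) -> int:
        hit = [t for t in self.tokens if not t.revoked and pred(t)]
        for t in hit:
            t.revoked = True
        return len(hit)  # number of tokens newly revoked


def demo() -> Dict[str, object]:
    """Walk through the page's scenarios on constructed tokens and return the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = TokenStore()
    both = store.issue("acct-1", "app-A", ["metrica:read", "mail:read"], t0)
    eternal = store.issue("acct-1", "app-B", ["login:info"], t0)
    phone = store.issue("acct-1", "app-A", ["disk:read"], t0, device_id="phone-1")
    phone.login(t0 + timedelta(days=100))  # renewable: its 365-day clock restarts here
    return {
        "both_lifetime_days": effective_lifetime(both.rights).days,   # 180, the shorter limit
        "both_valid_day_200": both.is_valid(t0 + timedelta(days=200)),  # False, expired at day 180
        "eternal_valid_day_200": eternal.is_valid(t0 + timedelta(days=200)),
        "phone_valid_day_400": phone.is_valid(t0 + timedelta(days=400)),  # True thanks to renewal
        "device_revoked": store.revoke_device("app-A", "phone-1"),   # 1: only the phone token
        "app_revoked": store.revoke_app("acct-1", "app-A"),          # 1: remaining app-A token
        "account_revoked": store.revoke_account("acct-1"),           # 1: the app-B token
    }


if __name__ == "__main__":
    print(demo())
```

Note that `_revoke` counts tokens by their revoked flag, not by expiry, so an already expired token is still marked revoked; that is the behaviour you want from a password change, since it guarantees nothing issued before the change can be replayed later.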