Brennan’s Blog

I have been working with BBAuth in an attempt to integrate various Yahoo services with my own ASP.NET 2.0 websites. Initially it appears that only Yahoo Photos, which has a new interface, is set up to work with BBAuth so far. It does not work with Flickr, Yahoo Groups, or other services. I hope and expect more services to be integrated with BBAuth very shortly.

So far I have found BBAuth to be a very unnatural system for development. The authentication system works using a key which is bound to a hostname. This makes it nearly impossible to develop an integration locally with Visual Studio. I suppose if I was adjusting PHP scripts on the server it would not be such a big deal, but I have no intention of installing Visual Studio on my server. Instead I complete my changes, run an MSBuild script to compile and package the website, upload it to the server, deploy the changes and then test them. All in all it takes me several seconds to go from build to deployment so it has not been impossible, but it is not nearly as natural as developing a typical ASP.NET website. After a few hours this routine becomes quite undesireable.

At one point I attempted to take the authentication token provided to the public hostname and drop it into a locally running website. With Visual Studio, such a website would be running from and address such as http://localhost:54461/Website/ which clearly does not match the public hostname. Once I tried it I got a server error. And for the rest of the evening I got a server error locally and from my public server. Perhaps I tripped a security mechanism which locked out my account for the next several hours. I have no idea. It has discouraged me from trying that again for a while.

I am also trying to follow the code samples closely but I have run into a major problem. When Yahoo redirects back to your public server it provides a query string including a token. According to the sample code I should be able to validate the query string with a signature value to verify that it did come from Yahoo without modification. That is not working. But if I ignore that the signature is not valid, I can still use the token to access Yahoo Photos on the behalf of the user. I have submitted a question to the discussion group about my problem an look forward to the problem being resolved.

At this point I am accessing services and pulling back data as DataSets. I still largely code blind, but if I know the structure of the DataSets it makes it a lot easier to develop controls which display the data.

To view all of the DataSets for all of the services I created a User Control which has a single Panel named Panel1. It then uses the code below to bind each DataTable in the DataSet to a separate GridView instance which autogenerates the columns. I then make use of a property, YahooServiceUrl, which has attributes telling it how it should appear in the Properties window when the User Control is included in a page. I drop the User Control onto a page for each service and set the service Url. By coding against the output on these screens I should have a set of controls shortly.

try
{
	DataSet dsServices;
	dsServices = auth.GetAuthenticatedServiceDataSet(new Uri(YahooServiceUrl));

	foreach (DataTable dt in dsServices.Tables)
	{
		Label label = new Label();
		label.Text = dt.TableName;
		GridView gv = new GridView();
		gv.ID = dt.TableName + "GridView";
		gv.DataSource = dt;
		gv.DataBind();
		Panel1.Controls.Add(label);
		Panel1.Controls.Add(gv);
	}

}
catch (Exception ex)
{
	//TODO log error for YahooServiceUrl
}

private String _serviceUrl;

[Category("Behavior"),Browsable(true),DefaultValue("")]
public String YahooServiceUrl
{
	get
	{
		return _serviceUrl;
	}
	set
	{
		Label1.Text = value;
		_serviceUrl = value;
	}
}

[UPDATE]

A quick fix now allows the Url to validate. It seems that Default.aspx is inserted into the Url as a result of the redirect through IIS. The signature was created before that addition so it obviously cannot be valid. The following code allows the validation to work. I got some great help from the discussion group.

string signedUrl = applicationEntryPoint + context.Request.Url.Query;

if (auth.IsValidSignedUrl(new Uri(signedUrl), sharedSecret))
{
	Logger.Info("Successful Login!");
}