Some More Advice When Using the Yammer APIs with .NET

I wrote this post a little while back here: https://blogs.technet.com/b/speschka/archive/2013/10/05/using-the-yammer-api-in-a-net-client-application.aspx, and I think I'm going to have to fall on the sword just a bit because I have some code in there that I think has people kind of turned sideways. I wanted to briefly cover the concept of access tokens, and how you should get them.

Now...in the code I posted the first thing I did was programmatically go through the process of obtaining an access token. In short, I simulated what would happen if you had a browser based application; in that case the user would be prompted with an OAuth dialog that says hey, do you want to let this application access Yammer on your behalf. When I first started putting this together I was just learning along the way so threw the code in there just to move past this step and get into "the good stuff". In retrospect, it *may* have been a mistake to include that code. It's interesting how many people have had issues with it, partially because it's a little complicated to wrap your head around the implementation, and partially because Yammer changed the login process after the code had initially been posted.

So with that backdrop, let me say this: if you are getting access tokens for your application, as a general rule you should get them manually and use a service account (preferred), or you should go through the browser and get a proper OAuth acceptance from your user. I know there are use cases where you will want to get this access token programmatically, I would just say that doing so should be a well-understood exception, not the rule. As I tried to point out in the post, there are inherent dangers with both approaches. If you use an access token, it's good forever so if someone gets their hands on it, then you have potential for data leakage (until you can suspend the account it's associated with). If you get the access token programmatically, then you need to have access to the user's username and password. That's even worse in my opinion, because generally that could grant you access to many other things besides just Yammer. Hopefully no one is regularly storing usernames and passwords around anymore anyways, it's just a terrible habit to be in.

So the net here is skip that part of the code unless you have a strong business case to do so. Use a service account (just a Yammer account that you create for your applications) whenever possible. When you need get per user data your first option should be to have the user OK the access and get your access token that way. Hopefully this all makes sense, and sorry for those of you who have labored with the code to work around it. Keep it around - it has a place - but just not in the general case.