Using Impersonation with the Yammer APIs

One of the things that isn't particularly well known about the Yammer APIs is that its OAuth infrastructure does support a form of impersonation (at least that's how I describe it). This can be extraordinarily useful when you need to access data on behalf of another user and do so within the constraints of the content they have rights to see, as well as to create content as if it was posted by them. You'll find a small amount of documentation about this on the Yammer developer site at https://developer.yammer.com/authentication near the bottom of the page. In short, what you need in order to do this is a verified admin account, and then that account can get an access token on behalf of another user; all you need to know is that user's Yammer ID.

I covered the details on getting an access token for an account in one of my initial posts on Yammer here: https://blogs.technet.com/b/speschka/archive/2013/10/05/using-the-yammer-api-in-a-net-client-application.aspx. This particular post also resulted in some problems for folks trying to obtain access tokens by programmatically going through the OAuth app trust process that a user would click through in a browser. I further posted about some of the ramifications for doing this and suggested the preferred way of dealing with access tokens here: https://blogs.technet.com/b/speschka/archive/2014/02/06/some-more-advice-when-using-the-yammer-apis-with-net.aspx. This post sort of ties the concepts in the previous two together in that a) it relies upon using a single service account to work with data in Yammer and b) it uses one of the built-in Yammer features to obtain an impersonation access token. So let's take a look at this in a little more detail.

As I mentioned above, you'll want to start by using a service account, and that service account needs to be a verified admin in your Yammer network. Once you have created and configured the account, I recommend using the methods I described in my previous posts to manually obtain an access token for it. Once you have that, the rest of the process is relatively straightforward. Let's suppose for the sake of illustration that you want to add a user to a Yammer group (not something we recommend doing by the way - we actually discourage it, but it's a simple API so is good for demonstration purposes). Assume the user has an ID of 150493 and we want to add him to a Yammer group with an ID of 123456. At a high level we're going to do this:

1) Make a request to the tokens REST endpoint and pass to it the ID of the user you want to get an access token for, the client ID of your application, and the access token of your verified admin.

2) Take the JSON you get back and extract from it the access token for the user.

3) Make a POST request to the JSON endpoint to add the user to a group; send along the access token for the user that is being added.

See, not too bad. Here's what the code actually looks like; I'll add a couple of comments below.

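// Step 1: as the verified admin, request an access token for user 150493.
string tokenInfo = MakeGetRequest("https://www.yammer.com/api/v1/oauth/tokens.json?user_id=150493&consumer_key=" + YOUR_CLIENT_ID, yourVerifiedAdminAccessToken);

// Step 2: deserialize the JSON response into YammerToken objects.
List<YammerToken> tokens = JsonConvert.DeserializeObject<List<YammerToken>>(tokenInfo);

if (tokens != null && tokens.Count > 0)
{
     // Step 3: add the user to group 123456, sending the user's own access token.
     //success returns an empty string
     string addToGroupResponse = MakePostRequest("", "https://www.yammer.com/api/v1/group_memberships.json?group_id=123456", tokens[0].AccessToken);
}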

Now a couple of things for discussion. First, this code uses the techniques that I describe in my original Yammer .NET post here: https://blogs.technet.com/b/speschka/archive/2013/10/05/using-the-yammer-api-in-a-net-client-application.aspx. For example - how do you get the user ID for a person? Well I describe some options in that first post; in this case I have a very small network so I had made a call to get all of the users in my network and then I found the one I wanted to use. When you look at that post you'll see that I serialize the data for users into an object that includes the ID so in my actual code I can just use something like YammerUser.UserID.

The next thing worth noting is that I'm again using the simplified methods I described in that post to work with the REST endpoints: MakeGetRequest and MakePostRequest. If you want more information on those then check out that first posting. Finally, I used the same methodology I described in that original post to serialize the JSON data that I got from requesting the access token for the user into a .NET object. That's where the List<YammerToken> call came from. This is a new call that I added serialization support for in this post so I've attached the class I used for serialization to this posting.
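A self-contained variant of the three steps, added here as an example and not taken from the post or its attachment. It assumes the tokens.json response is an array whose entries carry `user_id` and `token` fields and that requests are authorized with a Bearer header; the class and method names are hypothetical. Instead of taking the first element, it returns a token only when an entry matches the requested user ID.

```csharp
// Added example, not the post's code. The "user_id" and "token" field names
// and the Bearer header are assumptions about the API's request/response shape.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using Newtonsoft.Json.Linq;

static class ImpersonationExample
{
    const string ApiRoot = "https://www.yammer.com/api/v1/";

    // Step 1: URL for the tokens endpoint. The client ID is escaped so it
    // cannot smuggle extra query parameters into the request.
    public static string BuildTokenUrl(long userId, string clientId) =>
        ApiRoot + "oauth/tokens.json?user_id=" + userId +
        "&consumer_key=" + Uri.EscapeDataString(clientId);

    // Step 2: return the token issued for userId, or null when the response
    // has no entry for that user (rather than trusting element 0).
    public static string SelectToken(string json, long userId)
    {
        if (string.IsNullOrWhiteSpace(json)) return null;
        JObject match = JArray.Parse(json).OfType<JObject>()
            .FirstOrDefault(o => (long?)o["user_id"] == userId);
        return (string)match?["token"];
    }

    // Step 3: POST that adds the token's owner to the group.
    public static HttpRequestMessage BuildJoinRequest(long groupId, string userToken)
    {
        var req = new HttpRequestMessage(HttpMethod.Post,
            ApiRoot + "group_memberships.json?group_id=" + groupId);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", userToken);
        return req;
    }

    static void Main()
    {
        // Constructed sample response, not captured from Yammer.
        string sample = "[{\"user_id\":999,\"token\":\"tok-other\"}," +
                        "{\"user_id\":150493,\"token\":\"tok-150493\"}]";
        string token = SelectToken(sample, 150493);
        if (token == null) throw new InvalidOperationException("no token for user");
        HttpRequestMessage req = BuildJoinRequest(123456, token);
        Console.WriteLine(req.Method + " " + req.RequestUri);
        // Send with HttpClient.SendAsync(req); keep the token out of logs.
    }
}
```

It needs the Newtonsoft.Json package, the same library behind the JsonConvert call in the code above.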

So, as you see, once you have the background and the code from the first Yammer .NET posting I did, the actual process for doing this kind of impersonation with the Yammer REST endpoints is pretty straightforward and easy. From searching to retrieving content, having the ability to impersonate another user can be quite valuable when building your Yammer applications.

 

 

YammerImpersonate.txt