Reputation: 33
Yammer OAuth Impersonation Token Storage
I have started building a C# asp.net website that will have the ability to post directly into Yammer (we have Yammer Enterprise). I have used the REST api to create a post and have also been able to create in impersonation token to post on behalf of other users. It works fine, but reading the documentation, the tokens seem to have an indefinite lifetime. Forgive me is this is a stupid question, but is there an expectation that as a developer, I should store the token locally (eg in a SQL table) and reuse local version for future API calls? If the API call fails, then I assume I regenerate the token and re-store for future use? Thanks Andy
Upvotes: 3
Views: 626
Answers (1)
Reputation: 14579
Yes, these tokens don't expire until an account is suspended or deleted in Yammer, or the user manually revokes the app. Until that changes you need to be very careful with handling these tokens. Applying encryption, permissions, and other techniques to secure your app is the best way to protect them.
You might also consider storing the time when the token was acquired or last used. Then delete the token after a period if it hasn't been used. That will protect the user.
In your UI make it clear what your app does with Yammer so that users authorizing it are aware of what they are opting into.
Upvotes: 3
Related Questions
- yammer oauth2 returning 403 Client Error: Forbidden
- Yammer Impersonation As A Valid Admin
- Yammer REST API: How to get access tokens for external networks?
- yammer oauth against external network?
- Yammer unauthorized error despite having valid yammer token
- Yammer OAUTH 2.0 Resource Owner Password Credentials Grant
- How to get access tokens of users in external network?
- create users in yammer group without having the user sign and achieve it through impersonation
- How to use yammer's oauth2 from iOS?
- oAuth and Yammer