How can Yahoo Mail be accessed by IMAP using OAuth or OAuth2 authentication

Question

According to developer.yahoo.com/mail/ and IMAP responses:

* OK [CAPABILITY IMAP4rev1 ID MOVE NAMESPACE X-ID-ACLID UIDPLUS LITERAL+ CHILDREN XAPPLEPUSHSERVICE XYMHIGHESTMODSEQ AUTH=PLAIN AUTH=LOGIN AUTH=XOAUTH2 AUTH=XYMCOOKIE AUTH=XYMECOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI] IMAP4rev1 imapgate-1.8.1_01.20166 imap1009.mail.ne1.yahoo.com

Yahoo Mail can be accessed by IMAP using OAuth(2) authentication.

I registered my app on https://developer.yahoo.com/apps/ so I have got Client ID and Client Secret. I didn't find any scopes(API Permissions) related to Mail. Nevertheless I selected all API Permissions which were presented when I registered my app.

I tried to implement both OAuth and OAuth2.

OAuth2: I cannot get the authorization code for scope "mail-r". When I generate URL(https://api.login.yahoo.com/oauth2/request_auth?client_id=CLIENT_ID&redirect_uri=oob&scope=mail-r&response_type=code) and open it in browser, the page with text "Developers: Please request scope from registered scopes and submit again." is displayed. It works for other scopes. For example, I'm able to get the authorization code for "sdct-r"

OAuth: I'm able to get an access token. But when I send it with AUTHENTICATE XOAUTH2 command, I get "NO [AUTHENTICATIONFAILED] (#AUTH007) Bad scope" response.

So questions is what scope(s) should be set to access Yahoo Mail using IMAP and OAuth(2)?

Answer 1

Update February 27, 2017: This work-around will not work anymore as Yahoo has unfortunately taken down the cck-form.html page referenced below and does not seem to allow new apps to request mail related API access. Hopefully this changes.

Here is how you can create an App on yahoo with full access to emails. (recently yahoo remove this option from their UI) once proper permissions are in place, getting oauth tokens and accessing mail boxes should be straight forward and I am not covering it here.

1. Visit https://developer.yahoo.com/oauth/guide/cck-form.html and look for "Here is an example form along with sample values you can use in the form" and copy the example html into a local file and save it. A Copy of the html is available below.

2. Open the file on browser. fill appropriate info (set scope=ymrf for full mail access) and click on "pop window with debug".

3. Click on allow on the popup window. Sign in is required if you did not already login to yahoo on the browser.

go to https://developer.yahoo.com/apps/ and you should see your app with appropriate permissions.

<html>  
<head>  
    <title>CCK Example</title>  
</head>  
<body>  
  
<form target="yCredWindow" action="http://developer.apps.yahoo.com/projects/createconsumerkey" method="post" id="extAuthForm" name="extAuthForm">  
  
<h2>Inputs</h2>  
<p>* = Required</p>    
<table>  
    <tr><th>Field</th>  
        <th>Input</th></tr>  
  
    <tr><td>* Application Name: </td>  
        <td><input name="name" id="name" value="Janrain Engage"></td></tr>  
  
    <tr><td>Description: </td>  
        <td><input name="description" id="desc"></td></tr>  
  
    <tr><td>appid: </td>  
        <td><input name="appid" id="appid"></td></tr>  
  
    <tr><td>Return to: </td>  
        <td><input name="return_to" id="return_to"></td></tr>  
  
    <tr><td>* Third Party Name: </td>  
        <td><input name="third_party" id="third_party" value="Janrain"></td></tr>  
  
    <tr><td>* Scopes: </td>  
        <td><input name="scopes" id="scope" value="ysrw"></td></tr>  
  
    <tr><td>Favicon URL: </td>  
        <td><input name="favicon" id="favicon"></td></tr>  
  
    <tr><td>Application URL: </td>  
        <td><input name="application_url" id="application_url"></td></tr>  
  
    <tr><td>* Domain: </td>  
        <td><input name="domain" id="domain" value="www.janrain.com"></td></tr></table>  
  
<input type="hidden" name="debug" id="debug" value="true">  
  
<button type="reset">clear all fields</button>  
<button type="button" id="submitWithDebug">pop window with debug</button>  
</form>  
  
<h6>Note: A URL that starts with http:// is required for: Return to, Favicon URL and Application URL.  However, you will get an error if you include http:// for the Domain.</h6>  
  
<h2>Returns</h2>  
<table>  
    <tr><td>Key returned:</td>  
        <td><input type="text" id="cKeyInputField"></td></tr>  
  
    <tr><td>Secret returned:</td>  
        <td><input type="text" id="cSecretInputField"></td></tr>  
  
    <tr><td>Appid returned:</td>  
        <td><input type="text" id="returnAppid"></td></tr></table>  
  
<script src="http://yui.yahooapis.com/3.0.0/build/yui/yui-min.js"></script>  
<script>  
  
var formTarget = null;  
  
// used by return_to.html to set the fields with the data that comes back  
var setFields = function(id, val)  { document.getElementById(id).value = val; };  
  
// pops the window, then submits to it  
var popWindowOnSubmit = function(e)  {  
    window.open('', formTarget, 'status=0,toolbar=0,location=0,menubar=0,width=545,height=650');  
    document.extAuthForm.submit();  
};  
  
// handle submit when the button is clicked  
YUI().use('node', function(Y) {  
    formObject = Y.one('#extAuthForm');  
    formTarget = formObject.getAttribute('target');  
    Y.on('click', popWindowOnSubmit, '#submitWithDebug');  
});  
  
</script>  
  
</body>  
</html> 

Answer 2

As of august 2017, the only way to get the Email address is to use the scope called Profiles - Read/Write Public and Private. A very stupid choice of misleading options by Yahoo, since we don't want to "write" anything at all.

As a bonus headache, this will also return a list of all emails associated with the account, not just the main one. And there's no way to accurately identify which is the real one - the primary=true field returned in the list cannot be trusted.

Answer 3

You have to add the "Mail Read-Only" scope when you're creating/configuring the app on https://developer.yahoo.com/apps/.

Unfortunately, when I just tried to do that on a newly created app, the option wasn't available.

You may have to get in touch with Yahoo to have them allow you to request these scopes.

Answer 4

you have to add scope=openid while hitting authorization endpoint, then after obtaining the token after hittng token endpoint, hit profile endpoint with the obtained access token, then we get emails under profile json object

Answer 5

In order for you to see the mail checkboxes in the list of potential scopes, Yahoo have to white-list your developer account. I could not find any documentation about this, or instructions for how to ask for it, so I can't back this up with any documentation.

Answer 6

I have found another way to create an app with the Mail API permissions enabled. I noticed if you include an 'api' parameter in the URL you can specify which scopes you want to include regardless of whether they are checked at the bottom. I noticed if you provided 'api=mail' in the URL it defaults to include Mail permissions. So to create a new app with Mail permissions use this URL:

https://developer.yahoo.com/apps/create/?api=mail